App Passwords and Service Mailboxes using 3rd party MFA
Due to the new CSP regulations for authentication, we have begun enforcing our MFA for all of our user accounts using our 3rd party federation/SAML provider Okta.
One thing that we were informed of during our office hour session today is that we can no longer have IMAP unless it is behind an account with MFA and an app password. This is fine as these are service mailboxes that are not logged into very often, but the issue is that Azure will only allow me to create an app password if the Azure MFA is enabled (we use Okta, not Azure, for MFA). I have tested this on a few of our service mailboxes for our line of business applications and it won't let me create the app password until I enable the Azure MFA at:
How can I enable app passwords AND use my 3rd party authentication method? Currently it seems like this is not possible, and a similar issue is being discussed here.
What about creating the user accounts for those mailboxes directly in Azure? This way the authentication would not be happening via federation, but directly in AzureAD, and Azure MFA could then be used. The same recommendation would apply for creating an emergency admin account in this setup - this account should also be created in AzureAD and use Azure MFA as an alternative MFA service to the one you are using for federated auth.
The uservoice entry you mentioned is for a totally different issue - that there is no option to create app passwords when enforcing MFA via conditional access. However, that is not a real issue - you can have MFA enforced via conditional access and additionally enable MFA per user to allow creation of app passwords. The only issue here is that it is not very intuitive to enable MFA in two different places; some people expect to have the ability to create app passwords when using either option.
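The answer above says the trick is to keep conditional access as the enforcement mechanism and additionally turn on per-user MFA for the few accounts that need app passwords. The script below is an added example, not code from the thread or from Microsoft; it assumes the legacy MSOnline PowerShell module (`Connect-MsolService`, `Get-MsolUser`, `Set-MsolUser`) and an account with rights to change MFA settings. The UPNs are constructed placeholders. It sets the per-user state to `Enabled` only where no state is set, leaves already-configured accounts alone, and ends with an audit listing so the set of accounts eligible for app passwords stays small and visible.

```powershell
# Added example, not from the original thread. Assumes the legacy MSOnline module
# is installed and that the caller may change per-user MFA settings.
Connect-MsolService

# Constructed placeholder UPNs for the service mailboxes that need app passwords.
$serviceMailboxes = @(
    'svc-invoicing@example.com',
    'svc-helpdesk@example.com'
)

# Per-user MFA requirement object. 'Enabled' asks the user to register MFA on next
# interactive sign-in (after which app passwords can be created); 'Enforced' is the
# state the account moves to once registration is complete.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

foreach ($upn in $serviceMailboxes) {
    $user = Get-MsolUser -UserPrincipalName $upn
    $currentState = $user.StrongAuthenticationRequirements.State

    if (-not $currentState) {
        # Conditional access policies stay in place; this only adds the per-user flag
        # that the app-password page checks for.
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
        Write-Output "$upn : per-user MFA set to Enabled (was not set)"
    }
    else {
        Write-Output "$upn : per-user MFA already '$currentState', left unchanged"
    }
}

# Audit: every account with a per-user MFA state is potentially able to create app
# passwords, which bypass interactive MFA for legacy protocols such as IMAP. Keep this
# list short and review it alongside the conditional access policies.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.State } |
    Select-Object UserPrincipalName,
        @{ Name = 'PerUserMfaState'; Expression = { $_.StrongAuthenticationRequirements.State } }
```

Run the audit section on its own periodically; per-user MFA tends to accumulate on accounts that no longer need app passwords, and each such account is one more place where an app password can be minted for IMAP.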
Unfortunately, to do that I would need to use a different domain for those users since I have to federate the entire domain to Okta. I cannot change the domain of these mailboxes at all. Also, these mailboxes would need another MFA method other than authenticator app or text message (like a security question or email code), as we don't have a phone number publicly available for text codes OR want to have to register an authenticator app for all these accounts (and make sure that device always has the codes).
It just seems more cumbersome to use the Azure MFA with the lack of authentication methods.