App Passwords

Desktop applications, mobile apps, and older protocols that solely rely on username/password do not support authentication factors beyond the standard username/password. A very common example being email clients that have a username/password box as the only way to authenticate.

In a Federated Identity world, with multi-factor implementations, most solutions rely on web browsers with a dynamically generated user interface. Since some of the primary solutions being used with Federated Identity are email solutions like O365, backward compatibility must exist if old clients are used to access the cloud email servers.

To solve this dilemma O365 (Azure AD) now supports App Passwords. It is essentially a second (third, fourth, etc.) password used to authenticate to services, bypassing the multi-factor authentication requirement. The idea is to create a unique App Password per device/application that you want to use. The password is displayed once, as it is intended to be directly entered it into the application, and forgotten. The password should not be stored, or written down for any reason.

When a new application/device needs a password, the routine is repeated and a new unique App Password is created. O365 natively supports 40 App Passwords per account.

Normally, application passwords do not expire, unless specifically revoked by the user or administrator.

Configure App Passwords


Certain applications, like the native email clients found on iOS/Android devices, and also Skype for Business/Lync clients that need to connect to Exchange/Exchange Online for calendar and contact information, cannot use anything but the username and password during authentication. When an organization introduces multi-factor authentication, for example with Specops Authentication, and still want to use these types of clients/software, App Passwords must be used.

Before users can create App Passwords, you will need to allow, and configure their use.

  1. Sign in to the O365 Administrator Portal with O365 administrator privileges: https://portal.office.com/adminportal
  2. Navigate to Users, and click Active users.
  3. Select the More drop-down, and click Setup Azure multi-factor auth.
    Alt text for this image
    This will open a configuration page for multi-factor auth settings where the users that should be able to use App Passwords are listed. The multi-factor authentication and App Password settings are closely related – this can be confusing when multifactor is delivered elsewhere, e.g. via Specops Authentication.
  4. Select the service settings page to configure the general settings.
    1. Enable Allow users to create app passwords to sign in to non-browser apps.
    2. Select which verifications options are to be available to users.
      By default all four options are enabled, but given that this will be a one-time operation, Call to phone and/or Text message to phone are recommended.
  5. Click Save.
    Alt text for this image
  6. Browse back to the users page of the settings, select the users that should be allowed to use App Passwords, and select Enable.

Selected users will now be able to use App Passwords.