Microsoft has released a new feature that brings part of the Microsoft Authenticator app into the Outlook mobile app. Users can now enroll for Azure MFA using just their Outlook mobile app; no additional installation of the Microsoft Authenticator app is needed. This preview brings both push notifications and TOTP to the Outlook mobile app. Once the feature is enabled, users are prompted for enrollment or can manually register the app for a Microsoft 365 account.
What does that look like for the end user?
How to enable the feature?
By default, Authenticator Lite is Microsoft managed and disabled during the preview. One month after general availability, the Microsoft managed state default value will change to enabled.
Update 30-03-2022. This feature can now be configured using the UX. How to enable Microsoft Authenticator Lite for Outlook mobile (preview) – Microsoft Entra | Microsoft Learn
As with most of the preview features, this one is not configurable using the UI. For now, the easiest way to configure this is by using Graph Explorer. First, we’ll run a GET request to get the current configuration. In Graph Explorer, you need to consent to the Policy.ReadWrite.AuthenticationMethod permission.
GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
The feature is represented in the “companionAppAllowedState” section and is disabled by default.
Now copy the response, and edit the companionAppAllowedState to “enabled” to enable this feature for all users. When you want to enable the feature for a select group of users, put the group ID instead of all_users in the includeTarget section.
```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
  "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "isSoftwareOathEnabled": false,
  "excludeTargets": [],
  "featureSettings": {
    "companionAppAllowedState": {
      "state": "enabled",
      "includeTarget": {
        "targetType": "group",
        "id": "all_users"
      },
      "excludeTarget": {
        "targetType": "group",
        "id": "00000000-0000-0000-0000-000000000000"
      }
    },
    "numberMatchingRequiredState": {
      "state": "enabled",
      "includeTarget": {
        "targetType": "group",
        "id": "all_users"
      },
      "excludeTarget": {
        "targetType": "group",
        "id": "00000000-0000-0000-0000-000000000000"
      }
    },
    "displayAppInformationRequiredState": {
      "state": "enabled",
      "includeTarget": {
        "targetType": "group",
        "id": "all_users"
      },
      "excludeTarget": {
        "targetType": "group",
        "id": "00000000-0000-0000-0000-000000000000"
      }
    },
    "displayLocationInformationRequiredState": {
      "state": "enabled",
      "includeTarget": {
        "targetType": "group",
        "id": "all_users"
      },
      "excludeTarget": {
        "targetType": "group",
        "id": "00000000-0000-0000-0000-000000000000"
      }
    }
  },
  "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
  "includeTargets": [
    {
      "targetType": "group",
      "id": "all_users",
      "isRegistrationRequired": false,
      "authenticationMode": "any"
    }
  ]
}
```
Copy the payload to the Request body section, and change the method to PATCH. Be careful: the PATCH overwrites the current settings of your Authenticator app policy, and a mistake is easily made at this point.
After running the PATCH, check if the settings are updated by running the same command with the GET method.
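The GET, edit and PATCH steps above as a script, added here as an example and not part of the original post. It only changes companionAppAllowedState and copies every other setting back unchanged, so a hand-editing slip cannot reset number match or the context settings; the environment variable names and the dry-run against an abridged copy of the GET response are this example's own assumptions.

```python
import copy, json, os, urllib.request
GRAPH_URL = ("https://graph.microsoft.com/beta/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/MicrosoftAuthenticator")
ALL_USERS = {"targetType": "group", "id": "all_users"}
NO_GROUP = {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}

# Constructed, abridged copy of the GET response in the post (Lite still Microsoft managed).
SAMPLE_RESPONSE = {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator", "state": "enabled", "excludeTargets": [],
    "featureSettings": {
        "companionAppAllowedState": {"state": "default", "includeTarget": ALL_USERS, "excludeTarget": NO_GROUP},
        "numberMatchingRequiredState": {"state": "enabled", "includeTarget": ALL_USERS, "excludeTarget": NO_GROUP},
    },
}

def build_patch_body(current: dict, state: str, group_id: str = "all_users") -> dict:
    """Derive the PATCH body from a GET response, changing only companionAppAllowedState.
    Other feature settings are copied verbatim; @odata.context annotations are response-only."""
    if state not in ("default", "enabled", "disabled"): raise ValueError(state)  # default = Microsoft managed
    body = copy.deepcopy(current)  # never mutate the fetched configuration
    for key in [k for k in body if k.endswith("@odata.context")]:
        del body[key]
    lite = body["featureSettings"]["companionAppAllowedState"]
    lite["state"] = state
    lite["includeTarget"] = {"targetType": "group", "id": group_id}  # all_users or a group object id
    return body

def verify_state(config: dict, state: str, group_id: str = "all_users") -> bool:
    """Post-PATCH check on a fresh GET response: is the intended Lite setting in effect?"""
    lite = config.get("featureSettings", {}).get("companionAppAllowedState", {})
    return lite.get("state") == state and lite.get("includeTarget", {}).get("id") == group_id

def graph_call(method: str, token: str, body=None) -> dict:
    """Minimal Graph request; the token needs Policy.ReadWrite.AuthenticationMethod."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    raw = urllib.request.urlopen(req).read()  # PATCH answers 204 with an empty body
    return json.loads(raw) if raw else {}

if __name__ == "__main__":
    target = os.environ.get("LITE_GROUP_ID", "all_users")  # assumed variable; a group id scopes the rollout
    token = os.environ.get("GRAPH_TOKEN")  # assumed variable; without it, dry-run on the sample
    if not token:
        print(json.dumps(build_patch_body(SAMPLE_RESPONSE, "enabled", target), indent=2))
    else:
        graph_call("PATCH", token, build_patch_body(graph_call("GET", token), "enabled", target))
        print("verified:", verify_state(graph_call("GET", token), "enabled", target))
```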
User enrollment
As soon as the feature is enabled, the included users might be prompted to register in the Outlook app. During registration, the user might be prompted for step-up authentication. It is also possible to register manually.
This video shows the manual registration.
- In the Outlook app, go to the settings icon
- Pick the Office 365 account that is eligible for this feature
- Scroll down and select “Authenticator” (when this section is not shown, your app is not updated yet)
- Switch the toggle “Approve sign-ins” to start the registration process.
- The user can be prompted for step-up authentication, for example, via SMS or Temporary Access Pass
- When step-up authentication is successful, the feature is enabled.
You can track these events in the audit logs.
In the sign-in logs, under authenticationAppDeviceDetails, the clientApp field will return microsoftAuthenticator or Outlook.
As this feature is brand new, expect some more details to be added to this post over the coming weeks. For now, please note these requirements and current limitations.
- Outlook app version. The new app is currently rolling out. It can take some time before the app is updated. For Android, the version must be 4.2308.0 or higher. For iOS, the app version needs to be 4.2309.0 or higher.
- Authenticator app policy. Users need to be enabled for the Microsoft Authenticator app and the Authentication mode set to “Any” or “Push.”
- Additional Context and Number match. Number match will be enabled for all users. Additional Context is not supported.
- Chicken and egg. Users need at least one authentication method registered to their account, for example, a phone number or Temporary Access Pass.
- Support. This feature is not supported for Azure MFA server (legacy). It is supported in both hybrid and cloud-only scenarios but only works with Azure MFA.
- ADFS. If your organization uses ADFS adapter or NPS extensions, upgrade to the latest versions for a consistent experience.
- Shared device. Users enabled for shared device mode on Outlook are not eligible for Authenticator Lite.
Good to know:
- You cannot configure the push notifications, as these are independent of the Authenticator feature settings. Number match will be enabled, and Location/App context will be disabled.
- The registration will still appear as “Microsoft Authenticator” in the Azure and My Sign-ins portal.
- When both the Authenticator app and Outlook mobile app are registered on one device, the prompt will be sent to the Authenticator app only.
- Users who are prompted for enrollment but click out of the registration or do not complete the authentication will be re-prompted once after seven days.
- When the user disables the feature, the Authenticator app registration will also be deleted in Azure AD.
- Authenticator Lite can’t be used for SSPR.
Here is the official Microsoft documentation: How to enable Microsoft Authenticator Lite for Outlook mobile (preview) – Microsoft Entra | Microsoft Learn
Stay safe!
Thanks for posting this. When I tried to run this via graph, I was receiving an error indicating that I needed to provide consent. Unfortunately, I didn’t know where to provide consent. It needs to be approved in Policy.ReadWrite.AuthenticationMethod. More details can be found at https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/authentication/how-to-mfa-authenticator-lite.md.
Thanks, added!
Do you think it supports/will support App Protection Policies?
Thanks for the help article, super explanation!
I am now facing the challenge that on a newly rolled out Android device, the normal Authenticator is already installed during setup and I cannot uninstall it (Device Admin App, uninstall error). How can I use the Authenticator Lite on this device? Any idea?