
Authenticator Lite – Approve Azure MFA prompts with the Outlook app

Microsoft released a new feature where the Outlook mobile app now has some of the Microsoft Authenticator App features onboard. Users can now enroll for Azure MFA using just their Outlook mobile app. No additional installation of the Microsoft Authenticator app is needed. This preview brings both push notifications and TOTP to the Outlook mobile app. Users are prompted for enrollment or can manually register their app to work with a Microsoft 365 account once this feature is enabled.

What does that look like for the end user?

How to enable the feature?

By default, Authenticator Lite is Microsoft managed and disabled during the preview. One month after general availability, the Microsoft managed state default value will change to enabled.

Update 30-03-2023: this feature can now be configured in the admin center UI. See How to enable Microsoft Authenticator Lite for Outlook mobile (preview) – Microsoft Entra | Microsoft Learn.

As with most preview features, this one was not configurable in the UI when this post was written. The easiest way to configure it is through Microsoft Graph, for example with Graph Explorer. First, run a GET request to read the current configuration. In Graph Explorer, you need to consent to the Policy.ReadWrite.AuthenticationMethod permission (the same permission covers the PATCH later on).

GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

The feature is represented by the “companionAppAllowedState” object under featureSettings and is disabled by default.

Now copy the response and change the state of companionAppAllowedState to “enabled” to enable this feature for all users. To enable the feature for a subset of users, put the object ID of a group in the includeTarget section instead of all_users. The excludeTarget with the all-zeros GUID means that no group is excluded.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "isSoftwareOathEnabled": false,
    "excludeTargets": [],
    "featureSettings": {
        "companionAppAllowedState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        },
        "numberMatchingRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        },
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        },
        "displayLocationInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        }
    },
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any"
        }
    ]
}

Copy the payload to the Request body section and change the method to PATCH. Be careful: every property you send is written back to the tenant-wide Authenticator policy, so a value you accidentally changed while editing the copied response (numberMatchingRequiredState, the includeTargets authentication mode, and so on) is changed for all users. A mistake is easily made at this point. A smaller body that contains only "@odata.type" and the featureSettings.companionAppAllowedState object is the safer option, since a PATCH leaves the properties you do not send untouched.

After running the PATCH, confirm that the settings were updated by running the same request again with the GET method rather than trusting the HTTP status code alone.
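The same change as a script, added here as an example; it is not code from the post or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) against the /policies/authenticationMethodsPolicy path from the Graph API reference, and assumes that the module is installed and that the signed-in admin can consent to Policy.ReadWrite.AuthenticationMethod. The group IDs are parameters you supply. Instead of pasting the whole GET response back, it sends only the companionAppAllowedState object, checks the prerequisites from the requirements list further down (Authenticator enabled, mode Any or Push), and reads the policy back afterwards.

```powershell
# Added example (not from the original post): enable Authenticator Lite through Microsoft Graph
# without hand-editing the full policy in Graph Explorer.
# Assumptions: Microsoft.Graph PowerShell module installed; the account used can consent to
# Policy.ReadWrite.AuthenticationMethod; group IDs are passed in as parameters.
param(
    # Empty = target all_users; otherwise the object ID of the Azure AD group to include.
    [string]$IncludeGroupId = "",
    # Optional group to exclude; the all-zeros GUID means "no exclusion".
    [string]$ExcludeGroupId = "00000000-0000-0000-0000-000000000000"
)

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

# 1. Read the current policy and show the state of the Authenticator Lite setting.
$before  = Invoke-MgGraphRequest -Method GET -Uri $uri
$current = $before.featureSettings.companionAppAllowedState
Write-Host ("Before: state={0}, includeTarget={1}" -f $current.state, $current.includeTarget.id)

# 2. Stop if the prerequisites from the post are not met: the Authenticator method itself
#    must be enabled and at least one include target must use mode 'any' or 'push'.
if ($before.state -ne "enabled") { throw "The Microsoft Authenticator method is disabled; enable it first." }
$modes = @($before.includeTargets | ForEach-Object { $_.authenticationMode })
if (-not ($modes | Where-Object { $_ -in @("any", "push") })) {
    throw "Authentication mode(s) '$($modes -join ',')' found; Authenticator Lite needs 'any' or 'push'."
}

# 3. Validate the group IDs so a typo cannot scope the feature to a non-existent group.
$parsed = [guid]::Empty
foreach ($id in @($IncludeGroupId, $ExcludeGroupId)) {
    if ($id -and -not [guid]::TryParse($id, [ref]$parsed)) { throw "'$id' is not a GUID." }
}
$includeId = if ($IncludeGroupId) { $IncludeGroupId } else { "all_users" }

# 4. Send only the object that should change. PATCH leaves the properties that are not in the
#    body (numberMatchingRequiredState, displayAppInformationRequiredState, includeTargets, ...)
#    exactly as they are, which avoids the copy-and-paste mistake the post warns about.
$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        companionAppAllowedState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = $includeId }
            excludeTarget = @{ targetType = "group"; id = $ExcludeGroupId }
        }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 10)

# 5. Verify by reading the policy back instead of trusting the PATCH status code.
$after = (Invoke-MgGraphRequest -Method GET -Uri $uri).featureSettings.companionAppAllowedState
if ($after.state -ne "enabled" -or $after.includeTarget.id -ne $includeId) {
    throw "Verification failed: state=$($after.state), includeTarget=$($after.includeTarget.id)"
}
Write-Host ("After:  state={0}, includeTarget={1}" -f $after.state, $after.includeTarget.id)
```

Run it without parameters to enable the feature for all users, or with -IncludeGroupId <group object ID> for a pilot group. Because only companionAppAllowedState is sent, a wrong value in that object is the only thing that can go wrong, and the final GET tells you whether the tenant actually holds the value you intended.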

User enrollment

As soon as the feature is enabled, the included users might be prompted to register in the Outlook app. During registration, the user might be prompted for step-up authentication. It is also possible to register manually.

This video shows the manual registration.

  1. In the Outlook app, go to the settings icon
  2. Pick the Office 365 account that is eligible for this feature
  3. Scroll down and select “Authenticator” (when this section is not shown, your app is not updated yet)
  4. Switch the toggle “Approve sign-ins” to start the registration process.
  5. The user can be prompted for step-up authentication, for example, via SMS or Temporary Access Pass
  6. When step-up authentication is successful, the feature is enabled.

You can track these events in the audit logs.

In the sign-in logs, under authenticationAppDeviceDetails, the clientApp field returns microsoftAuthenticator or Outlook, so you can see which app approved the prompt.
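To see which app is approving prompts across the tenant, here is an added example that is not part of the original post. It reads the beta sign-in logs with the Microsoft Graph PowerShell SDK and groups them by the clientApp value in authenticationAppDeviceDetails. It assumes the Microsoft.Graph module is installed, that AuditLog.Read.All can be consented, and that Outlook approvals carry the clientApp value "Outlook" as stated above.

```powershell
# Added example (not from the original post): report which app approved recent MFA prompts
# by reading the beta sign-in logs. Assumes the Microsoft.Graph module, AuditLog.Read.All,
# and that Outlook approvals show clientApp = "Outlook" as the post states.
param([int]$Days = 7)

Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Backticks keep PowerShell from expanding $filter and $top as variables.
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=999"

$approvals = New-Object System.Collections.Generic.List[object]
while ($uri) {                                  # follow @odata.nextLink through every page
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($s in $page.value) {
        $d = $s.authenticationAppDeviceDetails
        # Sign-ins that were not approved in an app carry no device details; skip them.
        if (-not $d -or -not $d.clientApp) { continue }
        $approvals.Add([pscustomobject]@{
            When       = $s.createdDateTime
            User       = $s.userPrincipalName
            ClientApp  = $d.clientApp
            AppVersion = $d.appVersion
            OS         = $d.operatingSystem
        })
    }
    $uri = $page.'@odata.nextLink'
}

# Per user and app: users who only appear with ClientApp = Outlook rely on Authenticator Lite;
# users who appear with both get their prompts in the full Authenticator app (see 'Good to know').
$approvals | Group-Object User, ClientApp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Newest Outlook approvals with app version and OS, to compare against the minimum
# Outlook versions listed in the requirements below.
$approvals | Where-Object ClientApp -eq "Outlook" |
    Sort-Object When -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The first table is the one to keep an eye on after enabling the feature: a user who suddenly appears with a new ClientApp value has registered a new approval path, which is worth correlating with the registration events in the audit log.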

As this feature is brand new, expect some more details to be added to this post over the coming weeks. For now, please note these requirements and current limitations.

  • Outlook app version. The updated app is currently rolling out, and it can take some time before the app on a device is updated. For Android, the version must be 4.2308.0 or higher. For iOS, the app version needs to be 4.2309.0 or higher.
  • Authenticator app policy. Users need to be enabled for the Microsoft Authenticator app and the Authentication mode set to “Any” or “Push.”
  • Additional Context and Number match. Number match will be enabled for all users. Additional Context is not supported.
  • Chicken and egg. Users need at least one authentication method registered on their account before they can enroll, for example a phone number or a Temporary Access Pass.
  • Support. This feature is not supported for Azure MFA Server (legacy). It works in both hybrid and cloud-only scenarios, but only with Azure AD Multi-Factor Authentication.
  • AD FS. If your organization uses the AD FS adapter or the NPS extension, upgrade to the latest versions for a consistent experience.
  • Shared device. Users enabled for shared device mode in Outlook are not eligible for Authenticator Lite.

Good to know:

  • You cannot configure the push notifications for Outlook separately; they are independent of the Authenticator feature settings. Number match is always enabled, and location and application context are always disabled.
  • The registration will still appear as “Microsoft Authenticator” in the Azure and My Sign-ins portal.
  • When both the Authenticator app and Outlook mobile app are registered on one device, the prompt will be sent to the Authenticator app only.
  • When prompted for enrollment, users who dismiss the registration or do not complete the authentication are re-prompted once, after seven days.
  • When the user disables the feature, the Authenticator app registration will also be deleted in Azure AD.
  • Authenticator Lite can’t be used for SSPR.

Here is the official Microsoft documentation: How to enable Microsoft Authenticator Lite for Outlook mobile (preview) – Microsoft Entra | Microsoft Learn

Stay safe!

7 thoughts on “Authenticator Lite – Approve Azure MFA prompts with the Outlook app”

  1. Pingback: Authenticator Lite – Approve Azure MFA prompts with the Outlook app – blog by @janbakker_ – 365forall

  2. Pingback: Intune Newsletter - 17th March 2023 - Andrew Taylor

  3. Thanks for the help article, super explanation!
    I am now facing the challenge that on a newly rolled out Android device, the normal Authenticator is already installed during setup and I can not uninstall it (Device Admin App, uninstall error). How can I use the Authenticator Lite on this device? Any idea?
