Photo by Ed Hardie / Unsplash
Enable Microsoft Authenticator Lite for Outlook mobile

Enable Microsoft Authenticator Lite for Outlook mobile

Published on 18 Apr 2023

Bastien Perez
Bastien Perez

Clap

Rollout has not yet completed across Outlook applications. If this feature is enabled in your tenant, your users may not yet be prompted for the experience.
To minimize user disruption, Microsoft recommends enabling this feature when the rollout completes.

Authenticator Lite is a new interface that allows Azure Active Directory (Azure AD) users to complete multifactor authentication using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device.

Users can easily fulfill a multifactor authentication requirement using the familiar Authenticator Lite app, which is currently integrated into Outlook mobile.

Users are presented with two options for sign-in in Outlook mobile using Microsoft Authenticator Lite:

  • approving or denying sign-in through a notification
  • copying a time-based one-time passcode (TOTP) to be used for sign-in.
Starting May 26th, 2023, users authenticating via telecom transports will benefit from an important security enhancement.
The 'Microsoft managed' setting for this feature will be automatically enabled, affecting all users in tenants where the feature is set to Microsoft managed. To modify the state of this feature, make sure to do so before the specified date.

To use Microsoft Authenticator Lite for Outlook mobile (preview), your organization must have enabled Microsoft Authenticator push notifications for certain users or groups through the Authentication methods policy in Azure portal or Microsoft Graph API.

Additionally, if you are using Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, ensure that you have upgraded to the latest versions.

However, users enabled for shared device mode on Outlook mobile are not eligible for Authenticator Lite.

It is also important to note that users must have a minimum version of Outlook mobile installed:

Operating system Outlook version
Android 4.2309.1
iOS 4.2309.0

Enable Authenticator Lite

The rollout of this feature is still in progress and may not be available in all Outlook applications yet.
If you have enabled this feature for your tenant, your users may not have been prompted for the experience yet. To avoid disrupting users, Microsoft suggests waiting until the rollout is complete before enabling this feature.

Default configuration during preview is that Authenticator Lite is disabled and Microsoft managed. However, after general availability, the default value for the Microsoft managed state will change to enable Authenticator Lite.

Enablement Authenticator Lite in Azure portal (web)

To turn on Authenticator Lite using the Azure portal, follow these steps:

  • Navigate to the Azure portal > Security > Authentication methods > Microsoft Authenticator.
  • Go to the Enable and Target tab and select Yes and All users to activate the policy for everyone, or choose specific users and groups to add.
  • Set the Authentication mode to Any or Push for the selected users/groups to allow them to use Authenticator Lite during sign-in. Note that only users who have Microsoft Authenticator enabled here can use Authenticator Lite for sign-in or opt-out of the feature. If users don't have Microsoft Authenticator enabled, they won't see Authenticator Lite. Additionally, if a user has Microsoft Authenticator already installed on the same device as Outlook, they won't receive a prompt to register for Authenticator Lite within Outlook.

Enable Authenticator Lite via Microsoft Graph APIs

In Graph Explorer, you need to consent to the Policy.ReadWrite.AuthenticationMethod permission.
Property Type Description
excludeTarget featureTarget A single entity that is excluded from this feature. You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group.
includeTarget featureTarget A single entity that is included in this feature. You can only include one group for Authenticator Lite, which can be a dynamic or nested group.
State advancedConfigState Possible values are:
enabled explicitly enables the feature for the selected group.
disabled explicitly disables the feature for the selected group.
default allows Azure AD to manage whether the feature is enabled or not for the selected group.

First you need to identity a target group you want to use. Then use the following API endpoint to change the CompanionAppsAllowedState property under featureSettings.

https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

User registration

If a user has no MFA methods registered, they will be prompted to download the Authenticator App when they start the registration process for Authenticator Lite. To ensure a smooth registration experience, it is recommended to provide users with a TAP (Temporary Access Pass) which they can use during registration.

When Authenticator Lite is enabled, users will be prompted to register their account directly from Outlook mobile.

It's important to note that Authenticator Lite registration isn't available through MySignIns. Additionally, users have the ability to enable or disable Authenticator Lite directly from within Outlook mobile. For more information about the user experience, refer to the Authenticator Lite support documentation.

Monitoring Authenticator Lite usage


To monitor the usage of Authenticator Lite, you can view the sign-in logs to see which app was used to complete user authentication. You can use the following call on the beta API endpoint to view the latest sign-ins:

GET auditLogs/signIns

If the sign-in was done through phone app notification, the clientApp field under authenticationAppDeviceDetails returns microsoftAuthenticator or Outlook.

If a user has registered Authenticator Lite, their registered authentication methods will include Microsoft Authenticator (in Outlook).

Push notifications in Authenticator Lite

Push notifications sent by Authenticator Lite are not customizable and are not affected by the Authenticator feature settings.

The feature settings for Authenticator Lite are listed in the following table. Each authentication includes a matching number prompt and does not include app and location context, regardless of Microsoft Authenticator feature settings.

Authenticator Feature Authenticator Lite Experience
Number Matching Enabled
Location Context Disabled
Application Context Disabled

The following screenshots demonstrate what users will see when Authenticator Lite sends a push notification.

Frequently Asked Questions

For the up to date FAQ, go to the official documentation.



Comments

banner-Bastien Perez
Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France