To minimize user disruption, Microsoft recommends enabling this feature when the rollout completes.
Authenticator Lite is a new interface that allows Azure Active Directory (Azure AD) users to complete multifactor authentication using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device.
Users can easily fulfill a multifactor authentication requirement using the familiar Authenticator Lite app, which is currently integrated into Outlook mobile.
Users are presented with two options for sign-in in Outlook mobile using Microsoft Authenticator Lite:
- approving or denying sign-in through a notification
- copying a time-based one-time passcode (TOTP) to be used for sign-in.
The 'Microsoft managed' setting for this feature will be automatically enabled, affecting all users in tenants where the feature is set to Microsoft managed. To modify the state of this feature, make sure to do so before the specified date.
To use Microsoft Authenticator Lite for Outlook mobile (preview), your organization must have enabled Microsoft Authenticator push notifications for certain users or groups through the Authentication methods policy in Azure portal or Microsoft Graph API.
Additionally, if you are using Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, ensure that you have upgraded to the latest versions.
However, users enabled for shared device mode on Outlook mobile are not eligible for Authenticator Lite.
It is also important to note that users must have a minimum version of Outlook mobile installed:
| Operating system | Outlook version |
|---|---|
| Android | 4.2309.1 |
| iOS | 4.2309.0 |
Enable Authenticator Lite
If you have enabled this feature for your tenant, your users may not have been prompted for the experience yet. To avoid disrupting users, Microsoft suggests waiting until the rollout is complete before enabling this feature.
Default configuration during preview is that Authenticator Lite is disabled and Microsoft managed. However, after general availability, the default value for the Microsoft managed state will change to enable Authenticator Lite.
Enablement Authenticator Lite in Azure portal (web)
To turn on Authenticator Lite using the Azure portal, follow these steps:
- Navigate to the Azure portal > Security > Authentication methods > Microsoft Authenticator.
- Go to the Enable and Target tab and select Yes and All users to activate the policy for everyone, or choose specific users and groups to add.
- Set the Authentication mode to Any or Push for the selected users/groups to allow them to use Authenticator Lite during sign-in. Note that only users who have Microsoft Authenticator enabled here can use Authenticator Lite for sign-in or opt-out of the feature. If users don't have Microsoft Authenticator enabled, they won't see Authenticator Lite. Additionally, if a user has Microsoft Authenticator already installed on the same device as Outlook, they won't receive a prompt to register for Authenticator Lite within Outlook.
Enable Authenticator Lite via Microsoft Graph APIs
| Property | Type | Description |
|---|---|---|
| excludeTarget | featureTarget | A single entity that is excluded from this feature. You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group. |
| includeTarget | featureTarget | A single entity that is included in this feature. You can only include one group for Authenticator Lite, which can be a dynamic or nested group. |
| State | advancedConfigState | Possible values are: enabled explicitly enables the feature for the selected group. disabled explicitly disables the feature for the selected group. default allows Azure AD to manage whether the feature is enabled or not for the selected group. |
First you need to identity a target group you want to use. Then use the following API endpoint to change the CompanionAppsAllowedState property under featureSettings.
https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticatorUser registration
When Authenticator Lite is enabled, users will be prompted to register their account directly from Outlook mobile.
It's important to note that Authenticator Lite registration isn't available through MySignIns. Additionally, users have the ability to enable or disable Authenticator Lite directly from within Outlook mobile. For more information about the user experience, refer to the Authenticator Lite support documentation.
Monitoring Authenticator Lite usage
To monitor the usage of Authenticator Lite, you can view the sign-in logs to see which app was used to complete user authentication. You can use the following call on the beta API endpoint to view the latest sign-ins:
GET auditLogs/signInsIf the sign-in was done through phone app notification, the clientApp field under authenticationAppDeviceDetails returns microsoftAuthenticator or Outlook.
If a user has registered Authenticator Lite, their registered authentication methods will include Microsoft Authenticator (in Outlook).
Push notifications in Authenticator Lite
Push notifications sent by Authenticator Lite are not customizable and are not affected by the Authenticator feature settings.
The feature settings for Authenticator Lite are listed in the following table. Each authentication includes a matching number prompt and does not include app and location context, regardless of Microsoft Authenticator feature settings.
| Authenticator Feature | Authenticator Lite Experience |
|---|---|
| Number Matching | Enabled |
| Location Context | Disabled |
| Application Context | Disabled |
The following screenshots demonstrate what users will see when Authenticator Lite sends a push notification.
Frequently Asked Questions
For the up to date FAQ, go to the official documentation.
Clap
Comments