How to Enable Microsoft Authenticator for Outlook Mobile

Microsoft Authenticator supports companion apps such as Microsoft Outlook for mobile to provide a simplified ‘Lite’ experience, so that users can use a strong multi-factor authentication method without installing additional MFA applications on their mobile device. Using Authenticator Lite in Outlook for mobile, instead of the Microsoft Authenticator app, provides the same level of protection for user identities, including the number matching and OTP experience.

In this tutorial, I am going to explain how the Authenticator Lite experience works, whether you should use it and how to enable it in the Entra Portal and using Microsoft Graph PowerShell.

What is Authenticator Lite for Outlook mobile?

Authenticator Lite is a simple and secure multi-factor authentication method built directly into common Microsoft mobile applications, more specifically Outlook for mobile on iOS and Android. This simplified experience means you can complete secure OTP and push notification second-step authentication directly from applications that you may already have installed on your mobile.

For Outlook, the Authenticator Lite experience is available on Android in Outlook version 4.2308.0 and above, and on iOS in Outlook version 4.2309.0 and above.

Pre-requisites for Authenticator Lite

1. You need to have the Outlook app downloaded on your iOS or Android device and the app must be configured with your Work or School account. If you do not have Outlook installed and configured, you will need to do this first before you can enable Authenticator Lite.

2. You must follow the steps below to enable the necessary settings in your tenant. This can be done for all users at once or slowly rolled out to specific users in your organisation.

3. You must already have a second-factor authentication method configured on your account. This can be any other method which is not the Microsoft Authenticator app.

Should I use Microsoft Authenticator or Authenticator Lite?

The full Microsoft Authenticator application will give you a better experience. For example, if you need to connect to more than one Microsoft 365 account, this would be easier to manage with the full Microsoft Authenticator app over the Lite experience in Outlook for mobile.

You should use it however if you are currently using SMS or Voice based authentication and access company data through Outlook on your mobile device (while not having the Microsoft Authenticator app installed).

Does Authenticator Lite take precedence over Microsoft Authenticator?

No. If you have the Microsoft Authenticator app installed on your device, you will not be able to register for Authenticator Lite on Outlook for mobile as the companion app (Outlook) will detect Microsoft Authenticator is installed and not prompt you to register when enabled. 

What is the default status for Authenticator Lite?

By default, Authenticator Lite is set to Microsoft Managed. This means that Microsoft can manage and control the default status of Authenticator Lite. Prior to June 9th 2023, the Microsoft Managed status is defaulted to Disabled, however, after that date, Authenticator Lite is automatically enabled unless you choose to disable it.

In what scenarios should I deploy Authenticator Lite?

Authenticator Lite can be used to simplify onboarding users onto Multi-Factor Authentication and migrating users away from less secure and convenient authentication methods such as SMS and Voice.

Negating the need to install an additional app onto their device can help with new user onboarding. However, personally, I find this experience somewhat unnecessary. If a user has the Outlook for mobile app installed, you could quite easily imagine they have the Authenticator app installed already. If they don’t already use Outlook for mobile, onboarding should involve them installing Microsoft Authenticator at a minimum. There is no argument against a user installing the Outlook for mobile app and accessing company data on a personal device without installing Microsoft Authenticator; if there were an objection, accessing company data on that device should not happen, or a company device should be issued if it is deemed a necessity.

Although, where you have inherited an imperfect environment or SMS auth was previously deployed due to personal preference or lack of enforcement of a stronger method, Authenticator Lite can be used as a quick win to meet requirements and can be seen as an intermediary step to rolling out the Microsoft Authenticator app. The argument against this is that you are adding additional complexity for you and your end users. Why double your efforts, documentation and communication when you could just roll out the Microsoft Authenticator app?

Authenticator Lite is a convenient experience to simplify the user’s MFA experience and satisfy MFA requirements; this can be useful in simple environments and as an intermediary step to assist the rollout of MFA. In more complex environments, where some users may have second cloud accounts for privileged tasks, the Microsoft Authenticator app for all users will provide better flexibility and consistency.

How to enable Authenticator Lite through the Web UI

Authenticator Lite can be enabled through the Authentication methods page of Azure Active Directory. Follow the steps below to enable it for all users in your organisation.

1. Log in to Microsoft Entra, expand Protect & secure, then select Authentication methods.

[Screenshot: Select Protect & Secure then Authentication Methods]

2. Select Microsoft Authenticator from the list of methods.

[Screenshot: Select Microsoft Authenticator]

3. Select the Configure tab.

[Screenshot: Select Configure]

4. Under Microsoft Authenticator on companion applications, change the state to Enabled and click Save.

[Screenshot: Change the status to Enabled]

How to enable Authenticator Lite with Microsoft Graph

If you need to programmatically enable Authenticator Lite using PowerShell, you can do so with the Microsoft Graph PowerShell modules. If you do not have these modules installed already, check out my guide on How To Install the Microsoft Graph PowerShell Module. Follow the steps below to enable this setting with PowerShell:

1. Start by connecting to Microsoft Graph with the Policy.ReadWrite.AuthenticationMethod permission scope (this is the permission name as it appears in Microsoft Graph; the parameter is -Scopes):

Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

2. You will need to define the URI for the Microsoft Authenticator method settings:

$uri = "https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

3. Then use the Invoke-MgGraphRequest cmdlet to get the policy configuration from your tenant and store it in a variable in your session. The response is saved as a hash table in $body and used as our payload:

$body = Invoke-MgGraphRequest -Uri $uri -Method GET

4. The payload now needs to be modified to meet our desired new configuration. The returned state may be 'default' (Microsoft managed) rather than 'disabled', so assign the new value directly instead of relying on a string replace, which would be a no-op in that case:

# Set the companion app (Authenticator Lite) state to enabled
$body.featureSettings.companionAppAllowedState.state = 'enabled'

5. If you have previously configured number matching through the portal, you must also remove this setting from your payload. You can do this using the following command:

$body.featureSettings.Remove('numberMatchingRequiredState')

If you fail to perform this step, you will be met with the following error at the next step:

"code":"badRequest","message":"Persistance of policy failed with error: Microsoft Authenticator's number matching feature can no longer be toggled as part of featureSettings

6. Lastly, run the Invoke-MgGraphRequest command with the PATCH method to update your configuration:

Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH

7. Verify your configuration has changed using the following command:

(Invoke-MgGraphRequest -Uri $uri -Method GET).featureSettings.companionAppAllowedState

Copy and paste the full script below:

#Connect to Microsoft Graph with the permission needed to write the authentication methods policy
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

#Define the URI of the Microsoft Authenticator method configuration
$uri = "https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

#Get the current configuration (returned as a hash table)
$body = Invoke-MgGraphRequest -Uri $uri -Method GET

#Modify your payload: set the companion app state directly, since the current
#value may be 'default' (Microsoft managed) rather than 'disabled'
$body.featureSettings.companionAppAllowedState.state = 'enabled'

#Remove the deprecated number matching key, otherwise the PATCH is rejected
$body.featureSettings.Remove('numberMatchingRequiredState')

#Configure your new policy settings
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH

#Verify the change applied
(Invoke-MgGraphRequest -Uri $uri -Method GET).featureSettings.companionAppAllowedState
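The script above enables Authenticator Lite for everyone and echoes the whole GET payload back in the PATCH. As an added example (not from the original post), the following variant supports the staged rollout mentioned in the pre-requisites: it reads the current state, sends only the property being changed, and scopes the feature to a pilot group via the includeTarget of companionAppAllowedState before verifying the result. It assumes the Microsoft.Graph PowerShell module is installed, that includeTarget accepts targetType 'group' with either a group object id or the value 'all_users', and that $PilotGroupId is replaced with a real group id; the group id shown is a placeholder.

```powershell
# Added example, not the original post's script. Enables Authenticator Lite
# (companion app state) for a pilot group only and verifies the change.
# Assumption: includeTarget uses targetType 'group' with a group object id,
# or the special id 'all_users' to target the whole tenant.

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your pilot group's object id

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'

function Get-CompanionAppState {
    # Returns the companionAppAllowedState block: state, includeTarget, excludeTarget
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    return $policy.featureSettings.companionAppAllowedState
}

$before = Get-CompanionAppState
Write-Host ("Current state: {0} (target: {1}/{2})" -f $before.state, $before.includeTarget.targetType, $before.includeTarget.id)

# 'default' means Microsoft managed (enabled after 9 June 2023 unless you disable it).
# Only write when the state or the target differs from what we want, so the
# script is safe to re-run.
if ($before.state -eq 'enabled' -and $before.includeTarget.id -eq $PilotGroupId) {
    Write-Host 'Already enabled for the pilot group; nothing to change.'
}
else {
    # Minimal PATCH body: only the property being changed is sent, so the
    # deprecated numberMatchingRequiredState key from a GET never reaches the service.
    $patch = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        featureSettings = @{
            companionAppAllowedState = @{
                state         = 'enabled'
                includeTarget = @{
                    targetType = 'group'
                    id         = $PilotGroupId   # use 'all_users' to roll out to everyone
                }
            }
        }
    }

    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $patch

    $after = Get-CompanionAppState
    if ($after.state -ne 'enabled') {
        throw "Update did not apply: state is '$($after.state)'"
    }
    Write-Host ("Authenticator Lite is now '{0}' for target {1}/{2}" -f $after.state, $after.includeTarget.targetType, $after.includeTarget.id)
}
```

Run it once with a pilot group, confirm a member of that group is prompted to register Authenticator Lite in Outlook (and a non-member is not), then re-run with the id set to 'all_users' to complete the rollout. Because the script compares the current state and target before writing, it can be kept in a change pipeline and re-applied without producing spurious PATCH requests.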

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
