Hi Omid Shojaee,
Thank you for choosing Microsoft community.
Based on my knowledge, if security defaults are turned on, MFA (multi-factor authentication) is enforced and asks for using only the Microsoft Authenticator app using notifications - which means app password is not applicable. (Methods in MFA mainly include authenticator app, phone call, text message and app password.)
Policies enforced
Deployment considerations
App password is an old way of authentication and is recommended for desktop apps which don't support modern authentication. For Office 2013 clients and later desktop apps which support modern authentication, it's recommended to use two-step authentication (or MFA). And users can always Change your two-step verification method and settings (microsoft.com).
(Since there are an abundant cases regarding the lock of authenticator app, it's recommended that users set up at least 2 verification methods, i.e: authenticator app + text message, in case one of the method becomes unavailable. )
So far as I know, app passwords are usually applied to desktop apps. If most apps for your users are web-based, app passwords might not be necessary. And I've further checked that main apps included in Business Basic are Office apps for the web, that may be the reason @Palcouk said so.
Microsoft 365 Business Basic | Microsoft 365
If you still prefer app passwords as the way for authentication, you may turn off security defaults and maybe enable per-user MFA to check if it's applicable.
Hope it helps! If any update, welcome to share with us.
Thanks & Stay safe,
Qian
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
