How to enable Microsoft Authenticator Lite for Outlook mobile
Microsoft Authenticator Lite is another surface for Microsoft Entra users to complete multifactor authentication by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in Outlook mobile.
Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in.
Note
These are important security enhancements for users authenticating via telecom transports:
- On June 26, the Microsoft managed value of this feature changed from Disabled to Enabled in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from Default to Disabled or scope it to only a group of users.
- Starting September 18, Authenticator Lite will be enabled as part of the *Notification through mobile app verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below.
Prerequisites
Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. We recommend enabling Microsoft Authenticator by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature.
Tip
We recommend that you also enable system-preferred multifactor authentication (MFA) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
Users must run a minimum Outlook mobile version.
Operating system Outlook version Android 4.2310.1 iOS 4.2312.1
Enable Authenticator Lite
By default, Authenticator Lite is Microsoft managed in the Authentication methods policy. On June 26, the Microsoft managed value of this feature changed from ‘disabled’ to ‘enabled’. Authenticator Lite is also included as part of the Notification through mobile app verification option in the per-user MFA policy.
Disabling Authenticator Lite in the Microsoft Entra admin center
To disable Authenticator Lite in the Microsoft Entra admin center, complete the following steps:
Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
Browse to Protection > Authentication methods > Microsoft Authenticator.
On the Enable and Target tab, click Enable and All users to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to Any or Push.
Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
On the Configure tab, for Microsoft Authenticator on companion applications, change Status to Disabled, and click Save.
Note
If your organization still manages authentication methods in the per-user MFA policy, you need to disable Notification through mobile app as a verification option there in addition to the preceding steps. We recommend doing this only after you enable Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend migrating management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2025.
Enable Authenticator Lite via Graph APIs
| Property | Type | Description |
|---|---|---|
| excludeTarget | featureTarget | A single entity that is excluded from this feature. You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group. |
| includeTarget | featureTarget | A single entity that is included in this feature. You can only include one group for Authenticator Lite, which can be a dynamic or nested group. |
| State | advancedConfigState | Possible values are: enabled explicitly enables the feature for the selected group. disabled explicitly disables the feature for the selected group. default allows Microsoft Entra ID to manage whether the feature is enabled or not for the selected group. |
Once you identify the single target group, use the following API endpoint to change the CompanionAppsAllowedState property under featureSettings.
https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
Note
In Graph Explorer, you need to consent to the Policy.ReadWrite.AuthenticationMethod permission.
Request
//Retrieve your existing policy via a GET.
//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.
//Change the Query to PATCH and Run query
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
"id": "MicrosoftAuthenticator",
"state": "enabled",
"isSoftwareOathEnabled": false,
"excludeTargets": [],
"featureSettings": {
"companionAppAllowedState": {
"state": "enabled",
"includeTarget": {
"targetType": "group",
"id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m"
},
"excludeTarget": {
"targetType": "group",
"id": "00000000-0000-0000-0000-000000000000"
}
}
},
"includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [
{
"targetType": "group",
"id": "all_users",
"isRegistrationRequired": false,
"authenticationMode": "any"
}
]
}
User registration
If enabled for Authenticator Lite, users are prompted to register their account directly from Outlook mobile. Authenticator Lite registration isn't available by using MySignIns. Users can also enable or disable Authenticator Lite from within Outlook mobile. For more information about the user experience, see Authenticator Lite support.
Note
If they don't have any MFA methods registered, users are prompted to download Authenticator when they begin the registration flow. For the most seamless experience, provision users with a Temporary Access Pass (TAP) that they can use during Authenticator Lite registration.
Monitoring Authenticator Lite usage
Sign-in logs can show which app was used to complete user authentication. To view the latest sign-ins, use the following call on the beta API endpoint:
GET auditLogs/signIns
If the sign-in was done by phone app notification, under authenticationAppDeviceDetails the clientApp field returns microsoftAuthenticator or Outlook.
If a user has registered Authenticator Lite, the user’s registered authentication methods include Microsoft Authenticator (in Outlook).
Push notifications in Authenticator Lite
Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. Authenticator Lite doesn't support passwordless authentication mode. The settings for features included in the Authenticator Lite experience are listed in the following table. Every authentication includes a number matching prompt and does not include app and location context, regardless of Microsoft Authenticator feature settings.
| Authenticator Feature | Authenticator Lite Experience |
|---|---|
| Number Matching | Enabled |
| Location Context | Disabled |
| Application Context | Disabled |
The following screenshots show what users see when Authenticator Lite sends a push notification.
AD FS adapter and NPS extension
Authenticator Lite enforces number matching in every authentication. If your tenant is using an AD FS adapter or an NPS extension, your users may not be able to complete Authenticator Lite notifications. For more information, see AD FS adapter and NPS extension.
To learn more about verification notifications, see Microsoft Authenticator authentication method.
Common questions
Does Authenticator Lite work as a broker app?
No, Authenticator Lite is only available for push notifications and TOTP.
Can Authenticator Lite be used for SSPR?
No, Authenticator Lite is only available for push notifications and TOTP.
Is this available in Outlook desktop app?
No, Authenticator Lite is only available on Outlook mobile.
Where can users register for Authenticator Lite?
Users can only register for Authenticator Lite from mobile Outlook. Authenticator Lite registration can be managed from aka.ms/mysignins.
Can users register Microsoft Authenticator and Authenticator Lite?
Users that have Microsoft Authenticator on their device can't register Authenticator Lite on that same device. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other.
Known Issues
SSPR Notifications
TOTP codes from Outlook will work for SSPR, but the push notification will not work and will return an error.
Logs are showing additional Conditional Access evaluations
The Conditional Access policies are evaluated each time a user opens their Outlook app, in order to determine whether the user is eligible to register for Authenticator Lite. These checks may appear in logs.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for