|
| 1 | +--- |
| 2 | +title: How to enable Microsoft Authenticator Lite for Outlook mobile (preview) |
| 3 | +description: Learn about how to you can set up Microsoft Authenticator Lite for Outlook mobile to help users validate their identity |
| 4 | + |
| 5 | +services: active-directory |
| 6 | +ms.service: active-directory |
| 7 | +ms.subservice: authentication |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 03/14/2023 |
| 10 | + |
| 11 | +ms.author: justinha |
| 12 | +author: sabina-smith |
| 13 | +ms.reviewer: sabina-smith |
| 14 | +manager: amycolannino |
| 15 | + |
| 16 | +ms.collection: M365-identity-device-management |
| 17 | + |
| 18 | +# Customer intent: As an identity administrator, I want to encourage users to understand how default protection can improve our security posture. |
| 19 | +--- |
| 20 | +# How to enable Microsoft Authenticator Lite for Outlook mobile (preview) |
| 21 | + |
| 22 | +Microsoft Authenticator Lite is another surface for Azure Active Directory (Azure AD) users to complete multifactor authentication by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in [Outlook mobile](https://www.microsoft.com/microsoft-365/outlook-mobile-for-android-and-ios). |
| 23 | + |
| 24 | +Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in. |
| 25 | + |
| 26 | +## Prerequisites |
| 27 | + |
| 28 | +- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. |
| 29 | +- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience. |
| 30 | +- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite. |
| 31 | +- Users must run a minimum Outlook mobile version. |
| 32 | + |
| 33 | + | Operating system | Outlook version | |
| 34 | + |:----------------:|:---------------:| |
| 35 | + |Android | 4.2308.0 | |
| 36 | + |iOS | 4.2309.0 | |
| 37 | + |
| 38 | +## Enable Authenticator Lite |
| 39 | + |
| 40 | +By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and disabled during preview. After general availability, the Microsoft managed state default value will change to enable Authenticator Lite. |
| 41 | + |
| 42 | +| Property | Type | Description | |
| 43 | +|----------|------|-------------| |
| 44 | +| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group.| |
| 45 | +| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for Authenticator Lite, which can be a dynamic or nested group.| |
| 46 | +| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. | |
| 47 | + |
| 48 | +Once you identify the single target group, use the following API endpoint to change the **CompanionAppsAllowedState** property under **featureSettings**. |
| 49 | + |
| 50 | +```http |
| 51 | +https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator |
| 52 | +``` |
| 53 | + |
| 54 | +>[!NOTE] |
| 55 | +>In Graph Explorer, you need to consent to the **Policy.ReadWrite.AuthenticationMethod** permission. |
| 56 | +
|
| 57 | +### Request |
| 58 | + |
| 59 | +```http |
| 60 | +PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy |
| 61 | +Content-Type: application/json |
| 62 | + |
| 63 | +{ |
| 64 | + "CompanionAppAllowedState": { |
| 65 | + "state": "enabled", |
| 66 | + "excludeTargets": [ |
| 67 | + { |
| 68 | + "id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m", |
| 69 | + "targetType": "group" |
| 70 | + } |
| 71 | + ], |
| 72 | + "includeTargets": [ |
| 73 | + { |
| 74 | + "id": "all_users", |
| 75 | + "targetType": "group" |
| 76 | + } |
| 77 | + ] |
| 78 | + } |
| 79 | +} |
| 80 | +``` |
| 81 | + |
| 82 | + |
| 83 | +## User registration |
| 84 | +If enabled for Authenticator Lite, users are prompted to register their account directly from Outlook mobile. Authenticator Lite registration isn't available by using [MySignIns](https://aka.ms/mysignins). Users can also enable or disable Authenticator Lite from within Outlook mobile. For more information about the user experience, see [Authenticator Lite support](https://aka.ms/authappliteuserdocs). |
| 85 | + |
| 86 | + |
| 87 | +:::image type="content" border="true" source="./media/how-to-mfa-authenticator-lite/registration.png" alt-text="Screenshot of how to register Authenticator Lite."::: |
| 88 | + |
| 89 | +## Monitoring Authenticator Lite usage |
| 90 | +[Sign-in logs](/graph/api/signin-list) can show which app was used to complete user authentication. To view the latest sign-ins, use the following call on the beta API endpoint: |
| 91 | + |
| 92 | +```http |
| 93 | +GET auditLogs/signIns |
| 94 | +``` |
| 95 | + |
| 96 | +If the sign-in was done by phone app notification, under **authenticationAppDeivceDetails** the **clientApp** field returns **microsoftAuthenticator** or **Outlook**. |
| 97 | + |
| 98 | +If a user has registered Authenticator Lite, the user’s registered authentication methods include **Microsoft Authenticator (in Outlook)**. |
| 99 | + |
| 100 | +## Push notifications in Authenticator Lite |
| 101 | +Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. The settings for features included in the Authenticator Lite experience are listed in the following table. |
| 102 | + |
| 103 | +| Authenticator Feature | Authenticator Lite Experience| |
| 104 | +|:------------------------:|:----------------------------:| |
| 105 | +| Number Matching | Enabled | |
| 106 | +| Location Context | Disabled | |
| 107 | +| Application Context | Disabled | |
| 108 | + |
| 109 | +The following screenshots show what users see when Authenticator Lite sends a push notification. |
| 110 | + |
| 111 | +:::image type="content" border="true" source="./media/how-to-mfa-authenticator-lite/notification.png" alt-text="Screenshot of push notification in Outlook mobile."::: |
| 112 | + |
| 113 | +## AD FS adapter and NPS extension |
| 114 | + |
| 115 | +Authenticator Lite enforces number matching in every authentication. If your tenant is using an AD FS adapter or an NPS extension, your users may not be able to complete Authenticator Lite notifications. For more information, see [AD FS adapter](how-to-mfa-number-match.md#ad-fs-adapter) and [NPS extension](how-to-mfa-number-match.md#nps-extension). |
| 116 | + |
| 117 | +To learn more about verification notifications, see [Microsoft Authenticator authentication method](concept-authentication-authenticator-app.md). |
| 118 | + |
| 119 | +## Common questions |
| 120 | + |
| 121 | +### Does Authenticator Lite work as a broker app? |
| 122 | +No, Authenticator Lite is only available for push notifications and TOTP. |
| 123 | + |
| 124 | +### Can Authenticator Lite be used for SSPR? |
| 125 | +No, Authenticator Lite is only available for push notifications and TOTP. |
| 126 | + |
| 127 | +### Is this available in Outlook desktop app? |
| 128 | +No, Authenticator Lite is only available on Outlook mobile. |
| 129 | + |
| 130 | +### Where can users register for Authenticator Lite? |
| 131 | +Users can only register for Authenticator Lite from mobile Outlook. Authenticator Lite registration can be managed from [aka.ms/mysignins](https://aka.ms/mysignins). |
| 132 | + |
| 133 | +### Can users register Microsoft Authenticator and Authenticator Lite? |
| 134 | + |
| 135 | +Users that have Microsoft Authenticator on their device can't register Authenticator Lite. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other. |
| 136 | + |
| 137 | +## Next steps |
| 138 | + |
| 139 | +[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md) |
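Review bot: The **Enable Authenticator Lite** section is internally inconsistent about both the property name and the endpoint, so a reader copying the request cannot tell which to use. The prose says to change **CompanionAppsAllowedState** under **featureSettings**, but the request body sends `"CompanionAppAllowedState": {` at the top level with no `featureSettings` wrapper, and the first `http` block points at `https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator` (no `policies/` segment) while the request block uses `PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy`; settle on one spelling, one resource path, and one body shape, and make the prose and the sample agree. Smaller points in the same region: the sample group `id` `s4432809-3bql-5m2l-0p42-8rq4707rq36m` contains non-hex characters and is not a valid GUID, so an obvious placeholder would be clearer; `GET auditLogs/signIns` in **Monitoring Authenticator Lite usage** should carry the same `https://graph.microsoft.com/beta/` base as the other calls, and **authenticationAppDeivceDetails** is misspelled there; and the **Common questions** answer that registration "can be managed from aka.ms/mysignins" reads as contradicting the **User registration** paragraph, which states registration isn't available via MySignIns, so one of the two should say explicitly whether MySignIns can only view or remove the method rather than register it. The `description:` front-matter value also has a typo ("how to you can set up").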