Restrict password usage on Microsoft Entra apps

Passwords are one of the weakest methods of service authentication and are vulnerable to compromise by bad actors. Microsoft recommends that organizations switch applications in their tenant to a more secure credential method. This improves security and reduces management overhead.

Tenant administrators can block the addition of new passwords to applications in their tenant. This should eventually deprecate password usage in their organization as apps modernize their credential methods and existing passwords expire. Administrators can also speed up this process by identifying apps with existing passwords and removing them.

Block password addition

New password addition can be blocked in the Microsoft 365 admin center.

  1. Go to the admin center and select Org settings.
  2. Select Restricted Mode, find the Block addition of new password credentials to apps setting, and switch the toggle to On.

Password addition can also be blocked using the Microsoft Entra admin center. For more information, see the app management policy usage documentation.

Enabling this setting blocks the addition of passwords to both new and existing apps. You can gauge the impact of enabling this setting by identifying recent password addition activity. From the Microsoft 365 admin center:

  1. Go to the admin center and select Org settings.
  2. Select Restricted Mode, find the Block addition of new password credentials to apps setting.
  3. Select download report to view password additions in your organization in the last 30 days.

Remove existing passwords

Blocking addition of new passwords doesn't affect existing passwords. Existing apps using passwords can be identified using the Microsoft 365 admin center.

  1. Go to the admin center and select Org settings.
  2. Select Restricted Mode, find the Block addition of new password credentials to apps setting.
  3. Select download report to view existing apps with passwords.

Apps using passwords should be modernized before their existing passwords are removed. Developers should follow the credential guidance to modernize the apps they own. Passwords on existing applications can be removed using the Microsoft Entra admin center, Microsoft Graph PowerShell, or the Microsoft Graph API.
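As an added example (not code from the Microsoft page), the identify-and-remove step above done with Microsoft Graph PowerShell: it inventories the password (client secret) credentials on every app registration and removes only the ones that have already expired, which can no longer authenticate but still show up in the report. Cmdlet names come from the Microsoft.Graph.Applications module; the Application.ReadWrite.All scope and the sample app objects are assumptions.

```powershell
# Added example, not from the Microsoft page. Requires Microsoft.Graph.Applications;
# the live section assumes the signed-in account holds Application.ReadWrite.All.

function Get-AppPasswordInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Applications,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($app in $Applications) {
        foreach ($cred in @($app.PasswordCredentials)) {
            [pscustomobject]@{
                DisplayName = $app.DisplayName
                ObjectId    = $app.Id            # object id expected by Remove-MgApplicationPassword
                KeyId       = $cred.KeyId
                Expires     = $cred.EndDateTime
                Expired     = ($cred.EndDateTime -lt $Now)
            }
        }
    }
}

function Remove-ExpiredAppPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [object[]] $Inventory)
    foreach ($row in $Inventory | Where-Object Expired) {
        # -WhatIf previews; without it the expired secret is deleted from the app registration.
        if ($PSCmdlet.ShouldProcess("$($row.DisplayName) secret $($row.KeyId)", 'Remove expired password')) {
            Remove-MgApplicationPassword -ApplicationId $row.ObjectId -KeyId $row.KeyId
        }
    }
}

# Live run against a tenant (uncomment): list every app that still has a secret, then preview removals.
# Connect-MgGraph -Scopes 'Application.ReadWrite.All'
# $apps = Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials
# $inv  = Get-AppPasswordInventory -Applications $apps
# $inv | Sort-Object Expires | Format-Table DisplayName, KeyId, Expires, Expired
# Remove-ExpiredAppPasswords -Inventory $inv -WhatIf

# Constructed sample input (no tenant needed) showing the shape of the inventory output.
$sample = @(
    [pscustomobject]@{
        Id = '00000000-0000-0000-0000-000000000001'; DisplayName = 'legacy-batch-job'
        PasswordCredentials = @(
            [pscustomobject]@{ KeyId = 'k1'; EndDateTime = (Get-Date).ToUniversalTime().AddDays(-10) },
            [pscustomobject]@{ KeyId = 'k2'; EndDateTime = (Get-Date).ToUniversalTime().AddDays(90) }
        )
    },
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; DisplayName = 'cert-based-app'; PasswordCredentials = @() }
)
Get-AppPasswordInventory -Applications $sample | Format-Table -AutoSize
```

Secrets that are still valid are deliberately left alone, in line with the guidance above to modernize the app before removing its password.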
