Deleted app passwords for Multi-Factor Authentication still work in Office 365, Azure, or Intune

Note

Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.

PROBLEM

After you delete an app password that's used for Azure Multi-Factor Authentication, the app password appears to continue to work.

CAUSE

This problem occurs because the token that's acquired after a user successfully signs in by using an app password continues to work until the token expires. The token works only on devices on which the user successfully signed in.

SOLUTION

Wait for the token to expire. This may take from 8 to 24 hours, depending on the service that the user is accessing. This practice follows the same guidelines for when passwords are changed or when users are deleted.

MORE INFORMATION

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.