To enhance the security in Microsoft Authenticator I enabled App Lock with the assumption to prevent the "push approval" from lock screen without passcode or biometrics, obviously this had no affect at all. The App Lock feature only requires passcode or biometrics if the device is already unlocked, is this a limitation or a bug?
To summarize, passcode/biometrics is required for authentication if the devices is unlocked, approval still works without passcode/biometrics from lock screen.