Enable Passwordless Authentication with Azure AD
Organizations can now implement passwordless authentication across hybrid environments with confidence since passwordless authentication is generally available. With one seamless experience across a range of devices and services, Microsoft is committed to providing a familiar and easy-to-use experience.
As part of Azure AD, Microsoft offers three different types of passwordless authentication that you can choose from to accommodate the different types of roles you are likely to find in an organization.
The Microsoft Authenticator app provides users with the most accessible way to implement passwordless authentication. Microsoft Authenticator app provides security and convenience without requiring big investments in hardware, including SMS, FIDO2, and Windows Hello for Business. This article explains how to use Microsoft Authenticator without a password.
I recently published a post about the Passwordless Authentication & it’s approach to identity management and why it has become a standard practice in Identity and Access Management. Please take a few minutes to read it, if you have not already.
How to Enable Passwordless Authentication for Azure AD identities
Log in to Azure AD here.
Click Azure Active Directory under Favorites on the left of the portal window.
In the Azure AD pane, scroll down the list of options on the left, and click Security under Manage.
Select the Microsoft Authenticator method,
Set the policy to Enabled state, and finally
Select the Group that contains your Pilot set of users. i Selected my Pilot group
Select 3(…) horizontal dots and click on Configure.
In Configure screen, Please select the Authentication mode to enable for your tenant
Finally Click on Save to enable Configuration
Self-register Microsoft Authenticator
Before using passwordless sign-in, users need to register the Microsoft Authenticator app as an authentication method. Microsoft Authenticator users who have already registered the app to use it with multifactor authentication will not have to register it again to use it with passwordless logins.
Users have the option to choose passwordless authentication once passwordless authentication is enabled in the tenant. The Microsoft Authenticator app can also be used to set up work or school accounts, but it works best if the user has at least one multifactor authentication factor already registered in advance or a Temporary Access Pass. The temporary access pass is a new feature, available in public preview right now, that gives users a time-limited code that can be used for passwordless credentials.
Sign in for Passwordless registration via MySecurity Info using Microsoft's Authenticator app.
Click Add method
Choose the method from selection, such as Authenticator app
After selecting Authenticator App, Click Add
A wizard guides "the user" through the process of adding and configuring the auth method, starting with instructing the user to download and install Microsoft Authenticator. During the first step, the user is required to download and install the Microsoft Authenticator application. Click Next.
The user is prompted with a prompt from the wizard on how to add an account in Authenticator. Click Next.
Adding an account is now accomplished by scanning a QR code that is displayed in the wizard.
At a mobile device, please perform the following steps:
1) Download Microsoft Authenticator App
2) Select Scan a QR Code
3) Allow Authenticator to access the camera of device.
4) Allow Authenticator to send you notifications and scan the QR code.
5) Approve the Authentication step
Back on the securityInfo page, Click Next.
Now perform the following steps on configured Authenticator app on device
1) Click on your Configured account.
2) Select Enable phone sign-in
3) Select Continue to set passcode on device & Device registration with Azure AD
4) Provide your account password.
5) Approve the request on app.
6) Select Register to continue
7) Verify that Passwordless enabled on your App.
Additionally, the icon for the Microsoft Authenticator authentication method has changed from 2FA to Passwordless in MySecurity Info.
End User Experience
Login to any app with your work account such as Outlook Web access (OWA)
Select Use an app instead.
Passwordless sends a push notification to the Authenticator App on the device registered and enabled for Passwordless when the app sign-in option is selected.
Following the user's selection of the right number from the options, the sign-in request gets approved, and authentication is completed successful.
Authentication activities will automatically trigger a push to the Authenticator app, so the user does not have to enter a password. The passwordless auth method can be used if needed, but a password can also be entered in its place if the passwordless auth method cannot be used.
The process of configuring passwordless sign-in can seem overwhelming at the beginning. Passwordless sign-in also provides a more secure user experience when compared with a traditional password-based authentication method, such as two-factor authentication.