At Dynamic People we are already very familiar with using Multi-Factor Authentication in our Microsoft 365 tenant with the Microsoft Authenticator app. I have been following Microsoft's promises surrounding passwordless login for a while now. Testing out Azure AD's newest feature, passwordless sign-in with the Microsoft Authenticator app, was the next logical step in this journey.
There are some prerequisites you need to think about:
- You should already have an MFA strategy in place, and your policy must allow MFA using push notifications from the Microsoft Authenticator app.
- The latest version of Microsoft Authenticator must be installed on the user's iOS or Android device.
Combined registration experience
Passwordless sign-in with the Microsoft Authenticator app requires another feature to be enabled first: the combined security information registration experience. Since August 15th 2020 it is turned on by default in all new Azure AD tenants; in older tenants you enable it as follows:
- Sign in to the Azure portal as a User Administrator or Global Administrator.
- Go to Azure Active Directory > User settings > Manage user feature preview settings.
- Under Users can use the combined security information registration experience, choose either a group or All users.
This changes the look and feel of MFA registration and self-service password reset to the https://myaccount.microsoft.com environment, so test it first and update your end-user documentation.
Enable for the end-user
Now the steps for enabling passwordless sign-in for the end-user, done by the administrator:
- Sign in to the Azure portal as a User Administrator or Global Administrator.
- Go to Azure Active Directory > Security > Authentication methods > Authentication method policy (preview).
- Enable the Microsoft Authenticator (preview) method.
- Set the target to All users or a selected group (a pilot group is a good idea) and click Save.
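The same policy change can be scripted against Microsoft Graph, which is handy if you want it repeatable or want to see exactly what the portal sets. The following PowerShell is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell module is installed, that you sign in with an account that may manage authentication method policy (Global Administrator or Authentication Policy Administrator), and it uses the Graph beta endpoint because the policy was still in preview when this was written.

```powershell
# Added example (not from the original post): enable the Microsoft Authenticator
# authentication method policy through Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph module installed; signed-in account may manage
# authentication method policy; the beta policy endpoint is used (preview feature).

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

# Read the current state first, so you can see what you are changing.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"Before: state=$($before.state)"

# "all_users" is the well-known target id Graph accepts for all users; replace it
# with the object id of a real group to pilot with a smaller set first.
# authenticationMode "any" allows both passwordless phone sign-in and plain push MFA.
$body = @{
    "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = "all_users"
            isRegistrationRequired = $false
            authenticationMode     = "any"
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Verify that the change landed.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"After: state=$($after.state)"
$after.includeTargets | ForEach-Object { "  target $($_.id) mode=$($_.authenticationMode)" }
```

Reading the configuration back after the PATCH is the important part: the portal and the script write the same object, so the GET tells you what the tenant will actually enforce once the change has propagated.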
Enable as the end-user
Enabling passwordless sign-in as the end-user goes as follows:
- Browse to https://aka.ms/mfasetup
- Sign in and add the Authenticator app by clicking Add method > Authenticator app > Add.
- Follow the on-screen instructions.
- Click Done to complete the setup.
Once the app is configured (or if it already was), the following steps turn on phone sign-in:
- In the Microsoft Authenticator app, tap your account and choose Enable phone sign-in.
- Follow the in-app instructions. This step also registers the phone with Azure AD, and the phone must have a screen lock (PIN or biometric) set.
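As an administrator you will want to check that users actually completed the registration before you tell them to stop typing passwords. The PowerShell below is an added example, not code from the original post: it lists the Microsoft Authenticator registrations Graph holds for one user. It assumes the Microsoft.Graph module and an account permitted to read users' authentication methods (for example Authentication Administrator); the user principal name is a placeholder. This confirms the app registration exists; to confirm that a passwordless sign-in actually happened, look at the Azure AD sign-in logs.

```powershell
# Added example (not from the original post): list a user's registered
# Microsoft Authenticator apps to verify the end-user steps were completed.
# Assumptions: Microsoft.Graph module installed; signed-in account may read
# users' authentication methods; $upn is a placeholder.

Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

$upn = "user@contoso.com"   # placeholder, replace with the user to check
$uri = "https://graph.microsoft.com/v1.0/users/$upn/authentication/microsoftAuthenticatorMethods"

$methods = Invoke-MgGraphRequest -Method GET -Uri $uri

if (-not $methods.value -or $methods.value.Count -eq 0) {
    "No Microsoft Authenticator registered for $upn; the user still has to add the app."
} else {
    foreach ($m in $methods.value) {
        # displayName is the phone's name, phoneAppVersion the installed app version
        "$upn : $($m.displayName) (app $($m.phoneAppVersion)) registered $($m.createdDateTime)"
    }
}
```

Run this across a pilot group before widening the policy target; a user with no Authenticator registered will simply keep seeing the password prompt.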
Just a few hours later
With this configured, passwordless login becomes available after a few hours, once the policy has propagated to the many Microsoft services that use Azure AD for sign-in, including applications registered in Azure AD. Signing in then works as follows: enter your email address, the sign-in page shows a number, the Microsoft Authenticator app shows three numbers, and you tap the one that matches the screen. This number matching is what makes the method safe against blindly approved push notifications: the user has to be looking at the sign-in page to pick the right number.
This feature has been generally available since Microsoft Ignite and all Microsoft services hook into Azure AD sign-in, so yes, if you want, you can go passwordless! Keep in mind that the account's password is not removed: it remains a valid credential, so keep MFA enforcement in place for sign-ins that still use it.