Last Update: Nov 19, 2024 | Published: Mar 04, 2021
Microsoft announced at its Ignite conference, which ran March 2nd – 4th 2021, that passwordless authentication is now generally available. Microsoft has been pushing passwordless over the past couple of years as a more secure way to provide access than passwords and multifactor authentication.
Now that passwordless authentication is generally available, organizations can roll out passwordless across hybrid environments with confidence. Microsoft has been working hard to provide a familiar and simple to use experience that works with a wide range of devices and services.
The most accessible way for users to start with passwordless authentication is using the Microsoft Authenticator app. While SMS, FIDO2 security keys, and Windows Hello for Business are also supported, the Microsoft Authenticator app provides a good balance between security and convenience without a big investment in hardware. So, in this article, I’ll show you how to enable passwordless authentication with the Microsoft Authenticator app.
The ‘combined registration’ experience must be enabled in Azure AD (recently renamed Microsoft Entra ID) to use passwordless authentication. Combined registration brings together the registration experience for Azure MFA and self-service password reset. Beginning August 15th 2020, all new Azure AD tenants are automatically opted in for combined registration. But if you have an Azure AD tenant that was provisioned before that date, you’ll need to enable it manually.
You can enable combined registration by logging in to Azure AD using a global administrator account.
Optionally, you can click Selected and then pick a group of users instead of enabling combined registration for all users in the directory.
Users must register the Microsoft Authenticator app as an authentication method before they can use passwordless sign-in. If users have already registered Microsoft Authenticator for use with multifactor authentication, they won’t need to reregister the app for use with passwordless sign-in.
You can enable multifactor authentication for users, either individually or in bulk, in the Microsoft 365 admin portal. For detailed instructions on how to set up multifactor authentication, see Enable Multi-Factor Authentication for Office 365 Users on Petri. Regardless of whether users are set up for passwordless sign-in, multifactor authentication should still be enabled and enforced to protect passwords.
If users need to add Microsoft Authenticator as an authentication method, they can do so on the My Sign-ins page. Users will need to click Security info in the list of options on the left, click + Add method on the Security info screen, and then follow the on-screen instructions. Users can also choose ‘Microsoft Authenticator – notification’ as the default sign-in method.
Now that all the prerequisites are in place, you can enable passwordless sign-in for users in your Azure AD tenant.
Alternatively, you can set TARGET to Select users and enable passwordless sign-in for a group instead of all users in the directory.
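The same admin-side steps can be scripted against Microsoft Graph rather than clicked through in the portal. The following is an added example, not code from the Petri article or from Microsoft: it builds the Microsoft Authenticator authentication-method policy body that enables passwordless sign-in for all users or for one group (the equivalent of the Select users option above), and it reads the user registration details report to list users who are targeted but have not yet registered Authenticator for passwordless sign-in, which is the registration state the earlier section says every user needs before the feature works. The Graph endpoints, permissions and field names are the documented ones; the sample report rows, the group id and the GRAPH_TOKEN environment variable are constructed for illustration.

```python
"""Enable Microsoft Authenticator passwordless sign-in via Microsoft Graph and
audit who has actually registered it. Added example; not the article's code."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Authentication method policy for the Microsoft Authenticator method.
POLICY_URL = (f"{GRAPH}/policies/authenticationMethodsPolicy/"
              "authenticationMethodConfigurations/microsoftAuthenticator")
# Registration report: one row per user with the methods they registered.
REPORT_URL = f"{GRAPH}/reports/authenticationMethods/userRegistrationDetails"


def build_authenticator_policy(group_id=None, mode="any"):
    """Return the PATCH body that enables Microsoft Authenticator.

    group_id=None targets every user (the special id "all_users"), matching
    the article's default; a group object id matches the Select users option.
    mode "any" allows both push MFA approval and passwordless phone sign-in;
    "push" would restrict the method to MFA notifications only.
    """
    if mode not in ("any", "push", "deviceBasedPush"):
        raise ValueError(f"unsupported authenticationMode: {mode}")
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [{
            "targetType": "group",
            "id": group_id or "all_users",
            "isRegistrationRequired": False,
            "authenticationMode": mode,
        }],
    }


def passwordless_gaps(rows):
    """Return users from userRegistrationDetails rows who cannot yet sign in
    passwordlessly with Authenticator. The passwordless credential shows up
    in 'methodsRegistered' as 'microsoftAuthenticatorPasswordless'; a plain
    MFA registration shows as 'microsoftAuthenticatorPush' only."""
    missing = []
    for row in rows:
        methods = set(row.get("methodsRegistered", []))
        if "microsoftAuthenticatorPasswordless" not in methods:
            missing.append({
                "user": row["userPrincipalName"],
                # Users with no MFA method at all need a Temporary Access Pass
                # or another factor before they can set up the app.
                "mfaRegistered": bool(row.get("isMfaRegistered")),
            })
    return missing


def graph_request(url, token, method="GET", body=None):
    """Minimal Graph call. The PATCH needs Policy.ReadWrite.AuthenticationMethod;
    the report needs AuditLog.Read.All and UserAuthenticationMethod.Read.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # PATCH returns 204 with an empty body
        return json.loads(raw) if raw else {}


def enable_authenticator(token, group_id=None):
    """Apply the policy to the tenant (explicit call; not run automatically)."""
    return graph_request(POLICY_URL, token, "PATCH",
                         build_authenticator_policy(group_id))


# Constructed sample of report rows, shaped like the Graph response's 'value'.
SAMPLE_REPORT = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush",
                           "microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
]

if __name__ == "__main__":
    print(json.dumps(build_authenticator_policy(), indent=2))
    for gap in passwordless_gaps(SAMPLE_REPORT):   # offline run on the sample
        print(gap)
    token = os.environ.get("GRAPH_TOKEN")          # constructed variable name
    if token:                                      # live read-only audit
        live = graph_request(REPORT_URL, token).get("value", [])
        print(passwordless_gaps(live))
```

Run it without a token to see the policy body and the audit logic on the sample rows; with a token that has the read permissions, it audits the live tenant, and `enable_authenticator(token)` applies the policy when you are ready. Keeping the PATCH behind an explicit call means an audit run can never change tenant policy by accident.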
Once your Azure AD tenant is set up for passwordless sign-in, users must set up the feature using the Microsoft Authenticator app. It’s worth noting that passwordless sign-in via the Microsoft Authenticator app can only be configured for one account at a time on a device.
Passwordless sign-in should now be enabled for the account. You can click the account again in the list of accounts to check that ‘Passwordless enabled’ is displayed on the account screen.
Once passwordless authentication is enabled in your tenant, users have the option to switch when it’s convenient for them. Users can also set up their work or school account directly in the Microsoft Authenticator app, although it works best if users have at least one multifactor authentication factor registered in advance or have a Temporary Access Pass. Temporary Access Pass is a new feature, currently in public preview, that provides a time-limited code for setting up and recovering passwordless credentials.
Now that it has hit general availability, there are lots of improvements to passwordless authentication that were missing at the start of the preview in July 2019. Admins can now see and delete passwordless methods on the User blade in the Azure admin center. Registration and usage information for all authentication methods is also visible in the Authentication methods activity blade.
And finally, Windows Hello for Business is brought more closely into authentication methods management. Users and admins can see Windows Hello for Business-capable devices at the security info registration portal and the Azure portal User blade. Windows Hello for Business registration and usage is also captured in reporting.