Today in this blog post, let us check out the Azure AD Passwordless Phone sign-in method with the Microsoft Authenticator app.
What’s the Buzz with Passwordless
Microsoft announced general availability of passwordless authentication in Azure AD at its Ignite event in March 2021, so in this blog post let us look at the different passwordless authentication offerings that are available to users.
Microsoft's passwordless offerings with Azure AD give you three options that cover the different authentication types (computer sign-in or web sign-in) and suit the different roles found in an organization, as shown below.
| Hardware Based | Software Based | Platform Based |
| --- | --- | --- |
| FIDO2 Security Keys | Phone Sign-in with Microsoft Authenticator app | Windows Hello for Business |
If you have not read it yet, my previous blog post talked about the benefits of going Passwordless and why this particular development in Identity and Access management has remained a top buzzword since 2019. Give it a read!
Requirements for Azure AD Passwordless Phone sign-in with MS Authenticator App
To test and implement passwordless authentication in the environment, you must have
- a pilot group created to contain users who will be testing the passwordless deployment.
- a minimum of an Azure AD Premium P1 license assigned to the pilot users, so that they can use MFA and SSPR.
- the pilot users already registered for Azure AD MFA before they start using passwordless auth methods.
Further, at tenant level, you need to
- enable combined registration for Azure AD Multi-Factor Authentication and self-service password reset (SSPR)
All new tenants created on or after Aug 15, 2020 are already provisioned with the combined registration experience enabled.
For tenants provisioned before the mentioned date, in the AAD portal, when you navigate to Security > Authentication methods, you should see the notification as highlighted below.
Click on the notification and you will be taken to this screen. You can safely enable the “combined experience” for All Users.
As a note, you can also enable this “combined experience” from User settings using the highlighted option.
Enable Passwordless Authentication methods in Azure AD
In the Azure AD portal, Security > Authentication method is the hub to control Passwordless auth policies.
Here you will see options for
- FIDO2 Security Key which is hardware-based
- Microsoft Authenticator which is software-based
- Text message (in preview), and finally
- Temporary Access Pass (in preview)
Temporary Access Pass is a short-lived authentication method whose purpose is to let users log in to My Security info at https://mysignins.microsoft.com/security-info without an actual password and register any of the strong authentication methods (including passwordless). It is especially useful in a fully passwordless environment for new users, or for existing users who need to register a new auth method.
Do check out my posts on Azure AD Temporary Access Pass to learn about it and how you can generate a TAP in bulk using the MS Graph API and PowerShell.
You won’t notice the Windows Hello option here as it is platform-specific and is controlled/configured from a different location.
Enable Microsoft Authenticator Authentication method policy
From the list of available passwordless authentication methods from Security > Authentication method,
- Select the Microsoft Authenticator method,
- Set the policy to Enabled state, and finally
- Select the Group that contains your pilot users.
Click on the 3 horizontal dots, then click on Configure in the context menu to set the type of Microsoft Authenticator auth method the users will be enabled for, either
- Passwordless-only auth method, or
- Push, or
- Any (passwordless sign-in + app push notification)
Here I have gone with the default, which is Any.
Note that users configured to use passwordless-only auth need to use the Microsoft Authenticator in-app registration and won’t be able to register the auth method from My Security info.
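The same policy can also be set and verified from Microsoft Graph rather than the portal. The block below is an added example (not a script from the original post) and assumes the Microsoft.Graph PowerShell SDK is installed; the pilot group ID is a placeholder you replace with your own group's object ID. The portal choices map to the Graph `authenticationMode` values: Passwordless-only is `deviceBasedPush`, Push is `push`, and Any is `any`.

```powershell
# Added example, not from the original post: enable the Microsoft Authenticator
# authentication method policy for a pilot group via Microsoft Graph, then read it
# back to confirm the policy is enabled and scoped to that group only.
$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group's object ID

# Portal option -> Graph authenticationMode value
#   Passwordless-only -> deviceBasedPush
#   Push              -> push
#   Any               -> any   (the default chosen in the post)
$Mode = "any"

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

# Enable the method and target the pilot group, not All users.
$Body = @{
    "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $PilotGroupId
            isRegistrationRequired = $false
            authenticationMode     = $Mode
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $Body -ContentType "application/json"

# Read the policy back and check for the two common mistakes: policy left disabled,
# or the default "all_users" target still present alongside the pilot group.
$Policy = Invoke-MgGraphRequest -Method GET -Uri $Uri
if ($Policy.state -ne "enabled") { Write-Warning "Microsoft Authenticator policy is not enabled" }
foreach ($Target in $Policy.includeTargets) {
    if ($Target.id -eq "all_users") { Write-Warning "Policy still targets all users, not only the pilot group" }
    "{0,-6} {1,-38} mode={2}" -f $Target.targetType, $Target.id, $Target.authenticationMode
}
```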
Up to this point, the configuration items shown above are the IT admin's responsibility to configure for the end users. What follows are the actions required on the end-user side to enable and start using the Passwordless sign-in method.
Register Microsoft Authenticator app for Passwordless Phone sign-in via MySecurity Info
The user needs to sign in to https://aka.ms/mysecurityinfo and from there use the Add method option to add Authenticator app as an authentication method.
The user is provided with a guided wizard to add and configure the auth method. The wizard starts by asking the user to download and install the Microsoft Authenticator app on their mobile device. Click Next.
Note that there is also an option to use a different authenticator app, but that works only for 2FA and not for Passwordless sign-in.
The wizard then prompts the user with how to add an account in the Authenticator app. Click Next.
The wizard now displays a QR code that the user needs to scan with the Microsoft Authenticator app to add the account.
If the user is using Microsoft Authenticator app for the first time, launching the app should mostly present the user with the screen as shown below. The user has the option to Scan the QR code to add an account.
If the user is already using the Microsoft Authenticator app with a personal account, then within the Authenticator app the user needs to tap the Add symbol to add another account and choose the account type Work or School to get the Scan QR code option.
As the user scans the QR code with the Authenticator app, the account gets added to the app. The wizard automatically sends a push notification to the Microsoft Authenticator app asking the user to approve the sign-in, which confirms the account setup.
Once the user approves the sign-in notification, the process is complete.
If the user approves the sign-in notification within the session timeout, the wizard shows the notification has been approved. The user can click on Next to exit the wizard.
This completes the addition of the work account to the Microsoft Authenticator app on the device.
The authentication method also gets added to the user profile and can be managed from the MySecurity Info as usual.
Enable Microsoft Authenticator app for Passwordless Phone sign-in
The user now needs to enable Passwordless phone sign-in within the organization (work) account added in the Microsoft Authenticator app.
When the user opens the work account in the Authenticator app, there is an option to Enable phone sign-in. The user needs to tap on it. The app will then show the two pre-requisites for enabling phone sign-in:
- Device registration
- Device lock [If you already have a device passcode set, this will be marked green]
The user needs to tap on Continue to perform the device registration.
The user will be asked to sign in. After successful authentication, the user gets the option to Register device.
Upon successful registration, the device gets enabled for passwordless sign-in.
Note in MySecurity Info as well, the icon for Microsoft Authenticator auth method gets changed from the 2FA to Passwordless.
Passwordless Phone sign-in – User Experience
Once the user has registered the Microsoft Authenticator app and set it up for passwordless phone sign-in, signing in to any of the M365 services shows a new option on the password screen (after the UPN has been entered): Use an app instead.
When the user clicks on the app sign-in option, it triggers a push to the Authenticator App on the device registered and enabled for Passwordless.
On the registered device, the user needs to select the number that is displayed on the sign-in page in the Authenticator app to approve the sign-in request.
As the user selects the correct number from the options, the sign-in request gets approved and the user completes the authentication successfully.
From now on, any sign-in will automatically trigger a push to the Authenticator app for the user to approve, without requiring the user to enter a password. If for any reason the passwordless auth method cannot be used, the user gets the option to switch back to using a password instead.
How the sign-in works is already documented here.
Wrap Up
Initially, it might seem daunting to configure passwordless sign-in. But once you understand where all the configuration 'bits' are, it's quite easy to manage. Passwordless sign-in also provides a better user experience and more security than traditional password-based authentication, including password plus 2FA.