Multifactor Authentication (MFA) can be used to make login more secure. In addition to MFA, passwordless sign-in has become increasingly popular lately. With passwordless sign-in, a password is not required when logging in to, for example, the Microsoft Online services. Passwordless sign-in replaces the password with notifications that are received and approved on a mobile phone, or with FIDO2 keys. It is therefore not necessary to remember passwords, and passwordless sign-in makes logging in very easy and, above all, more secure.
Recently, the Microsoft authenticator app has been expanded with the passwordless sign-in functionality. This means that during the process of logging in, a push notification appears on the phone showing several numbers. The user must then select the correct number displayed on the phone which corresponds to the number presented on the login screen.
In this blog I describe the configuration of passwordless sign-in via the Microsoft Authenticator app in Azure AD and the associated user experience.
In the past it was only possible to activate passwordless sign-in via PowerShell. However, from the beginning of August 2019 it is also possible to do this via the Azure portal. Both options are described in this blog post.
Note: At the time of writing, passwordless sign-in for Azure AD is still a preview functionality, which means that the functionality is available for test purposes and proof-of-concept scenarios.
Prerequisites
Prior to starting the passwordless sign-in via the Microsoft Authenticator app in Azure AD, the following steps should be taken:
- Install the latest version of the Microsoft Authenticator app on a phone. At the time of writing, this is version 6.3.13. An iOS device must be running at least iOS 8.0, and an Android device must be running at least Android 6.0.
- The Microsoft Authenticator push notifications must be enabled.
- The phone must be registered in Azure Active Directory (Azure AD).
- The user must have the correct license, such as Enterprise Mobility + Security E3.
Method 1:
Activate passwordless sign-in via PowerShell
The steps to activate passwordless sign-in via PowerShell include the following:
- Start PowerShell as an administrator.
- Install the AzureADPreview module: “Install-Module -Name AzureADPreview”
- Connect to Azure AD and log in with a global admin account: “Connect-AzureAD”
- After authentication run “New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn” as shown in figure 1.
Figure 1. Output of enabling passwordless sign-in via PowerShell.
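The following PowerShell script is an added example, not part of the original post: it performs Method 1 in an idempotent way, checking whether an AuthenticatorAppSignInPolicy already exists before creating one, enabling it via Set-AzureADPolicy if it exists but is disabled, and printing the effective definition so an administrator can verify the result. It assumes the AzureADPreview module is installed and that the account used is a Global Administrator; the function name Get-AuthenticatorSignInPolicy is my own.

```powershell
# Added example (not from the original post): idempotent version of Method 1.
# Assumes AzureADPreview is installed and Connect-AzureAD is run as a Global Administrator.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$policyType = 'AuthenticatorAppSignInPolicy'
$definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

function Get-AuthenticatorSignInPolicy {
    # Helper name is mine: returns the existing policy of this type, or nothing.
    Get-AzureADPolicy | Where-Object { $_.Type -eq $policyType }
}

$existing = Get-AuthenticatorSignInPolicy
if ($null -eq $existing) {
    # Same command as figure 1; creating it a second time would produce a duplicate.
    $existing = New-AzureADPolicy -Type $policyType -Definition $definition `
        -IsOrganizationDefault $true -DisplayName 'AuthenticatorAppSignIn'
    Write-Host "Created policy $($existing.Id)"
} else {
    # Policy already exists: update it in place rather than creating another one.
    $current = $existing.Definition | ConvertFrom-Json
    if (-not $current.AuthenticatorAppSignInPolicy.Enabled) {
        Set-AzureADPolicy -Id $existing.Id -Definition $definition
        Write-Host "Updated policy $($existing.Id) to Enabled=true"
    } else {
        Write-Host "Policy $($existing.Id) is already enabled"
    }
}

# Verification: show the effective policy so the change can be reviewed and documented.
Get-AuthenticatorSignInPolicy |
    Select-Object DisplayName, Type, IsOrganizationDefault, Definition
```

Running the verification part on its own is also a quick way to confirm, after Method 2, that the portal change resulted in the same tenant-level policy.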
Method 2:
Activate passwordless sign-in via the Azure Portal
The steps to activate passwordless sign-in via the Azure Portal include the following:
- Sign in to the Azure portal -> https://portal.azure.com
- Go to Azure Active Directory -> Authentication methods (figure 2).
Figure 2. Authentication methods in Azure AD.
- Click on -> Authentication method policy (Preview)
- Select Microsoft Authenticator passwordless sign-in.
- Select Enable -> Yes
- Target -> All users or Select Users.
- Hit Save to save the policy (figure 3).
Figure 3. Configuring passwordless sign-in in Azure AD.
Passwordless sign-in is now successfully configured and active. Next, the Microsoft Authenticator app should be configured.
Configure the Microsoft Authenticator app
The steps to configure the Microsoft Authenticator app include the following:
- Open the Authenticator app on the phone; in this case this is an iPhone.
- Select the account relevant for activating passwordless sign-in and click on the arrow on the right, please see figure 4.
Figure 4. Activating passwordless sign-in via the Authenticator app.
- Click on “Enable phone sign-in”.
- If the prerequisites are followed, the phone is already registered in Azure AD. Click on “Continue” (figure 5).
Figure 5. Configuring the Authenticator app for passwordless sign-in.
- Select “Approve”. The phone is now ready to use passwordless sign-in (figure 6).
Figure 6. Notification to finalize the configuration of passwordless sign-in in the Authenticator app.
Passwordless sign-in User Experience
The steps below demonstrate the end-user experience when logging into Microsoft Online using passwordless sign-in.
- Start an internet browser and go to: https://portal.office.com (figure 7).
Figure 7. Login screen for portal.office.com.
- Type in the user account name and click on “Next”.
- Instead of asking to enter a password, a code will appear (figure 8).
Figure 8. Notification for authentication when using passwordless sign-in.
- At this time, the Authenticator app will also give a notification with the same code, please see figure 9. When the correct code is selected, the authentication process will be continued, and the user is logged in.
Figure 9. Notification in the Authenticator app, when using passwordless sign-in.
That’s all! Now the passwordless sign-in can be used in combination with the Microsoft Authenticator app. In my next blog I will describe the configuration and use of FIDO2 Keys. -> Passwordless Sign-In Azure AD with FIDO2