Passwordless Authentication with Microsoft Authenticator


Many people have already discovered the Microsoft Authenticator app and are using it to approve or deny multi-factor authentication requests. However, the Microsoft Authenticator app can also be used for Passwordless Authentication, which increases security and gives end-users a better sign-in experience. Passwordless Authentication with the Microsoft Authenticator app is just one way of reducing our dependency on passwords. Read my blog post on Getting Started with Passwordless Authentication for an introduction to passwordless methods and why all organizations should have this on their roadmap for the future.


Requirements

  • Azure AD Multi-Factor Authentication enabled and configured.
  • Push Notifications must be enabled as a verification method.
  • Combined Registration Experience must be enabled.
  • Latest version of Microsoft Authenticator app.
  • iOS or Android device registered in Azure AD.

Enable Combined Security Information Registration

The first step is to make sure that Combined Security Information Registration is enabled in the tenant. With this feature enabled, users do not have to register their security information multiple times for multiple services. For example, the security information that a user provides for Multi-Factor Authentication (MFA) can automatically be used for Self-Service Password Reset (SSPR). It is also a prerequisite for registering the passwordless phone sign-in method from the Authenticator app.

  1. From the Azure AD blade select User Settings.
  2. At the bottom select Manage User Feature Settings.
  3. Make sure that "Users can use the combined security information registration experience" is set to All, as in the picture below.
Combined Security Information Registration in Azure AD

Now that the Combined Security Information Registration feature is enabled we can enable Microsoft Authenticator as an Authentication Method in Azure AD.

Enable Microsoft Authenticator Authentication Method

In order to use the Microsoft Authenticator passwordless option the authentication method must be enabled in Azure AD. Note that this authentication method does not prevent the use of the authenticator app regardless if the

  1. From the Azure AD blade select Security.
  2. Next select Authentication Methods.
  3. Select Microsoft Authenticator and click Enable.
  4. Save the settings.
Authentication Methods in Azure AD to support Passwordless Authentication with Microsoft Authenticator
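The portal steps above only show the switch for the method itself. Whether a given user can actually use passwordless phone sign-in also depends on the policy's include and exclude targets and on each target's authentication mode, which are visible in the same object through Microsoft Graph. The following script is an added example, not code from the original post: it evaluates an offline copy of the object that Graph returns from GET /v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator, so it runs without a tenant. The SAMPLE_POLICY, the group ids in it and the function names are constructed for the example.

```python
"""Evaluate the Microsoft Authenticator authentication method policy for passwordless sign-in.

Added example (not from the original post). It works on an offline copy of the
object that Microsoft Graph returns from
  GET /v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
SAMPLE_POLICY and the group ids in it are constructed.
"""
from typing import Iterable

# Per-target authenticationMode values in the policy:
#   "push"            - MFA push approvals only, no passwordless sign-in
#   "deviceBasedPush" - passwordless phone sign-in only
#   "any"             - both
PASSWORDLESS_MODES = {"any", "deviceBasedPush"}
ALL_USERS = "all_users"  # sentinel id Graph uses for an "All users" target

# Constructed sample: everyone gets MFA push, only the pilot group gets
# passwordless, and one group is excluded from the method altogether.
PILOT_GROUP = "11111111-1111-1111-1111-111111111111"     # constructed id
EXCLUDED_GROUP = "22222222-2222-2222-2222-222222222222"  # constructed id

SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [
        {"targetType": "group", "id": ALL_USERS, "isRegistrationRequired": False,
         "authenticationMode": "push"},
        {"targetType": "group", "id": PILOT_GROUP, "isRegistrationRequired": False,
         "authenticationMode": "any"},
    ],
    "excludeTargets": [
        {"targetType": "group", "id": EXCLUDED_GROUP},
    ],
}


def _matches(target: dict, groups: set) -> bool:
    """A target applies to a user if it is the All-users sentinel or one of the user's groups."""
    return target["id"] == ALL_USERS or target["id"] in groups


def effective_modes(policy: dict, user_groups: Iterable[str]) -> set:
    """Return the authenticationMode values that apply to a member of user_groups.

    An empty set means the method is unavailable to that user: the policy is
    disabled, the user is excluded, or no include target covers them.
    """
    if policy.get("state") != "enabled":
        return set()
    groups = set(user_groups)
    if any(_matches(t, groups) for t in policy.get("excludeTargets", [])):
        return set()  # an exclude target wins over every include target
    return {t["authenticationMode"] for t in policy.get("includeTargets", [])
            if _matches(t, groups)}


def passwordless_allowed(policy: dict, user_groups: Iterable[str]) -> bool:
    """True if at least one applicable include target grants a passwordless-capable mode."""
    return bool(effective_modes(policy, user_groups) & PASSWORDLESS_MODES)


if __name__ == "__main__":
    cases = [
        ("regular user", []),
        ("pilot member", [PILOT_GROUP]),
        ("pilot member who is also excluded", [PILOT_GROUP, EXCLUDED_GROUP]),
    ]
    for label, groups in cases:
        print(f"{label}: modes={sorted(effective_modes(SAMPLE_POLICY, groups))} "
              f"passwordless={passwordless_allowed(SAMPLE_POLICY, groups)}")
```

The point to take from the sample is the difference between the modes: a tenant where the All users target is set to "push" has Microsoft Authenticator enabled, yet nobody outside the pilot group will be offered phone sign-in, and an exclude target silently removes the method even for pilot members.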

Install Microsoft Authenticator

If you have already set up Microsoft Authenticator and are already approving notifications for Multi-Factor Authentication, proceed directly to the Device Registration step.

  1. Open the Security Info page on the user's profile.
  2. Click Add Method.
  3. Select Authenticator App from the dropdown list.
  4. Download Microsoft Authenticator from the App Store or Google Play.
  5. Open the Microsoft Authenticator app and tap the + sign to add a new account.
  6. Select Work or School account.
  7. Scan the QR code provided to add the account automatically.
  8. Microsoft sends a test notification to the Microsoft Authenticator app; approve the request.
  9. Microsoft Authenticator has now been added.

Device Registration

In order for Microsoft Authenticator to be used as a passwordless option, the mobile device needs to be registered in Azure AD. Device Registration is not the same as mobile device management (MDM) and gives the organization no control or management capabilities over the mobile device. Device Registration simply associates a device with a specific user. Because a device can only be registered to a single tenant, only one account per device can be used for Passwordless Authentication with the Microsoft Authenticator app.

  1. Open Settings in the Microsoft Authenticator app.
  2. Select Device Registration.
  3. Enter your email address and tap Register Device.
  4. Return to the main menu and select the account added previously.
  5. Select Enable Phone Sign-in.
Enable Passwordless Authentication with Microsoft Authenticator
  6. If the mobile device has been correctly registered to the organization and a passcode/Touch ID/Face ID is set, both checkmarks should appear. If any step is missing, the Authenticator app will attempt to resolve it before completing the registration.
Passwordless Authentication with Microsoft Authenticator requires Device Registration and a Passcode.

Our mobile device has now been configured for Passwordless Authentication through the Microsoft Authenticator App. We can now do a test to verify that everything works as expected.
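Once several users have gone through this, an administrator wants to know who has actually completed the last step rather than only the MFA push setup. The user registration details report in Microsoft Graph (GET /v1.0/reports/authenticationMethods/userRegistrationDetails) lists each user's registered methods, and the Authenticator shows up there as two distinct methods: microsoftAuthenticatorPush after the app is added, and microsoftAuthenticatorPasswordless only after Device Registration and phone sign-in are done. The script below is an added example, not code from the original post. It works on a constructed offline copy of that report; the user names, domain and function names are assumptions made for the example.

```python
"""Triage who in the tenant has finished the passwordless Authenticator setup.

Added example (not from the original post). It consumes an offline copy of the
records that Microsoft Graph returns from
  GET /v1.0/reports/authenticationMethods/userRegistrationDetails
The SAMPLE_REPORT entries (users, domain and registered methods) are constructed.
"""

# Method names as they appear in methodsRegistered. A user who has only
# registered microsoftAuthenticatorPush approves MFA prompts but has not turned
# on phone sign-in; microsoftAuthenticatorPasswordless appears once the device
# is registered and phone sign-in is enabled in the app.
AUTHENTICATOR_PUSH = "microsoftAuthenticatorPush"
AUTHENTICATOR_PASSWORDLESS = "microsoftAuthenticatorPasswordless"

READY = "passwordless_ready"            # nothing left to do
ENABLE_SIGN_IN = "enable_phone_sign_in"  # app added, Device Registration / phone sign-in missing
INSTALL_APP = "install_authenticator"   # Authenticator not registered at all

SAMPLE_REPORT = [  # constructed sample records in the shape of the Graph report
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True, "isMfaRegistered": True,
     "isPasswordlessCapable": True,
     "methodsRegistered": [AUTHENTICATOR_PUSH, AUTHENTICATOR_PASSWORDLESS]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False, "isMfaRegistered": True,
     "isPasswordlessCapable": False, "methodsRegistered": [AUTHENTICATOR_PUSH]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False, "isMfaRegistered": True,
     "isPasswordlessCapable": False, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False, "isMfaRegistered": False,
     "isPasswordlessCapable": False, "methodsRegistered": []},
]


def classify(record: dict) -> str:
    """Map one userRegistrationDetails record to the next step for that user."""
    methods = set(record.get("methodsRegistered", []))
    if AUTHENTICATOR_PASSWORDLESS in methods:
        return READY
    if AUTHENTICATOR_PUSH in methods:
        return ENABLE_SIGN_IN
    return INSTALL_APP


def triage(report) -> dict:
    """Group user principal names by the step they still have to complete."""
    buckets = {READY: [], ENABLE_SIGN_IN: [], INSTALL_APP: []}
    for record in report:
        buckets[classify(record)].append(record["userPrincipalName"])
    return buckets


def flagged_but_not_registered(report) -> list:
    """UPNs marked isPasswordlessCapable without an Authenticator passwordless method.

    The flag also covers FIDO2 keys and Windows Hello for Business, so these
    users may be fine; the list just separates them from Authenticator users.
    """
    return [r["userPrincipalName"] for r in report
            if r.get("isPasswordlessCapable", False)
            and AUTHENTICATOR_PASSWORDLESS not in r.get("methodsRegistered", [])]


if __name__ == "__main__":
    for step, users in triage(SAMPLE_REPORT).items():
        print(f"{step}: {', '.join(users) or '-'}")
    print("passwordless via another method:", flagged_but_not_registered(SAMPLE_REPORT))
```

In a live tenant the same two functions run over the paged report, and the enable_phone_sign_in bucket is the list of people to send the Device Registration instructions above.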

Sign-in Using Passwordless Authentication

  1. Open a new Incognito/InPrivate window in your PC browser.
  2. Browse to any Microsoft 365 service such as https://portal.office.com.
  3. Enter your username (email address).
  4. If required, select Use an app instead.
  5. In the Microsoft Authenticator app, tap the number that matches the one displayed on the screen.
  6. You are now signed in.
Passwordless Authentication with Microsoft Authenticator end-user example.
