Password less Sign in to Azure with Authenticator App

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder. As part of cyber attacks, the very first attempt by any attacker is to get into user account by penetrating user credentials. To stay ahead of ongoing cyber security challenges, Microsoft is ending the era of password. This year at Ignite Conference, Microsoft announced password less login to Azure AD.

Password-less Phone sign in with Microsoft Authenticator app can be used to sign in to any Azure AD account without using a password just like the way we sign in to Windows Hello for Business.

Microsoft Authenticator app leverage key based authentication to enable a user credential that is associated to a device and uses biometric or PIN.

To leverage password less sign in to Azure with authenticator app, the device where you create this new, strong credentials must be registered within the Azure AD tenant to an individual user. Due to device registration restrictions, a device can only be registered in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.

Setting up Password Less Sign in to Azure with Authenticator App

To setup password less Sign-in to Azure with Authenticator app, perform the following steps for your tenant.

  • Install latest version of AzureAD Preview module by running the following PowerShell cmdlet.

Install-Module -Name AzureADPreview

Password less Sign in to Azure with Authenticator App

  • Connect Azure AD using “Security Administrator” or “Global Administrator” account.

Connect-AzureAD

Password less Sign in to Azure with Authenticator App

  • Run the following cmdlet to configure password-less sign in to Azure using Authenticator App.

New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition ‘{“AuthenticatorAppSignInPolicy”:{“Enabled”:true}}’ -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

Password less Sign in to Azure with Authenticator App

There is no way to enforce users to create or use this new credential. An end user will only encounter password-less sign-in once an admin has enabled their tenant and the user has updated their Microsoft Authenticator app to enable phone sign-in.

End User Experience

Once the users are setup with password less sign in, when they go to portal.office.com and after typing username, they will see a page with a two-digit number, asking them to approve the sign-in through the Microsoft Authenticator app. If they don’t want to use this sign in method, they can select Use your password instead, and sign in using their password.

Password less Sign in to Azure with Authenticator App

One thing to notice is that the user needs to have either biometric or passcode setup on their device to have password less login to work.


Also published on Medium.

Leave a Reply

Your email address will not be published. Required fields are marked *