Since we already use Azure Multi-Factor Authentication (MFA) for our Office 365 tenant and are familiar with Microsoft’s Authenticator app, going one step further and trying out Azure’s preview feature for passwordless sign-in wasn’t a big leap.
You need to fulfill the following general prerequisites to get started:
- Azure Multi-Factor Authentication with push notifications allowed as a verification method.
- The latest version of Microsoft Authenticator installed on iOS 8 or greater, or on Android 6 or greater.
As stated, we already use Azure MFA, and in most cases we also use Microsoft’s app.
So far, we didn’t have to do anything to get started. But since the passwordless sign-in using Microsoft’s app is only in preview, and depends on another feature, we needed to enable those first.
Enabling combined security registration
First, we take care of the feature called combined security information registration for Azure Multi-Factor Authentication and Azure Active Directory (Azure AD) self-service password reset. In tenants that are older than about half a year, users had to register their security information (cell phone number, authenticator app, etc.) separately for MFA and for self-service password reset. The new feature combines these registrations in a single place. This is how to enable it:
- In the Azure Portal, go to Azure Active Directory -> User settings -> Manage settings for access panel preview features.
- Enable the setting Users can use the combined security information registration experience for a selected group of users, or for all users.
Enabling passwordless sign-in as the administrator
In the Azure portal:
- Go to Azure Active Directory -> Security -> Authentication methods -> Authentication method policy (preview).
- Enable the setting Passwordless phone sign-in for all users or select users.
- Don’t forget to save.
Enabling passwordless sign-in as the end user
If you don’t already use the authenticator app:
- Browse to https://aka.ms/mysecurityinfo
- Sign in, add the authenticator app by clicking Add method, choosing Authenticator app, and clicking Add.
- Follow the on-screen instructions.
- Click Done to complete the setup.
If you already have the app, only the following steps are necessary:
- In Microsoft Authenticator, choose Enable phone sign-in from the drop-down menu of your account.
- Follow the in-app instructions.
After finishing the setup, the login experience will look like this when you try to log in:
Passwordless sign-in with Azure and the Microsoft Authenticator app is still in preview. We have had it enabled in our tenant for several months now, but it still hasn’t been implemented in all areas across Microsoft’s multiple online services. It still happens a lot that you have to enter your password somewhere to access a service. But when all you need to do is push the right button in the Authenticator app, without entering a password, it’s a very convenient and quick way to sign in. We hope that this feature will be released officially soon and will work for all services across all devices.