Skip to content

Passwordless Authentication

Published by Andreas Rogge on 12. September 2021

Last updated on 9. October 2022

General

Often, I see Microsoft 365 Tenant configurations I miss the passwordless sign-in option. This option is according to Microsoft the best option for security and usability. If you want to get to the Microsoft documentation see this link: Authentication methods and features – Azure Active Directory | Microsoft Docs

Microsoft ranging authentication methods

As you can see in the picture above the method with Windows Hello, Authenticator (not Push) and a FIDO2 security key are the best methods. In the tutorial we want to get into the configuration of the Authenticator and FIDO2 passwordless authentication.

Prerequisites

There are some important prerequisites that must be met so that users can enable and use passwordless:

First, I check with one of my test accounts which sign-in methods I have available. So, I navigate to My Sign-Ins (microsoft.com) and click on “Add method”. I can see that I can choose Authenticator app and Phone.

With my administrative account I log into the Azure Active Directory:

Then I will navigate to the Security part of AAD:

I will choose “Authentication methods”:

Now I have an overview of all possible methods and the activation state:

Microsoft Authenticator

Like I said to the beginning we want to configure FIDO2 Security Key and the Authenticator. Let us start with the last and choose “Microsoft Authenticator”. In the configuration page we enable this setting. If you want to activate this feature only for specific users or groups, you can choose this at the bottom. You are also able to force passwordless or push authentication if you press on the three buttons on the top right where you choose the Users/Groups. Do not forget to save your configuration!

FIDO2 security key

For my test I have a YubiKey 5 NFC that I want to register with my test account. So, I go to the correct settings page. On the Basics settings page I just enable this feature and on the Configure site I let the default settings. With these, users can configure the security keys themself.

User configuration

So, with both settings enabled I switch back to my test user and see what I can configure for now. At first, I want to configure my security key and follow the configuration pop-ups like you can see in the pictures.

Unfortunately, I have no mobile phone at hand to register with my test user so I cannot document this for now. As soon as I can evaluate it, I will put an update here.

If you have any questions feel free to leave a comment below.

Published inAADM365Security

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *