Microsoft Authenticator Passwordless Authentication

Microsoft is consistently adding new features to Microsoft Authenticator, and they have been very well received by organizations that use Microsoft's cloud services. One of the newer features is called 'Passwordless'.

A lot of my pharmaceutical and financial customers love this feature as it improves their security posture. This blog will provide a high-level guide on how to enable 'Passwordless'.

1:The following technical steps describe how to set up passwordless authentication. To successfully roll out passwordless in any organization, I would recommend running a pilot with the IT department and some additional departments. When the pilot phase has successfully concluded, and all feedback from the pilot users has been addressed and remediated, the next step is a production roll out.

2:When logged into Azure Active Directory, browse to User settings \ User features \ Manage external collaboration settings. This feature may already be enabled automatically if it is a new M365 tenant.

3:Select All under 'Users can use the combined security information registration experience'.

4:It is also possible to use Microsoft Graph to manage users' authentication methods and enforce global policies for large organizations, which reduces help desk calls and can accelerate the roll out of this new authentication method.

5:Users must register the Microsoft Authenticator app as an authentication method before they can use passwordless sign-in. If users have already registered Microsoft Authenticator for use with multifactor authentication, they won't need to re-register the app for use with passwordless sign-in.

I always provide easy-to-follow user guides with screenshots for my customers, and for my customers' IT department or communications department to send to their users well in advance of going live with the new passwordless authentication method.

6:A really important step is to enforce the MFA registration policy, which is a component of Azure Identity Protection. The MFA registration policy is a feature of Azure Active Directory Premium Plan 2 (Identity Protection).

Not all customers can afford the additional cost of Azure Active Directory Plan 2, M365 E5 or M365 A5. An alternative to Azure Active Directory Plan 2 is Azure Active Directory Plan 1, which can be configured with conditional access policies that require users who have not yet registered their security information to do so at sign-in once the new conditional access policies have been applied.

7:In the Azure Portal select Authentication methods in the Security section of Azure Active Directory.

8:Click Microsoft Authenticator in the list of methods.

9:Select a security group that contains your pilot users. When the pilot has successfully concluded, the passwordless configuration can be applied to 'All users'.

10:For a single user: Select the …

11:Then click config
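Steps 4 and 7 to 9 above are the places where an admin would normally want to verify, rather than eyeball, that the Microsoft Authenticator policy really targets the pilot group in a passwordless-capable mode and that the pilot users have actually registered the app. The script below is an added, read-only example written for this post using the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the listed read scopes, and that $PilotGroupId (a placeholder here) is replaced with the object id of your own pilot security group.

```powershell
# Added example, not from the original post: audit the Microsoft Authenticator
# authentication-method policy and pilot-user registration via Microsoft Graph.
# Read-only: nothing in this script changes tenant configuration.

# Placeholder: replace with the object id of your pilot security group.
$PilotGroupId = '00000000-0000-0000-0000-000000000000'

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Is the Microsoft Authenticator method enabled, and for which targets?
#    authenticationMode 'any' or 'deviceBasedPush' permits passwordless phone
#    sign-in; 'push' only allows MFA approval, not passwordless.
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri

Write-Host "Microsoft Authenticator method state: $($policy.state)"
foreach ($target in $policy.includeTargets) {
    $passwordless = $target.authenticationMode -in @('any', 'deviceBasedPush')
    Write-Host ("  target {0} ({1}): mode={2} passwordless={3}" -f `
        $target.id, $target.targetType, $target.authenticationMode, $passwordless)
    if ($target.id -eq $PilotGroupId -and -not $passwordless) {
        Write-Warning "Pilot group is targeted but not in a passwordless-capable mode."
    }
}

# 2. Which pilot users have not yet registered the Microsoft Authenticator app?
#    The OData cast to microsoft.graph.user skips nested groups and devices.
$membersUri = "https://graph.microsoft.com/v1.0/groups/$PilotGroupId/members/microsoft.graph.user?`$select=id,userPrincipalName"
$members = (Invoke-MgGraphRequest -Method GET -Uri $membersUri).value

$notRegistered = foreach ($user in $members) {
    $methodsUri = "https://graph.microsoft.com/v1.0/users/$($user.id)/authentication/microsoftAuthenticatorMethods"
    $methods = (Invoke-MgGraphRequest -Method GET -Uri $methodsUri).value
    if (-not $methods -or $methods.Count -eq 0) { $user.userPrincipalName }
}

if ($notRegistered) {
    Write-Host "Pilot users still to register Microsoft Authenticator:"
    $notRegistered | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All pilot users have registered Microsoft Authenticator."
}
```

Run it before the pilot goes live and again before widening the policy to 'All users'. The group-members call returns one page of up to 100 members, which is fine for a pilot group; for a larger group, follow the `@odata.nextLink` the response returns. Users listed as not registered are the ones to chase with the user guide before they are caught by the MFA registration or conditional access policy described in step 6.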

12:End users and pilot users can browse to https://mysignins.microsoft.com/security-info. If the ICT admins of the M365 tenant have not already set up Microsoft Authenticator as the default sign-in method, the end user can select Microsoft Authenticator as the default authentication method there.

13:Select Passwordless

14:The next step is to sign in to https://aka.ms/mfasetup

15:Set up Microsoft Authenticator

16:Continue setup

17:Within the Microsoft Authenticator application, select 'Add a work or school account' and choose the option to 'Scan the QR code'.

18:The next step is to click continue, as per the image below.

19:So how does passwordless work? When an end user wants to authenticate, a six-digit code is sent to the Microsoft Authenticator application; the end user must enter the six-digit code and then authenticate via a biometric thumbprint or pattern.

20:The end user may receive the error displayed below if they have multiple organizations set up with MFA in their Microsoft Authenticator application. Like myself working in IT, I have many customers registered in my Microsoft Authenticator application.

21:Didier Van Hoye describes the issue perfectly in his blog post.

22:In a greenfield site, passwordless is very well received as a new method of authentication and of protecting an organization's identities. It takes end users a little time to become familiar with passwordless authentication, but once they are familiar with it they find it a lot easier than traditional passwords, and it improves an organization's security posture.
