How to activate the new options for Passwordless authentication

The best password is the one that is not needed. Statistics show that the more often you have to change a password, the more insecure it becomes: users write it down or simply increment it. So how about a method that is secure but does not need a password at all? In this blog I want to show you how easy it is to enable passwordless authentication for your organization.

What is passwordless authentication

Passwordless authentication is a method where a user does not have to enter a password to sign in to Windows or other Microsoft services. Azure AD supports the following methods for passwordless authentication:

  • WHfB (Windows Hello for Business)
  • FIDO2 security keys
  • Microsoft Authenticator app

The easiest option is WHfB, but it only works if the user signed in to Windows is also the one accessing the services. Administrators usually have a separate privileged account that they do not use to sign in to Windows, but only to access Intune or other services.

The picture shows that passwordless sign-in combines good convenience with high security.

In this blog I will show you how to allow passwordless authentication with the help of the Authenticator app.

How does it work

  1. The user is asked to authenticate and enters their username.
  2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
  3. Via the push notification service, APNS (iOS) or FCM (Android), a notification is sent to the user's device.
  4. The user receives the notification and opens the Authenticator app.
  5. The app calls Azure AD and receives a proof-of-presence challenge and a nonce.
  6. The user unlocks the private key by authenticating with a PIN or biometrics.
  7. The nonce is signed with the private key and sent to Azure AD.
  8. Azure AD validates the signature against the registered public key and returns the token.

New Microsoft Managed options

If a feature's status is set to “Microsoft-managed”, Microsoft will activate it at an appropriate time after the preview period. In other words, Microsoft manages every feature that an administrator has not explicitly disabled.

  • Require number matching for push notifications
    • A number is displayed on the sign-in page that you must then enter in the app
  • Show application name in push and passwordless notifications
    • You see the name of the requesting app; in my case OfficeHome for office.com
  • Show geographic location in push and passwordless notifications
    • You see a map of where the authentication request comes from

How to activate passwordless authentication

  • Navigate to Authentication methods > Policies
  • Select Microsoft Authenticator
  • Enable the option
  • Select Passwordless as the authentication mode
  • Click Configure
  • Here you find the new options described above
  • Click Save

How to activate passwordless authentication for the user

  • Download the Authenticator app on your smartphone
  • Click Next
  • Click Next
  • Scan the code with the app
  • Click Next
  • Select “Activate Login per Phone”
  • Follow the steps

What does the authentication flow look like

  • The user opens a page like office.com
  • The user enters their email address / UPN
  • The user is shown a number which they have to enter in the Authenticator app
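The challenge/response described under “How does it work”, together with the number-matching step above, as an added example that is not part of the original post and not Microsoft's code. It is a toy model written in Go with the standard library: the identity provider (IdP) stores only the public key registered at enrollment, hands out a single-use nonce bound to the user together with the number shown on the sign-in page, and issues a token only if the nonce comes back signed by the matching private key, has not been used before, and the typed number is right. The IdP and Device types, the sample UPN, the P-256 key and the two-digit number are assumptions for the example; the page does not show Azure AD's real wire format and none is reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// pending is one outstanding challenge (step 5): a single-use nonce bound to one user, plus the number shown on the sign-in page.
type pending struct {
	upn    string
	number int
}

// IdP is a toy stand-in for Azure AD; it stores public keys only, never private ones.
type IdP struct {
	keys   map[string]*ecdsa.PublicKey // strong credential registered per UPN
	nonces map[string]pending          // outstanding challenges
}

func NewIdP() *IdP {
	return &IdP{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]pending{}}
}

// Register models enrollment: after the QR code is scanned the phone's public key is bound to the user.
func (s *IdP) Register(upn string, pub *ecdsa.PublicKey) { s.keys[upn] = pub }

// Challenge covers steps 2 and 5: only a user with a strong credential gets a nonce, paired with the number to type into the app.
func (s *IdP) Challenge(upn string) (nonce string, shown int, err error) {
	if _, ok := s.keys[upn]; !ok {
		return "", 0, errors.New("no strong credential registered; fall back to the password flow")
	}
	nb, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 256)) // 256-bit random nonce
	if err != nil {
		return "", 0, err
	}
	num, err := rand.Int(rand.Reader, big.NewInt(100)) // number-matching digits, 0-99
	if err != nil {
		return "", 0, err
	}
	nonce, shown = nb.Text(16), int(num.Int64())
	s.nonces[nonce] = pending{upn: upn, number: shown}
	return nonce, shown, nil
}

// Verify is step 8: nonce outstanding for this user, typed number matches, signature verifies under the
// registered public key. The nonce is consumed on every attempt, so a captured signature cannot be replayed.
func (s *IdP) Verify(upn, nonce string, typed int, sig []byte) (bool, error) {
	p, ok := s.nonces[nonce]
	delete(s.nonces, nonce)
	if !ok || p.upn != upn {
		return false, errors.New("unknown, already used or foreign nonce")
	}
	if p.number != typed {
		return false, errors.New("number matching failed")
	}
	digest := sha256.Sum256([]byte(nonce))
	if !ecdsa.VerifyASN1(s.keys[upn], digest[:], sig) {
		return false, errors.New("signature does not verify under the registered key")
	}
	return true, nil
}

// Device models the phone: the private key never leaves it.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign is steps 6 and 7: the key is usable only once the PIN or biometric unlock succeeded; then the nonce is signed.
func (d *Device) Sign(nonce string, unlocked bool) ([]byte, error) {
	if !unlocked {
		return nil, errors.New("key locked: PIN/biometric check not completed")
	}
	digest := sha256.Sum256([]byte(nonce))
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

func main() {
	s := NewIdP()
	d, _ := NewDevice()
	upn := "alice@contoso.example" // constructed sample UPN
	s.Register(upn, d.PublicKey())
	nonce, shown, _ := s.Challenge(upn)
	sig, _ := d.Sign(nonce, true)
	fmt.Println(s.Verify(upn, nonce, shown, sig)) // true <nil>
	fmt.Println(s.Verify(upn, nonce, shown, sig)) // false: nonce already consumed (replay)
}
```

Running it prints true for the genuine sign-in and false for the immediate replay of the same signed nonce. Two details matter for a defender: the nonce is deleted before any other check runs, so a captured signature is worthless afterwards, and a user who approves a prompt without reading the number on the sign-in page fails number matching, which is exactly the case the number-matching option is meant to stop.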

Get the configuration via MS Graph
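The three feature settings from the “New Microsoft Managed options” section can be read back from the tenant with the Graph API, which is what this heading refers to. The following Go program is an added example and not the author's or Microsoft's code: it fetches the Microsoft Authenticator method configuration from the beta endpoint (the number-matching setting was only exposed there during the preview) and reports every option still at “default”, i.e. Microsoft-managed, or explicitly disabled, so an administrator can see which settings Microsoft may still change on its own schedule. The endpoint, the property names and the permission names are taken from the Graph documentation for this resource and should be checked against the current reference; the GRAPH_TOKEN variable and the embedded sample response are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

// Beta endpoint of the Microsoft Authenticator method policy; during the preview the
// number-matching setting was only exposed under /beta. Endpoint and property names follow
// the Graph documentation for this resource; check them against the current reference.
const PolicyURL = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

type Feature struct { // field names equal the JSON keys; encoding/json matches them case-insensitively
	State         string // "default" (Microsoft-managed), "enabled" or "disabled"
	IncludeTarget struct{ TargetType, ID string }
}

type AuthenticatorConfig struct {
	ID, State       string // State says whether the Authenticator method itself is enabled
	FeatureSettings struct {
		NumberMatchingRequiredState             Feature
		DisplayAppInformationRequiredState      Feature
		DisplayLocationInformationRequiredState Feature
	}
}

type Finding struct{ Setting, State, Advice string } // one setting an administrator should look at

func Parse(body []byte) (*AuthenticatorConfig, error) {
	var c AuthenticatorConfig
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// Audit flags the method being off and every option left at "default" (Microsoft may flip it on
// its own schedule) or "disabled" (users lose the context that helps them reject a prompt they did not start).
func Audit(c *AuthenticatorConfig) []Finding {
	var out []Finding
	if c.State != "enabled" {
		out = append(out, Finding{"state", c.State, "Authenticator method is not enabled, so passwordless sign-in is unavailable"})
	}
	fs := c.FeatureSettings
	for _, ch := range []struct {
		name string
		f    Feature
	}{
		{"numberMatchingRequiredState", fs.NumberMatchingRequiredState},
		{"displayAppInformationRequiredState", fs.DisplayAppInformationRequiredState},
		{"displayLocationInformationRequiredState", fs.DisplayLocationInformationRequiredState},
	} {
		switch ch.f.State {
		case "default":
			out = append(out, Finding{ch.name, ch.f.State, "Microsoft-managed; set it explicitly so the tenant does not change on Microsoft's schedule"})
		case "disabled":
			out = append(out, Finding{ch.name, ch.f.State, "explicitly disabled; consider enabling it for all users"})
		}
	}
	return out
}

// Fetch reads the live policy; the bearer token needs Policy.Read.All (Policy.ReadWrite.AuthenticationMethod to change settings).
func Fetch(token string) (*AuthenticatorConfig, error) {
	req, _ := http.NewRequest(http.MethodGet, PolicyURL, nil) // constant, well-formed URL
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("graph returned %s: %s", resp.Status, body)
	}
	return Parse(body)
}

// SampleResponse is a constructed response in the documented shape, used when no token is given.
const SampleResponse = `{"id": "MicrosoftAuthenticator", "state": "enabled", "featureSettings": {
  "numberMatchingRequiredState":             {"state": "default",  "includeTarget": {"targetType": "group", "id": "all_users"}},
  "displayAppInformationRequiredState":      {"state": "enabled",  "includeTarget": {"targetType": "group", "id": "all_users"}},
  "displayLocationInformationRequiredState": {"state": "disabled", "includeTarget": {"targetType": "group", "id": "all_users"}}}}`

func main() {
	cfg, err := Parse([]byte(SampleResponse))
	if tok := os.Getenv("GRAPH_TOKEN"); tok != "" { // hypothetical variable holding a bearer token
		cfg, err = Fetch(tok)
	}
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(cfg) {
		fmt.Printf("%s = %q: %s\n", f.Setting, f.State, f.Advice)
	}
}
```

Without a token the program audits the embedded sample and reports number matching as Microsoft-managed and the location display as disabled; with GRAPH_TOKEN set to a token that carries Policy.Read.All it audits the tenant's real policy instead. The audit deliberately treats “default” as a finding: a setting Microsoft manages will change at a time Microsoft chooses, so an explicit enabled state is the only way to know what your users will see.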