Salaam, Namaste, Ola and Hello!
Happy New Year to everyone! This is the first blog post of hopefully many in 2021. I have a lot of topics that I will be covering both here and on my YouTube Channel (check it out if you prefer video content – https://youtube.com/iamitgeek ).
Today’s blog post is a bit of a walk-through around setting up Passwordless sign-in with Azure MFA, as it is something I recently needed to set up and had a few issues with when following the online Microsoft Docs ( https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone ). The main issue I had, and only realised once I got it working, was that there are some assumptions that the document makes which it does not really explain correctly in my opinion. In this post I will explain the process I went through, so hopefully it helps someone else who may have similar difficulties to what I originally had.
The first step was to create a security group in the Azure AD tenant and add the relevant users to whom I wanted the Passwordless sign-in to apply. Once this was completed, I needed to confirm that I had enabled the ‘combined registration experience’. I did this by going to the Azure AD tenant > User Settings > User Feature Preview and clicking on ‘Manage user feature preview settings’ (as seen below).
On the User Feature Previews screen I enabled ‘Users can use the combined security information registration experience’ and selected the security group I created earlier rather than enabling it for all users (as shown below).
Once this was configured, I moved on to enabling the relevant authentication method, which in my case was the Microsoft Authenticator method. To do this, I went back to my Azure AD Tenant > Security > Authentication Methods. On the Authentication Methods screen I selected ‘Policy’ and then the ‘Microsoft Authenticator (preview)’ option. I proceeded to enable this and targeted the security group I created earlier. Finally, I selected the ‘…’ next to the registration option to configure some additional items (as shown below).
Click on the … and then select ‘Configure’. This will allow you to set the ‘Authentication Mode’ where you will need to select ‘Passwordless’ (as shown below).
Once completed, click on ‘Done’, and then ensure you save the changes in the Authentication Methods screen. I then went ahead and checked a few settings to ensure my Multi-Factor Authentication setup was correct. I went back to the Azure AD tenant main page > Users and selected Multi-Factor Authentication in the top menu (as shown below).
The first item I checked was to ensure the users in question had MFA enabled and set to ‘Enforced’ or ‘Enabled’ (as seen below).
In my case it was ‘Test.User1@iamitgeek.com’ (I know, original, right?) who was part of the security group that I wanted the Passwordless configuration to apply to. I then wanted to ensure my MFA configuration had the correct verification option, ‘Notification through mobile app’, enabled within the ‘Service Settings’ (as shown below).
As you can see, I decided to only enable the mobile app notifications, as in my scenario I had no need for text or phone call verification, so I disabled them to reduce the attack surface. The next step was to open a web browser and log in to https://aka.ms/mysecurityinfo with my test.user1 credentials. Once logged in I went to ‘Security Info’ and added Microsoft Authenticator as a sign-in method (as shown below).
Once this was added I then followed the steps to log in with my test.user1 account for the first time. For this part you just need to follow the instructions you get on screen. Ensure you have the Microsoft Authenticator app installed on your smartphone before you get to this point!
Once MFA was registered there was one further step I followed to ensure this was set up correctly: in the Microsoft Authenticator app I enabled phone sign-in on the test.user1 account (as shown below).
First click on the account in the Authenticator app as shown above. Then click on ‘Enable phone sign-in’.
In the second image it shows ‘Disable’ in my example as I had already enabled it; however, you should see ‘Enable phone sign-in’. This will prompt you to log in with the relevant credentials, and you should now be ready for Passwordless authentication.
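If you want to double-check the tenant-side policy from the Authentication Methods step without clicking through the portal, the same configuration is exposed by Microsoft Graph (GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator). The Python below is an added example, not part of the original post or any Microsoft tooling: it takes that JSON and checks that the method is enabled, that the security group is targeted, and that the Authentication Mode is actually Passwordless rather than left at Push. The group id and both policy documents are constructed sample data.

```python
# Added example: validate a Microsoft Authenticator method configuration (the
# Graph JSON for /authenticationMethodConfigurations/MicrosoftAuthenticator)
# against the walkthrough's intent. Graph spells the portal's modes as
# Push = "push", Passwordless = "deviceBasedPush", Any = "any".
# All data below is constructed sample data, not from a real tenant.

PASSWORDLESS_MODES = {"deviceBasedPush", "any"}   # modes that allow phone sign-in
ALL_USERS = "all_users"                           # Graph's id for the "All users" target


def check_passwordless_policy(policy: dict, group_id: str) -> list:
    """Return a list of problems; an empty list means the group is correctly
    targeted for passwordless phone sign-in."""
    problems = []
    if policy.get("id") != "MicrosoftAuthenticator":
        problems.append("not the Microsoft Authenticator method configuration")
    if policy.get("state") != "enabled":
        problems.append(f"method state is {policy.get('state')!r}, expected 'enabled'")
    # The group is covered if listed directly or via the "All users" target.
    hits = [t for t in policy.get("includeTargets", []) if t.get("id") in (group_id, ALL_USERS)]
    if not hits:
        problems.append("group is not in includeTargets (and All users is not targeted)")
    elif not any(t.get("authenticationMode") in PASSWORDLESS_MODES for t in hits):
        modes = sorted({str(t.get("authenticationMode")) for t in hits})
        problems.append(f"authenticationMode is {modes}; Passwordless needs deviceBasedPush or any")
    # excludeTargets win over includeTargets, so an excluded group never gets the method.
    if any(t.get("id") == group_id for t in policy.get("excludeTargets", [])):
        problems.append("group is in excludeTargets, which overrides includeTargets")
    return problems


GROUP_ID = "00000000-0000-0000-0000-00000000abcd"  # constructed placeholder group id

# What the post ends up with: enabled, group targeted, mode Passwordless.
POLICY_OK = {
    "id": "MicrosoftAuthenticator", "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": GROUP_ID,
                        "isRegistrationRequired": False, "authenticationMode": "deviceBasedPush"}],
    "excludeTargets": [],
}
# Common slip: the '...' > Configure step was skipped, so the mode is still Push
# and users keep getting a password prompt even though the method is enabled.
POLICY_PUSH_ONLY = {
    "id": "MicrosoftAuthenticator", "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": GROUP_ID,
                        "isRegistrationRequired": False, "authenticationMode": "push"}],
    "excludeTargets": [],
}

if __name__ == "__main__":
    for name, pol in (("ok", POLICY_OK), ("push_only", POLICY_PUSH_ONLY)):
        print(name, check_passwordless_policy(pol, GROUP_ID) or "passwordless ready")
```

Run it against your own tenant by pasting the Graph response in place of the sample dictionaries; any string in the returned list is a setting to go back and fix in the portal.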
The user experience will be that when you enter your username into the Microsoft 365 portal, rather than being prompted for a password, you will go to the screen shown below.
Once the above message appears you will see a prompt on your mobile device that has 3 different numbers. You will need to tap the number that corresponds with the one you see on your login screen (in my case 95). As you can see, you do have the option to use a password: if for any reason you do not have your mobile phone with you, you can select this and enter your password instead of using the Microsoft Authenticator app!
Hope you find this helpful, if you would like any more information feel free to tweet me @shabazdarr or ask a question in the comments section below! Until next time, ‘IamITGeek’ over and out!