Close Menu
    Trending

    Password-less phone sign-in with Microsoft Authenticator App

    10
    By on Enterprise Mobility, Identity and Access

    Two weeks ago, at Microsoft Ignite in Orlando, Microsoft announced the public preview of Password-less phone sign-in. We enabled this feature right after the session in our company tenant, and we have all been super excited about this cool way of signing in. One big step closer to a more secure and password less world.

    This blog post will explain how to configure password-less phone sign-in and how to enable this feature for your users. Please note that this is still a pre-release feature.

    Prepare the Tenant

    First we need to install the latest version the of Azure Active Directory V2 Preview PowerShell Module. This can be done by running the following PowerShell command:

    Install-Module -Name AzureADPreview

    clip_image002

    Please note that the AzureAD Preview Module might need to be updated, if your already have an older version installed.

    clip_image004

    When the Azure AD Preview Module is up to date, you can connect to your Azure AD, with the following command.

    Connect-AzureAD

    If you are connecting to a customer tenant and want to enable this with your own B2B account, you need to specify the TenantId and you must be either Security Administrator or Global Administrator.

    Connect-AzureAD -TenantId ronnipedersen.onmicrosoft.com

    clip_image006

    clip_image008

    When connected to the tenant you need to configure, you just need to run the following command:

    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition ‘{“AuthenticatorAppSignInPolicy”:{“Enabled”:true}}’ -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

    clip_image010

    That’s it… You have now enabled phone sign-in for all users in the Tenant.

    Enable phone sign-in for users

    For the public preview, there is no way (that I know of) to enforce users to create or use this new credential.

    End users will only encounter password-less sign-in once the user has updated their Microsoft Authenticator App to enable phone sign-in.

    Important: This capability has been in the app since March of 2017, so there is a possibility that when the policy is enabled for a tenant, users may encounter this flow immediately. Be aware and prepare your users for this change.

    Pre-requirements

    • Enroll Azure Multi-Factor Authentication.
    • User the latest version of Microsoft Authenticator for iOS 8.0 or Android.

    More information on how to get started with the Microsoft Authenticator app:
    https://docs.microsoft.com/en-us/azure/active-directory/user-help/microsoft-authenticator-app-how-to

    When the Microsoft Authenticator App is configured and working as expected, users must perform the following steps to enable Password-Less Phone sign-in:

    Go to the Accounts screen of the app, select the drop-down arrow for your work or school account, and then select Enable phone sign-in.

    clip_image012

    One of the prerequisites, is that the device is registered within the Azure AD tenant, to an individual user. Due to device registration restrictions, a device can only be registered in a single tenant. Basically, this means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.

    Click Continue to register the device.

    clip_image014

    You will get prompted to sign-in…

    clip_image016

    And then you will get prompted to register the device.

    clip_image018

    When the device registration process is complete, you are ready to sign-in without using a password.

    End User Experience

    To test this just sign in to your work or school account, as normal (If required use a private browser).

    Type your username and click Next.

    clip_image020

    You should then see a page with a two-digit number, asking you to approve the sign-in through the Microsoft Authenticator app. If you don’t want to use this sign in method, you can always select “Use your password instead”.

    clip_image022

    In the Microsoft Authentication app, you’ll get a notification asking you to Approve sign-in.

    clip_image024

    Tap the same number you see on the Approve sign-in screen. Use your phone’s PIN or your biometric key to complete the authentication.

    That’s it… You are now one step closer to a more secure and password-less world!

    Learn More

    If you want to learn more about Getting to world without password, you can see the full session from Microsoft Ignite 2018 right here:

    Download the Slide Deck:
    https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3031.pptx

    /Enjoy

    +Ronni Pedersen

    My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm is also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.

    Related Posts

    10 Comments

    1. Pingback: Azure Weekly: October 15, 2018 – Build Azure

    2. Casper on

      Hi Ronni

      Do you have any experience in how we can handle having multiple accounts in the authenticator? I set it up on one of my accounts and now I can’t set it up on the rest because it says my device is registred with another organisation? It is actually the same organisation, but different domains on the same tenant.

      Regards Casper

      Reply
      • Ronni Pedersen on

        Hi Casper,

        One of the prerequisites, is that the device is registered within the Azure AD tenant, to an “individual user”. Due to device registration restrictions, a device can only be registered in a single tenant. Basically, this means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.

        This might change in the future, but for now you can only add one account.

        /Ronni

        Reply
    3. Mathieu Aït Azzouzene on

      Hi Ronni,

      Thanks a lot for this article.
      I configured the phone sign-in in my tenant and my authenticator app but it only wotks the first time I log in, I have to type my password if I reboot or lock my laptop. I completely disabled Hello for Business, just in case, but it still doesn’t work.
      Is there any step I’m missing?

      Reply
    4. spencer chiu on

      I tried to follow you guide above however i am running into an error enabling the policy.
      New-AzureADPolicy : Error occurred while executing NewPolicy
      Code: Request_BadRequest
      Message: Property has an invalid value.
      InnerError:
      RequestId: 3df40991-b3a8-4823-b414-6324bfb0fc3c
      DateTimeStamp: Fri, 26 Oct 2018 03:33:06 GMT
      HttpStatusCode: BadRequest
      HttpStatusDescription: Bad Request
      HttpResponseStatus: Completed
      At line:1 char:1
      + New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition ‘{“A …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [New-AzureADPolicy], ApiException
      + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
      Policy

      Any thoughts why I cant enable it? i’m logged in as global administrator btw, Thank you

      Reply
    5. DOnal on

      Spencer,
      The reason that you get the error is that if you copy and paste the command from the website the single and double quotes are interpreted wrongly. You need to replace with ‘ and ” respectively.

      Ronni,
      Set this up and works as expected however I set up a conditional access rule for Exchange Online only and excluded trusted locations. It doesn’t appear to obey any of the conditions specified and applies to all web apps from all locations.
      Did you have the same experience ?

      Reply

    6. Pingback: enable phone sign in authenticator – datahowinfo

    Leave A Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.