Enable Password-less Authentication For Azure AD WebApps

What’s up, everyone!

In this post I’ll take a look at password-less authentication. We can optimize the user experience and increase security at the same time if we enable passwordless authentication. 

What Is Password-less Authentication

There are a couple of password-less authentication scenario’s and you might even be using one of them. Here are some examples;

  • You can sign-in to an assigned computer using biometric recognition or PIN. These options work for security keys and Windows Hello for Business.
  • You can sign-in from a shared Windows 10 or 11 device using biometric recognition or PIN using security keys.
  • You can sign-in to webapps from a dedicated computer using Phone Authentication, security keys and Windows Hello for Business, as long as SSO is enabled for the last two options.
  • You can sign-in to webapps from a mobile device using mobile authentication
Let’s take a look at enabling and configuring password-less sign-in for webapps.

Prerequisites

Microsoft has the following prerequisites;

  • The latest version of the Microsoft Authenticator app
  • For Android devices; The Microsoft Authenticator app must be registered to an individual user.
  • For iOS devices; the device must be registered with each tenant where it’s used to login.
  • The admin account used needs at least Authentication Policy Administrator rights.
It’s recommended to use Azure AD MFA with push notifications allowed as a verification method. 

Configure Azure AD Authentication Methods

Login to the Azure portal and go to Azure AD, Security, Authentication Methods, Policies.

By default all of the options will be set to No. Click on the Microsoft Authenticator policy to configure this policy.

Slide the Enable button to YES to enable Passwordless sign-in using the Microsoft Authenticator. 

You can device if you want to enable this feature for your entire organization of just a select few. Since Passwordless login is a very secure way to login, it’s a good idea if you enable it for your organisation at some point. But you can also gradually implement this policy by scoping it to one or more user objects or one or more security groups.

I created a group named Sec – Passwordless Signin and added some members to the group. 

Notice that there are three dots next to the registration field. If you click that icon, you can choose to configure more settings or discard the changes. 

We get three options in the authentication mode dropbox box. Make sure this is set to Any or Passwordless. If it’s set to Push you actually prevent passwordless signin.

In my demo I went with Any and saved the policy. 

Saving the policy might actually fail if you are adding too many user objects or groups. The workaround here is to add a single group and hit save again. 

Configure The Microsoft Authenticator

We need to make sure that the Microsoft Authenticator app is setup for our users. 

There are a couple of ways to do this, here are some URL’s our users can use to setup the Microsoft Authenticator:

  • https://aka.ms/mysecurityinfo
  • https://aka.ms/mfasetup
If the Microsoft Authenticator is setup correctly, it should look something like this:

Open the account in the Microsoft Authenticator and select the Enable Phone Sign-In. Authenticate to configure password-less sign-in. The status should change to Passwordless Sign-In enabled.

Demo

Let’s take a look what passwordless login looks like for our users by logging into the Information Worker Portal (Windows 365 portal).

Login to https://windows365.microsoft.com. Enter the email address of the user and hit Next.

The next screen tells us to open the Microsoft Authenticator app and enter the number.

There should be a Microsoft Authenticator notification waiting for you on your phone.

The experience may differ depending if you are using an Android or iOS phone. My screenshots are made on an Android phone. I have seen images of the iOS experience which also shows the location where the request originates from.

We have three options, in this case I would simply enter the number 21 and hit Yes.

Dutch version

The login process continues on your Cloud PC:

We can now login to our webapps without entering our password. It’s also possible to configure a password-less option to log into Windows. Check the What Is The Password-less Authentication section for a supported scenario.

Resources

Leave a Reply

Your email address will not be published. Required fields are marked *