Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The Microsoft Authenticator app can be used to sign in to any Azure AD account without using a password. Similar to the technology of Windows Hello for Business, the Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device and uses a biometric or PIN.

Figure: Example of a browser sign-in asking the user to approve the sign-in attempt in their Microsoft Authenticator app

Instead of seeing a prompt for a password after entering a username, a person who has enabled phone sign-in in the Microsoft Authenticator app will see a message telling them to tap a number in their app. In the app, the user must match the number, choose Approve, then provide their PIN or biometric, then the authentication will complete.

Enable my users

For public preview, an admin must first add a policy via PowerShell to allow use of the credential in the tenant. Review the "Known Issues" section before taking this step.

Tenant prerequisites

  • Azure Active Directory
  • End users enabled for Azure Multi-Factor Authentication
  • Users can register their devices

Steps to enable

  1. Install the public preview release of the Azure Active Directory V2 PowerShell Module.
  2. In PowerShell, run two commands:
    1. Connect-AzureAD
      1. In the authentication dialog, sign in with an account in the tenant. The account must either be a Security Administrator or Global Administrator.
    2. New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn
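The two commands above are all the preview requires. The following script is an added example, not part of the original article: it wraps the same cmdlets so the policy can be created idempotently (re-running does not create a second policy), verified after creation, and switched off again if the AD FS or device-registration issues described under "Known Issues" surface. It assumes the AzureADPreview module is installed and that `Get-AzureADPolicy` and `Set-AzureADPolicy` from that module are available; the variable names are the example's own.

```powershell
# Added example (not from the original article). Assumes the AzureADPreview module
# is installed and the signed-in account is a Security or Global Administrator.
Connect-AzureAD | Out-Null

$policyType  = 'AuthenticatorAppSignInPolicy'
$displayName = 'AuthenticatorAppSignIn'
$enabledDef  = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'
$disabledDef = '{"AuthenticatorAppSignInPolicy":{"Enabled":false}}'

# Look for an existing policy of this type so a re-run updates rather than duplicates it.
$existing = Get-AzureADPolicy -All $true | Where-Object { $_.Type -eq $policyType }

if (-not $existing) {
    $policy = New-AzureADPolicy -Type $policyType -Definition $enabledDef `
        -IsOrganizationDefault $true -DisplayName $displayName
    Write-Host "Created policy $($policy.Id)"
} else {
    # Ensure the existing policy actually enables the credential.
    Set-AzureADPolicy -Id $existing.Id -Definition $enabledDef
    Write-Host "Updated existing policy $($existing.Id)"
}

# Verify: the stored definition should report Enabled = true.
$check = Get-AzureADPolicy -All $true | Where-Object { $_.Type -eq $policyType }
$state = ($check.Definition | ConvertFrom-Json).AuthenticatorAppSignInPolicy.Enabled
Write-Host "Phone sign-in policy enabled: $state"

# Rollback (uncomment only when needed): keep the policy object but turn the
# credential off, so the tenant-wide change can be reverted in one step.
# Set-AzureADPolicy -Id $check.Id -Definition $disabledDef
```

Because the policy is tenant-wide and users who already set up phone sign-in in the app will see the new flow immediately once it is enabled, having the rollback line ready before running the script is the practical safeguard for a preview rollout.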

How do my end users enable phone sign-in?

For public preview, there is no way to require users to create or use this new credential. An end user will only encounter password-less sign-in once an admin has enabled their tenant and the user has updated their Microsoft Authenticator app to enable phone sign-in.

Note

This capability has been in the app since March of 2017, so there is a possibility that when the policy is enabled for a tenant, users may encounter this flow immediately. Be aware and prepare your users for this change.

  1. Enroll in Azure Multi-Factor Authentication.
  2. Install the latest version of Microsoft Authenticator on a device running iOS 8.0 or greater, or Android 6.0 or greater.
  3. Add the work or school account to the app with push notifications. End-user documentation can be found at https://aka.ms/authappstart.

Once the user has the MFA account with push notifications set up in the Microsoft Authenticator app, they can follow the steps in the article Sign in with your phone, not your password to complete the phone sign-in registration.

Known Issues

AD FS Integration

When a user has enabled the Microsoft Authenticator password-less credential, authentication for that user will always default to sending a notification for approval. This logic prevents users in a hybrid tenant from being directed to AD FS for sign-in verification unless the user takes the additional step of clicking "Use your password instead." This process will also bypass any on-premises Conditional Access policies and Pass-through Authentication flows. The exception to this process is when a login_hint is specified: the user will then be auto-forwarded to AD FS and will not be offered the option to use the password-less credential.

Azure MFA server

End users who are enabled for MFA through an organization’s on-premises Azure MFA server can still create and use a single password-less phone sign-in credential. If the user attempts to upgrade multiple installations (5+) of the Microsoft Authenticator with the credential, this change may result in an error.

Device Registration

One of the prerequisites for creating this new, strong credential is that the device where it resides is registered within the Azure AD tenant to an individual user. Due to device registration restrictions, a device can only be registered in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.

Next steps

Learn about device registration

Learn about Azure Multi-Factor Authentication