Is it possible to have the registered "Microsoft Authenticator App - Push Notification" take over as the default first-factor authentication?

Woody Chiu at RASI 191 Reputation points
2024-04-09T01:18:00.57+00:00

Let me start with some background first.

We are migrating 142 Samsung Tab A tablets from Google WorkSpace MDM to Microsoft Intune. I am testing the user experience from wiping a tablet to the point where the tablet is enrolled in Intune.

Here is what the procedure is going to be:

  1. Wipe the tablet to reset to factory default using the Google WorkSpace MDM Admin portal.
  2. Users follow the PowerPoint Show to set up their tablets.

All 142 user accounts have been set up with the MFA sign-in method (Microsoft Authenticator App), and Windows Hello for Business passwordless sign-in methods such as PIN and FIDO security key (YubiKey touch) have been set up on one office Windows 11 machine for each user. That has been working fine, no problem. Users sign in to that office machine with PIN + FIDO security key.

Back to the tablet. I will issue a TAP (Temporary Access Pass) for the user to complete the tablet setup first. Once the tablet setup is done, the tablet will be enrolled with Intune and no longer with Google WorkSpace MDM.

The TAP lasts for 4 hours only. Here is my question.

The user password was not used to authenticate the user on the tablet because the tablet was set up via a TAP.

Is it possible to set up the user account to prompt for the respective Microsoft Authenticator App's sign-in approval rather than prompting for the user password after the TAP expires?

Or is that not possible until the user password has been used at least once to authenticate the user's sign-in on the tablet?

Am I making myself clear?


1 answer

    Akhilesh (4,775 Reputation points, Microsoft Vendor)
    2024-04-12T07:47:40.87+00:00

    Hi @Woody Chiu at RASI

    Thank you for reaching out to the community forum!

    I understand that you would like to know the possibility to set up the user account to prompt for the respective Microsoft Authenticator App's sign-in approval rather than prompting for the user password after the TAP expires.

    To answer your question, after the TAP expires, the user will need to authenticate with their password at least once to set up the Microsoft Authenticator App's sign-in approval on the tablet.

    Once a user has a valid Temporary Access Pass (TAP), they can use it to sign in and register security information, including setting up passwordless phone sign-in directly from the Microsoft Authenticator app.

    After the TAP is used to set up the tablet and enroll it with Intune, the user should be able to continue using the Microsoft Authenticator app for sign-in without needing to use their password.

    Here the TAP works as a bridge to enable passwordless authentication methods, and once these methods are registered and set up, the user should not be required to revert to using a password for authentication.

    In general, the Temporary Access Pass (TAP) should allow for the setup of passwordless methods without the need for a password. Please ensure that the TAP policy is configured in your organization to allow users to sign in with a TAP and onboard other passwordless authentication, because organization policies can override these defaults and require users to use a password for authentication.

    Reference: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/secure-authentication-method-provisioning-with-temporary-access/ba-p/3290631

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-phone

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


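The answer above hinges on two things an admin can actually check: that the tenant's TAP policy allows a pass long enough for the tablet setup, and that the user finished registering Authenticator phone sign-in (the passwordless method) before the TAP lapsed. Authenticator push approval on its own is a second factor; if that is all the user registered, the next interactive sign-in still asks for the password first. The script below is an added example, not code from the question, the answer or Microsoft's documentation. It uses Microsoft Graph PowerShell SDK cmdlets; the Graph scopes, the property path used to read the TAP policy limits, and the user principal name are assumptions to adapt to your tenant. The decision logic is a pure function so it can be tried on the constructed method lists without a tenant.

```powershell
# Added example for the TAP-to-passwordless onboarding flow discussed above.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Reports modules). Scopes, the AdditionalProperties path on the TAP
# policy object and the sample UPN are assumptions, not values from the page.

# Method names as Graph reports them in userRegistrationDetails.methodsRegistered.
# Only these can replace the password as the FIRST factor. 'microsoftAuthenticatorPush'
# is a second factor and does not prevent a password prompt once the TAP has expired.
$FirstFactorMethods = @(
    'microsoftAuthenticatorPasswordless',
    'fido2SecurityKey',
    'passKeyDeviceBound',
    'windowsHelloForBusiness'
)

function Get-PasswordlessVerdict {
    # Pure decision logic: given the registered method names, report whether the next
    # interactive sign-in can complete without a password. No Graph calls here.
    param([Parameter(Mandatory)][string[]]$MethodsRegistered)

    $firstFactor = @($MethodsRegistered | Where-Object { $FirstFactorMethods -contains $_ })
    [pscustomobject]@{
        PasswordlessReady  = ($firstFactor.Count -gt 0)
        FirstFactorMethods = $firstFactor
        # True when the user only has push approval and no passwordless first factor:
        # exactly the state that leads to a password prompt after the TAP lapses.
        PushOnly           = ($MethodsRegistered -contains 'microsoftAuthenticatorPush') -and ($firstFactor.Count -eq 0)
        TapRegistered      = ($MethodsRegistered -contains 'temporaryAccessPass')
    }
}

function Assert-TapPolicy {
    # Confirm the TAP method is enabled tenant-wide and that a 4-hour pass is permitted.
    param([int]$RequiredLifetimeMinutes = 240)

    $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
    # Assumption: the TAP-specific limits are surfaced in AdditionalProperties.
    $maxMinutes = [int]$cfg.AdditionalProperties['maximumLifetimeInMinutes']

    if ($cfg.State -ne 'enabled') {
        throw 'Temporary Access Pass is disabled in the authentication methods policy.'
    }
    if ($maxMinutes -lt $RequiredLifetimeMinutes) {
        throw "TAP maximum lifetime is $maxMinutes min; raise it to issue a $RequiredLifetimeMinutes-minute pass."
    }
    $cfg
}

function New-OnboardingTap {
    # Issue a 4-hour, multi-use TAP so the user can enrol the tablet and register
    # Authenticator phone sign-in before the pass expires.
    param([Parameter(Mandatory)][string]$Upn)

    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
        -LifetimeInMinutes 240 -IsUsableOnce:$false
    [pscustomobject]@{
        Upn        = $Upn
        Pass       = $tap.TemporaryAccessPass
        ExpiresUtc = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    }
}

function Test-UserPasswordlessReady {
    # Pull the user's registration report from Graph and apply the verdict logic.
    param([Parameter(Mandatory)][string]$Upn)

    $detail = Get-MgReportAuthenticationMethodUserRegistrationDetail `
        -Filter "userPrincipalName eq '$Upn'"
    Get-PasswordlessVerdict -MethodsRegistered $detail.MethodsRegistered |
        Add-Member -NotePropertyName Upn -NotePropertyValue $Upn -PassThru
}

# Constructed samples (no tenant needed): a user who only used the TAP and set up
# push approval, and one who also completed phone sign-in in the Authenticator app.
Get-PasswordlessVerdict -MethodsRegistered @('temporaryAccessPass', 'microsoftAuthenticatorPush', 'mobilePhone')
Get-PasswordlessVerdict -MethodsRegistered @('temporaryAccessPass', 'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless')

# Live flow against the tenant (scopes and UPN are placeholders):
# Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All'
# Assert-TapPolicy | Out-Null
# New-OnboardingTap -Upn 'user@contoso.example'
# ...after the user finishes the tablet setup, and before the 4 hours are up:
# Test-UserPasswordlessReady -Upn 'user@contoso.example'
```

The first constructed sample returns PasswordlessReady $false and PushOnly $true: that user will be asked for a password as soon as the TAP is gone. The second returns PasswordlessReady $true with microsoftAuthenticatorPasswordless as the first-factor method. Running Test-UserPasswordlessReady for each of the 142 accounts while the TAP is still valid is the practical check: anyone still showing PushOnly needs to open the Authenticator app and enable phone sign-in before the pass expires, otherwise the password will be required once.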