How to Configure Passwordless Sign-in with Microsoft Authenticator on Android & iOS with Multiple User Registration [Entra ID Top New Feature 2024]


Why Passwordless

Implementing features such as multifactor authentication (MFA) can significantly enhance the security of your organization. However, users commonly experience frustration when faced with an additional security layer in addition to remembering their passwords. Passwordless authentication methods offer a more convenient alternative by eliminating the need for passwords and instead utilizing something you have, are, or know for authentication.

Authentication   Something you have                          Something you are or know
Passwordless     Windows 10 device, phone, or security key   Biometric or PIN


Custom Authentication Needs

Every organization has unique requirements for authentication. Microsoft Entra ID provides a range of five passwordless authentication options to cater to these diverse needs:
  • Microsoft Authenticator
  • Windows Hello for Business
  • Certificate-based authentication
  • Passkeys (FIDO2)
  • Platform Credential for macOS
  • Platform single sign-on (PSSO) for macOS with smart card authentication

Configure Passwordless with Microsoft Authenticator

Microsoft Authenticator allows users to access their Microsoft Entra accounts without the need for a password. Leveraging key-based authentication, this tool links user credentials to a specific device, which can be unlocked using a PIN or biometric verification. Similar technology is also utilized by Windows Hello for Business.

This authentication method is compatible across various device platforms, including mobile devices. Additionally, it can seamlessly integrate with any application or website that supports Microsoft Authentication Libraries.

Prerequisites

To use passwordless phone sign-in with Microsoft Authenticator, the following requirements must be met:

Required: Microsoft Entra multifactor authentication with push notifications enabled as a verification method. Push notifications on your smartphone or tablet add an extra layer of security to your accounts and help prevent unauthorized access. With push notifications enabled, the Authenticator app also generates codes automatically, so you keep access even without connectivity.
  • Ensure the latest version of Microsoft Authenticator is installed on iOS or Android devices.
  • For iOS and Android devices, registration with each tenant where sign-in occurs is necessary.
  • In April 2024 Microsoft introduced a top new feature: registration of multiple user accounts from a single device.

You can enable passwordless phone sign-in for multiple accounts in Microsoft Authenticator on any supported Android or iOS device. Consultants, students, and others with multiple accounts in Microsoft Entra ID can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same device.

The Microsoft Entra accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device.
Read more in the Microsoft article: Microsoft Passwordless

To enable the authentication method for passwordless phone sign-in, complete the following steps:

Sign in to the Microsoft Entra admin center, open the Protection tab, and then go to Protection > Authentication methods > Policies.

[Screenshot: Microsoft Entra ID Authentication Methods]
Under Microsoft Authenticator, choose the following options:
  • Enable: Yes
  • Target: All users (the selection used in this example)
[Screenshot: Microsoft Authenticator Settings]

Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes (Any mode). To change the mode, set Authentication mode for each row to Any or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
[Screenshot: Microsoft Authenticator Modes]
If required, you can customize the optional Authenticator settings.
Here we can enable Authenticator OTP support, as shown in the screenshot below.
[Screenshot: Authenticator OTP Settings]
We can also control whether the application name and geographic location are shown in push and passwordless notifications, as shown below.
[Screenshot: Microsoft Authenticator show application name and geographic location settings]

The Microsoft Authenticator on Companion Application (Authenticator Lite) option is available within Entra ID to remove the need for a separate application in the multi-factor authentication process. As you may know, many people already use the Microsoft Outlook mobile app on their device. For these users, with the Authenticator Lite feature, Microsoft Authenticator is no longer a hard requirement. So, Microsoft is helping us reduce the number of mobile apps on end users' devices, make it easier to register for multi-factor authentication, and get more accounts protected in Entra ID.

This Authenticator Lite feature can be controlled using the settings below:

[Screenshot: Microsoft Authenticator on Companion Application Settings]
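The same policy that the portal steps above configure (Enable, Target, Authentication mode per row, OTP support, app name and location display, and the Authenticator Lite setting) can be set repeatably through Microsoft Graph. The following is an added example written for this article, not Microsoft's own code; it builds the PATCH body for the microsoftAuthenticator authentication method configuration, checks which targets still permit passwordless phone sign-in, and only sends the request when a GRAPH_TOKEN environment variable (a placeholder) is supplied. The group ids used in the test are constructed.

```python
import json
import os
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/microsoftAuthenticator")
ALL_USERS = "all_users"  # well-known target id for "All users"
NO_ONE = "00000000-0000-0000-0000-000000000000"  # empty group id meaning "exclude nobody"

def feature(state):
    """One featureSettings entry (app name, location, Authenticator Lite) scoped to all users."""
    return {"state": state,
            "includeTarget": {"targetType": "group", "id": ALL_USERS},
            "excludeTarget": {"targetType": "group", "id": NO_ONE}}

def build_authenticator_policy(targets, otp=True, show_app=True, show_location=True,
                               authenticator_lite="default"):
    """targets: list of (group_id, mode); mode is 'any', 'deviceBasedPush' (Passwordless) or 'push'."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",                      # Enable: Yes
        "isSoftwareOathEnabled": otp,            # Authenticator OTP support
        "includeTargets": [{
            "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodTarget",
            "targetType": "group", "id": gid, "isRegistrationRequired": False,
            "authenticationMode": mode} for gid, mode in targets],
        "featureSettings": {
            "displayAppInformationRequiredState": feature("enabled" if show_app else "disabled"),
            "displayLocationInformationRequiredState": feature("enabled" if show_location else "disabled"),
            "companionAppAllowedState": feature(authenticator_lite),   # Authenticator Lite
        },
    }

def passwordless_allowed(policy, group_id):
    """True if the target's mode still permits passwordless phone sign-in; 'push' blocks it."""
    for t in policy["includeTargets"]:
        if t["id"] == group_id:
            return t["authenticationMode"] in ("any", "deviceBasedPush")
    return False

def apply_policy(policy, token):
    """PATCH the policy (token needs Policy.ReadWrite.AuthenticationMethod); returns HTTP status."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(policy).encode(), method="PATCH",
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__" and os.environ.get("GRAPH_TOKEN"):  # only calls Graph when a token is given
    print("HTTP", apply_policy(build_authenticator_policy([(ALL_USERS, "any")]), os.environ["GRAPH_TOKEN"]))
```

Run it with a token obtained for an account holding the Authentication Policy Administrator role; without a token it only builds the body, which you can print and review before applying.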

Enable Passwordless Options for Microsoft Authenticator

To activate passwordless options in Microsoft Authenticator, follow these steps:
  • Launch the Microsoft Authenticator app on your mobile device.
  • Select the account you wish to enable passwordless authentication for.
  • Configure the passwordless feature on your Android mobile device, which is already set up for multi-factor authentication (MFA).
By following these instructions, you can easily set up passwordless authentication in Microsoft Authenticator for enhanced security.

Now select the Set up phone sign-in option.

[Screenshot: Set up phone sign-in option in Authenticator app]

Please ensure that screen lock is enabled on the device before proceeding with the device registration process.
[Screenshot: Device Registration Process]

Select Register and proceed.
[Screenshot: Register Device with Entra ID]

Registration is complete. Click Finish to finalize the process.
[Screenshot: Finish Phone Registration]
To test passwordless authentication, sign in to the M365 portal.
Navigate to portal.office.com, enter your user ID, then select Next.
[Screenshot: M365 Portal Sign-in]
On the password screen, choose Use an app instead (this option is available only if you have successfully completed the previous steps for your account).
[Screenshot: M365 Portal Passwordless Sign-in]

Upon selecting the Approve sign-in option with number matching, a push notification is sent to your registered device prompting you to enter the corresponding number; the prompt also shows the geographic location and the specific app used to access the application.
[Screenshot: Approve Sign-in Prompt in Authenticator Application]

Successfully signed in to the M365 portal using the passwordless method.
[Screenshot: User Successfully Signed in to M365 Portal]


Looking forward:

Passwordless sign-in is the future of secure and convenient logins. By following this guide, you're at the forefront of this security advancement. Stay tuned for future updates on how to leverage passwordless sign-in with other applications and services.
