The Microsoft Authenticator app can be used to sign into any Azure AD account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. Windows Hello for Business uses a similar technology.
This authentication technology can be used on any device platform, including mobile. This technology can also be used with any app or website that integrates with Microsoft Authentication Libraries.
People who enabled phone sign-in from the Microsoft Authenticator app see a message that asks them to tap a number in their app. No username or password is asked for. To complete the sign-in process in the app, a user must next take the following actions:
- Type the number they see on the login screen into the Microsoft Authenticator app dialog.
- Choose Yes.
- Provide their PIN or biometric.
To use passwordless phone sign-in with the Microsoft Authenticator app, the following prerequisites must be met:
- Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications, so a user has a backup sign-in method even if their device doesn't have connectivity.
- Latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater, or Android 6.0 or greater.
- The device on which the Microsoft Authenticator app is installed must be registered within the Azure AD tenant to an individual user.
Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use. The Microsoft Authenticator authentication method policy manages both the traditional push MFA method and the passwordless authentication method.
To enable the authentication method for passwordless phone sign-in, complete the following steps:
- Sign in to the Azure portal with an authentication policy administrator account.
- Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
- Under Microsoft Authenticator, choose the following options:
  - Enable: Yes or No
  - Target: All users or Select users
- Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change this, for each row:
  - Browse to ... > Configure.
  - For Authentication mode, choose Any or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
- To apply the new policy, click Save.
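An added example, not part of the original article or Microsoft's own code: a read-only check of the per-target authentication mode chosen in the steps above. It assumes the policy has been exported as JSON in the shape Microsoft Graph uses for the Microsoft Authenticator method configuration (`state`, `includeTargets`, and `authenticationMode` with the values `any`, `push` and `deviceBasedPush`); the sample policy and every ID in it are constructed placeholders.

```python
import json

# Constructed sample: Microsoft Authenticator method configuration in the
# shape Microsoft Graph returns it (assumed field names, placeholder IDs).
SAMPLE_POLICY = json.loads("""
{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "includeTargets": [
    {"targetType": "group", "id": "all_users", "authenticationMode": "push"},
    {"targetType": "group", "id": "GROUP-ID-PILOT", "authenticationMode": "any"},
    {"targetType": "user", "id": "USER-ID-ADMIN", "authenticationMode": "deviceBasedPush"}
  ],
  "excludeTargets": [
    {"targetType": "group", "id": "GROUP-ID-BREAKGLASS"}
  ]
}
""")

# Portal label for each Graph authenticationMode value (assumed mapping).
PORTAL_MODE = {"any": "Any", "deviceBasedPush": "Passwordless", "push": "Push"}

def audit_authenticator_policy(config):
    """Return one row per included target: (type, id, portal mode, passwordless allowed)."""
    enabled = config.get("state") == "enabled"
    rows = []
    for target in config.get("includeTargets", []):
        mode = target.get("authenticationMode", "any")  # "Any" is the default mode
        if mode not in PORTAL_MODE:
            raise ValueError(f"unknown authenticationMode: {mode!r}")
        # Passwordless phone sign-in needs the method enabled and a mode other than Push.
        allowed = enabled and mode != "push"
        rows.append((target["targetType"], target["id"], PORTAL_MODE[mode], allowed))
    return rows

def push_only_targets(config):
    """IDs of targets that cannot use the passwordless credential."""
    return [tid for _, tid, _, ok in audit_authenticator_policy(config) if not ok]

if __name__ == "__main__":
    for ttype, tid, mode, ok in audit_authenticator_policy(SAMPLE_POLICY):
        print(f"{ttype:5} {tid:16} mode={mode:12} passwordless={'yes' if ok else 'no'}")
    excluded = [t["id"] for t in SAMPLE_POLICY.get("excludeTargets", [])]
    print("excluded from the method entirely:", excluded)
```

Rows reported with `passwordless=no` are the ones to revisit under ... > Configure if those users are expected to sign in without a password.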
Set up the Microsoft Authenticator app
Users register themselves for the passwordless authentication method of Azure AD by using the following steps:
- Browse to https://aka.ms/mysecurityinfo.
- Sign in, then click Add method > Authenticator app > Add to add the Authenticator app as a sign-in method.
- Follow the instructions to install and configure the Microsoft Authenticator app on your device.
- Select Done to complete Authenticator configuration.
- In Microsoft Authenticator, choose Enable phone sign-in from the drop-down menu for the account registered.
- Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
A user can start to utilize passwordless sign-in after all the following actions are completed:
- An admin has enabled the user's tenant.
- The user has updated their Microsoft Authenticator app to enable phone sign-in.
The first time a user starts the phone sign-in process, the user performs the following steps:
- Enters their name at the sign-in page.
- Selects Next.
- If necessary, selects Other ways to sign in.
- Selects Approve a request on my Microsoft Authenticator app.
The user is then presented with a number. The app prompts the user to authenticate by typing the appropriate number, instead of by entering a password.
After the user has utilized passwordless phone sign-in, the app continues to guide the user through this method. However, the user will see the option to choose another method.