Microsoft Authenticator Passwordless


Now You Can Enable passwordless sign-in with the Microsoft Authenticator app

Microsoft Authenticator Passwordless – Azure AD accounts can be signed in to with the Microsoft Authenticator app, without the need for a password. The app uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. Windows Hello for Business uses a similar kind of authentication.

Any device platform, including mobile, may be utilized with this kind of authentication. Apps and websites using Microsoft Authentication Libraries may also benefit from this technology.

A sign-in prompt appears in the Microsoft Authenticator app for anyone who has activated phone sign-in. There is no need to provide a login or password. The user takes the following steps to complete the sign-in process in the app:

  • The first step is to open the Microsoft Authenticator app and enter the number that appears on the login screen.
  • Secondly, choose Approve.
  • Lastly, provide a PIN or biometric data to verify your identity.

Mandatory Requirements

The Microsoft Authenticator app must meet the following requirements before you can utilize passwordless phone sign-in:


Using Azure AD PowerShell, you may activate Microsoft Authenticator passwordless sign-in for your whole directory. If you enable it with the new technique described here, the PowerShell policy no longer applies. Users who are not in the new policy will not be able to sign in without a password until you activate it for them in the new Authentication Methods option.

Switching on Passwordless Authentication

Enable the combined registration experience before enabling passwordless authentication for users in Azure AD.

Enable the use of password-free phone sign-in authentication.

Azure AD lets you choose which authentication methods can be used during sign-in. Users then register for the methods they want to use. The Microsoft Authenticator authentication method policy manages both the usual push MFA method and the passwordless authentication method.

Complete the following steps to activate the passwordless phone sign-in authentication method:

  1. Sign in to the Azure portal with an administrator account.
  2. Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
  3. Under Microsoft Authenticator, choose the following options:
    Enable – Yes or No
    Target – All users or Select users
  4. Each new group or user is enabled by default for both Microsoft Authenticator push notifications and passwordless access (“Any” mode). To change this, do the following for each row:
    a) Browse to > Configure.
    b) For Authentication mode, choose Any or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
  5. To apply the new policy, select Save.
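The policy settings above can be checked after the fact. The following Python is an added example, not code from the original page or from Microsoft: it audits an exported copy of the Microsoft Authenticator policy and reports which targets can use passwordless phone sign-in, which are push-only, and which known groups the policy does not cover. Assumptions: the field names are modeled on the Microsoft Graph `microsoftAuthenticatorAuthenticationMethodConfiguration` resource, the portal's Passwordless mode is stored as `deviceBasedPush`, "All users" is stored as the target id `all_users`, and every group id in the sample is constructed.

```python
# Added example. SAMPLE_POLICY is constructed data, not a real tenant export.
# Assumed mapping of portal labels to stored values:
#   Any -> "any", Passwordless -> "deviceBasedPush", Push -> "push"
PASSWORDLESS_MODES = {"any", "deviceBasedPush"}
ALL_USERS = "all_users"  # assumed id of the "All users" target

SAMPLE_POLICY = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [
        {"targetType": "group", "id": "grp-helpdesk", "authenticationMode": "push"},
        {"targetType": "group", "id": "grp-pilot", "authenticationMode": "deviceBasedPush"},
        {"targetType": "group", "id": "grp-staff"},  # no mode set: default is "any"
    ],
    "excludeTargets": [{"targetType": "group", "id": "grp-breakglass"}],
}


def audit_policy(policy, known_groups):
    """Classify policy targets by whether passwordless phone sign-in is usable.

    known_groups: group ids the organization expects to be covered.
    Returns a dict of lists: passwordless, push_only, excluded, untargeted.
    """
    report = {"passwordless": [], "push_only": [], "excluded": [], "untargeted": []}
    if policy.get("state") != "enabled":
        # Method switched off: nobody is covered by the policy.
        report["untargeted"] = sorted(known_groups)
        return report

    included = set()
    for target in policy.get("includeTargets", []):
        mode = target.get("authenticationMode", "any")
        # Push mode prevents use of the passwordless phone sign-in credential.
        bucket = "passwordless" if mode in PASSWORDLESS_MODES else "push_only"
        report[bucket].append(target["id"])
        included.add(target["id"])

    report["excluded"] = [t["id"] for t in policy.get("excludeTargets", [])]
    # Groups outside the policy cannot sign in without a password,
    # unless the policy targets all users.
    if ALL_USERS not in included:
        report["untargeted"] = sorted(set(known_groups) - included)
    return report


if __name__ == "__main__":
    groups = ["grp-helpdesk", "grp-pilot", "grp-staff", "grp-contractors"]
    for key, ids in audit_policy(SAMPLE_POLICY, groups).items():
        print(f"{key}: {ids}")
```
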

Management of Microsoft Authenticator user accounts

Using the following procedures, users may enroll in Azure AD’s passwordless authentication service.

  1. Browse to
  2. Sign in, then click Add method > Authenticator app > Add to add the Authenticator app.
  3. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
  4. Select Done to complete Authenticator configuration.
  5. In Microsoft Authenticator, choose Enable phone sign-in from the drop-down menu for the account registered.
  6. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.

An organization may instruct its users to use their phones to sign in, without requiring them to provide a username and password. See Sign in to your accounts using the Microsoft Authenticator app for more information on setting up the app and enabling phone sign-in.


The Microsoft Authenticator app no longer allows users who aren’t permitted by policy to utilize phone sign-in to do so.

Sign in with passwordless credential

After the following steps are performed, a user may begin using passwordless sign-in:

  • An administrator has enabled it.
  • The user has updated her Microsoft Authenticator app so that phone sign-in is possible.

When a user begins the phone sign-in procedure for the first time, the user follows these steps:

  1. Enters her name at the sign-in screen.
  2. Selects the following option.
    Select Other methods to sign in if required.
  3. Selects Activate my Microsoft Authenticator app.
  4. The user is then shown a number. The app asks the user to provide the correct number instead of entering a password.

After a user has used passwordless phone sign-in, the app continues to guide the user through this process. The user may still choose a different method and is presented with that choice.

Known Issues

Not seeing a way to sign in using a phone without a password

It’s possible for a user to have a passwordless phone sign-in verification that has not been answered. The user may nevertheless try to re-enter their credentials. As a result, the user may only see a password entry field.

The following steps may be taken to address this problem:

  1. Open the Microsoft Authenticator application.
  2. Respond to any alerts that may have been sent.

Afterwards, the user may continue to use the passwordless phone sign-in option.

Federated Accounts

The Azure AD login procedure no longer uses the login hint when a user has enabled any passwordless credential. Because of this, the user’s path to a federated login site is no longer expedited.

Because of this logic, hybrid tenant users generally aren’t redirected to Active Directory Federation Services (AD FS). In spite of this, a user may still choose to use their password.

Azure MFA server

Using an on-premises Azure MFA server, an end user may be granted multifactor authentication (MFA). A single passwordless phone sign-in credential may still be created and used by the user.

Attempting to update more than five Microsoft Authenticator apps with the passwordless phone sign-in credential may result in an error.

Registering a Device

There are a few prerequisites before you can create this new credential. In order for Microsoft Authenticator to work, the device on which it is installed has to be registered to a specific user in Azure Active Directory (Azure AD).

Currently, a device may be registered in only a single tenant. This means that just one work or school account may be activated for phone sign-in in the Microsoft Authenticator app.