
Azure Active Directory and Passwordless authentication

The ultimate goal for every organization is to remove passwords from sign-in events altogether. Passwords are not natural to humans. This makes them a burden for every user, which leads to weak passwords, the same password reused on multiple systems, passwords written down on notes, or an expired password "changed" by altering a single character. These are just some of the reasons that make passwords a weak form of authentication.

Is Multi Factor Authentication (MFA) the solution?

Yes, implementing Multi Factor Authentication (MFA), along with requiring a password change over a period of time, is a valid solution. MFA protects accounts and data by adding an additional factor, be it an authenticator app on your phone, SMS (which is not recommended) or a more advanced TOTP-based security key. Today's cloud-first approach demands better protection on the Internet: the cloud is open to access from everywhere, which differs from the traditional closed-down and protected enterprise environments.

What is the solution?

Passwordless authentication is the way to go. Unfortunately we are not completely there yet but we can do a lot to use passwords as rarely as possible. Each organization has different needs when it comes to authentication. I will make a series of posts detailing the following three passwordless authentication options by Microsoft that integrate with Azure Active Directory (Azure AD):

These are all the possible scenarios:

  • Administrators can enable passwordless authentication methods for their tenant
  • Administrators can target all users or select users/groups within their tenant for each method
  • End users can register and manage these passwordless authentication methods in their account portal
  • End users can sign in with these passwordless authentication methods
    • Microsoft Authenticator App: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 Out Of Box Experience (OOBE) setup, and with integrated mobile apps on any operating system.
    • Security keys: Work on the Windows 10 lock screen and on the web in supported browsers such as Microsoft Edge (both legacy and new Edge).
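The first two bullets above (an administrator enables a passwordless method for the tenant and scopes it to selected users or groups) are done through the Azure AD authentication methods policy. The following is an added example, not code from the original post: it builds the Microsoft Graph request bodies for enabling FIDO2 security keys and the Microsoft Authenticator app and targeting them at groups, and wraps them in a PATCH request against the `authenticationMethodsPolicy` resource. The endpoint path, `@odata.type` values and property names are the ones documented for that Graph resource; the group ids, AAGUID and bearer token are placeholders.

```python
"""Build and send the Microsoft Graph policy changes that enable two passwordless
methods (FIDO2 security keys, Microsoft Authenticator app) for selected groups.
Added example, not the original post's code. Group ids, AAGUIDs and the token
below are placeholders you replace with your tenant's values."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Each method has its own configuration object under the tenant-wide policy.
POLICY_PATH = "/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/"


def group_targets(group_ids):
    """includeTargets entries scoping a method to Azure AD groups (not 'all users')."""
    return [{"targetType": "group", "id": gid} for gid in group_ids]


def fido2_policy(group_ids, enforce_attestation=True, allowed_aaguids=None):
    """PATCH body for the Fido2 method configuration.

    Attestation enforcement makes Azure AD verify the key vendor's attestation
    statement at registration; an AAGUID allow-list additionally restricts
    registration to approved key models, which is how an admin keeps unmanaged
    or unvetted keys out of the tenant."""
    body = {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationAllowed": True,   # users register in My Security Info
        "isAttestationEnforced": enforce_attestation,
        "includeTargets": group_targets(group_ids),
    }
    if allowed_aaguids:
        body["keyRestrictions"] = {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids),
        }
    return body


def authenticator_policy(group_ids, mode="deviceBasedPush"):
    """PATCH body for the MicrosoftAuthenticator method configuration.

    authenticationMode selects what the targeted users may use the app for:
    'deviceBasedPush' = passwordless phone sign-in only,
    'push'            = MFA push notification only,
    'any'             = both."""
    if mode not in ("any", "push", "deviceBasedPush"):
        raise ValueError("unknown authenticationMode: %r" % mode)
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [dict(t, authenticationMode=mode) for t in group_targets(group_ids)],
    }


def policy_request(method_id, body, token):
    """Build the PATCH request for one method configuration ('Fido2' or
    'MicrosoftAuthenticator'). The caller's token needs the
    Policy.ReadWrite.AuthenticationMethod permission."""
    req = urllib.request.Request(
        GRAPH + POLICY_PATH + method_id,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    return req


def apply_policy(method_id, body, token):
    """Send the change; Graph answers 204 No Content on success."""
    with urllib.request.urlopen(policy_request(method_id, body, token)) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; nothing is sent unless a real token is supplied.
    it_admins = ["00000000-0000-0000-0000-000000000001"]   # placeholder group id
    approved_key = "00000000-0000-0000-0000-0000000000aa"  # placeholder AAGUID
    token = "<bearer-token-from-your-tenant>"              # placeholder

    fido2 = fido2_policy(it_admins, allowed_aaguids=[approved_key])
    authenticator = authenticator_policy(it_admins, mode="any")
    print(json.dumps({"Fido2": fido2, "MicrosoftAuthenticator": authenticator}, indent=2))
    if not token.startswith("<"):
        print(apply_policy("Fido2", fido2, token))
        print(apply_policy("MicrosoftAuthenticator", authenticator, token))
```

Running the script as-is only prints the two request bodies; supply a token obtained for the tenant to send them. Scoping `includeTargets` to a pilot group first, rather than all users, matches the rollout pattern the post describes, and the AAGUID allow-list is worth setting before any key is registered, since keys already registered are not removed when the restriction is tightened later.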

Use the following table to choose which method will support your requirements and users.

| Person           | Scenario                                             | Environment                    | Passwordless technology                                                          |
|------------------|------------------------------------------------------|--------------------------------|----------------------------------------------------------------------------------|
| Admin            | Secure access to a device for management tasks       | Assigned Windows 10 device     | Windows Hello for Business; FIDO2 security key; Microsoft Authenticator app      |
| Admin            | Management tasks on non-Windows devices              | Mobile or non-Windows device   | Microsoft Authenticator app                                                      |
| Employee         | Productivity work                                    | Assigned Windows 10 device     | Windows Hello for Business; FIDO2 security key; Microsoft Authenticator app      |
| Employee         | Productivity work                                    | Mobile or non-Windows device   | Microsoft Authenticator app                                                      |
| Frontline worker | Kiosks in a factory, plant, retail, or data entry    | Shared Windows 10 devices      | FIDO2 security keys; Microsoft Authenticator app                                 |
Mladen Georgiev
My name is Mladen Georgiev. My passion is new technology. I help companies in their efforts to transition to the Microsoft cloud. Security is one of my main focuses and I always strive to keep the balance between usability and protection. An always-connected way of working presents new challenges which demand a new, modern approach to keep up with security threats. With this blog I want to share useful tips for making the IT pro's life easier and guides that help overcome real-world challenges.
