Today I was busy hardening my Office 365 security and I came to the topic of password-less sign-in. I had heard about this at some recent events like Experts Live and Ignite, so it was time to configure it in my private Office 365 tenant.
What is Password-less sign-in
Password-less sign-in is a different way of logging in to Azure AD. You sign in with a number picker instead of an old-school password. As you all know, Microsoft thinks old-school passwords are not safe anymore, and logically this is true. A password is just a set of characters: if you take a common password like “Welcome123!@”, these are all just characters, and there is no difference in character between a capital W and a symbol like @. The only difficulty you can add is length, but if someone wants to crack it, then it is just a matter of time until it is cracked.
How does it work
How does password-less sign-in work? This new method allows you to completely replace your password with a number match in your Azure Authenticator app as the first factor, together with a biometric like Touch ID as the second factor to complete the sign-in. This two-way communication with the identity provider (IdP), in this case Azure AD, makes the phone itself a strong credential, and a password is no longer required because we have the number challenge.
I think this way of authentication, combined with Windows Hello for Business, is where safe authentication is heading.
Configuration
To start configuring password-less sign-in we should start up PowerShell. I used the cloud-based version of PowerShell from Azure AD.
When pressing this button in Azure AD a Cloud Shell will start (you need a storage account for this).
When the cloud shell is started it is time to configure the password-less sign-in.
Type or copy the following command. Don't worry: this only makes the option available alongside the other authentication methods.
# Requires a connected Azure AD PowerShell session (Connect-AzureAD)
New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn
When this is done you have configured password-less sign-in, and it is time to try it out. Make sure you test it first with some pilot users. The impact can be high, but you won't lock anyone out.
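Because the command above creates a new policy object every time it runs, a re-runnable version that checks for an existing policy first, confirms the result and keeps a rollback at hand is useful for a pilot. The following script is an added example, not part of the original post; it assumes the AzureADPreview module is installed and that Connect-AzureAD has already been run with sufficient privileges. The policy type, definition and display name are the ones used in the post.

```powershell
# Added example (not from the original post): create the
# AuthenticatorAppSignInPolicy only if it does not exist yet, so the script
# can be re-run safely, and verify the tenant state afterwards.
# Assumes the AzureADPreview module and an already connected session
# (Connect-AzureAD) with enough privileges to manage tenant policies.

$policyType  = 'AuthenticatorAppSignInPolicy'
$displayName = 'AuthenticatorAppSignIn'
$definition  = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

# Get-AzureADPolicy lists all tenant policies; keep only the type we care about.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq $policyType }

if ($existing) {
    Write-Host "Policy already present: $($existing.DisplayName) (Id $($existing.Id))"
    Write-Host "Current definition: $($existing.Definition)"
} else {
    $policy = New-AzureADPolicy -Type $policyType `
                                -Definition $definition `
                                -IsOrganizationDefault $true `
                                -DisplayName $displayName
    Write-Host "Created policy $($policy.DisplayName) with Id $($policy.Id)"
}

# Re-read the tenant and confirm there is exactly one organization-default
# policy of this type; more than one is a sign the command was run twice.
$check = Get-AzureADPolicy |
    Where-Object { $_.Type -eq $policyType -and $_.IsOrganizationDefault }

if (@($check).Count -ne 1) {
    Write-Warning "Expected one organization-default $policyType policy, found $(@($check).Count)"
} else {
    Write-Host "Verified: $policyType is the organization default (Id $($check.Id))"
}

# Rollback for the pilot (run manually once you are done testing; assumes
# a single policy of this type exists):
# Remove-AzureADPolicy -Id $check.Id
```

Running it twice prints the "already present" branch the second time instead of creating a duplicate, and the verification step is what tells you whether the tenant is in the state the pilot expects before you roll the option out to more users.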
Issues
There are still some issues because this functionality is still in preview. The current known issues concern:
- ADFS integrated with Azure AD
- Azure MFA
- Only one device registration is possible
For more info, check the Microsoft docs here. Also check out my other blogs.