I recently enabled password-less authentication for our Azure tenant. A number of our staff already used the Authenticator app for MFA sign-in so it made sense to make the move to password-less!
If you’re thinking of enabling it – I can confirm – it’s brilliant, but keep in mind it’s still in public preview.
However, I did hit a few snags along the way but got there in the end with some sterling help from the Microsoft Authenticator team – thanks guys! I thought I would blog about the issues I encountered along the way in case anyone else comes across them too. The documentation is going to be updated though, so keep an eye out for that.
I set-up password-less using the official Microsoft guide (this is the one I imagine will be updated) and ran the PowerShell cmdlet to configure the Azure AD policy.
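For reference, this is the policy step done from PowerShell, as an added example rather than something from the original post or from the Microsoft guide itself. It assumes the AzureAD module and a Global Administrator account; the policy definition JSON is the one the preview guide used at the time (check the current guide, since the post says the docs were being updated), and the display name is arbitrary.

```powershell
# Added example (not from the original post): enable the Authenticator
# passwordless sign-in policy for the tenant and verify it is the org default.
# Assumptions: AzureAD PowerShell module installed, Global Administrator rights,
# policy definition as in the public-preview guide, arbitrary display name.
Import-Module AzureAD
Connect-AzureAD

$definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

# Only one AuthenticatorAppSignInPolicy can be the tenant default, so look
# for an existing one before creating a second copy.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'AuthenticatorAppSignInPolicy' }

if (-not $existing) {
    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy `
        -Definition $definition `
        -IsOrganizationDefault $true `
        -DisplayName 'AuthenticatorAppSignIn'
}
else {
    # Policy already exists: make sure it is enabled and is the org default
    Set-AzureADPolicy -Id $existing.Id `
        -Definition $definition `
        -IsOrganizationDefault $true
}

# Verify what the tenant now has; IsOrganizationDefault should read True
Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'AuthenticatorAppSignInPolicy' } |
    Select-Object DisplayName, IsOrganizationDefault, Definition
```

The verification query at the end is worth keeping around: if someone later creates a second policy of the same type, the sign-in behaviour can silently follow the other one.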
At this point, to use password-less auth, your users need to register their iOS/Android devices with your Azure AD (if they haven’t already). For some of our staff, device registration failed and we got a ‘Something went wrong’ error in the app (see screenshot below). FYI this is the first of two errors, so skip this bit if device registration works fine for your users.
To troubleshoot the issue, I had a look at the Sign-in history in the User Details blade for the specific users in question. There were a number of failed sign-ins which were caused by us reaching the configured limit for the maximum number of devices that can be joined per user (screenshot of config setting below). Thankfully this one was an easy fix!
After fixing the above, device registration worked fine through the app.
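Rather than checking each user’s sign-in history by hand, you can find everyone who is at the device limit up front. The script below is an added example, not from the original post: it assumes the AzureAD module, and because these cmdlets do not expose the tenant’s ‘Maximum number of devices per user’ setting, `$Limit` is an assumed value you must set to whatever your tenant is configured for.

```powershell
# Added example (not from the original post): list users whose registered
# device count has reached the per-user device limit, which is what produced
# the 'Something went wrong' error during Authenticator registration here.
# Assumptions: AzureAD module installed; $Limit set by hand to the tenant's
# configured limit (Devices > Device settings), which the module does not expose.
Import-Module AzureAD
Connect-AzureAD

$Limit = 20   # assumption: replace with your tenant's configured limit

$report = foreach ($u in Get-AzureADUser -All $true) {
    # Each registered device takes one slot against the limit
    $devices = @(Get-AzureADUserRegisteredDevice -ObjectId $u.ObjectId -All $true)

    if ($devices.Count -ge $Limit) {
        # Stale devices are the usual culprit, so surface the least recently seen one
        $oldest = $devices |
            Sort-Object ApproximateLastLogonTimeStamp |
            Select-Object -First 1

        [pscustomobject]@{
            User          = $u.UserPrincipalName
            DeviceCount   = $devices.Count
            OldestDevice  = $oldest.DisplayName
            OldestLogon   = $oldest.ApproximateLastLogonTimeStamp
            OldestObjectId = $oldest.ObjectId
        }
    }
}

$report | Format-Table -AutoSize

# To free a slot, remove a stale device after checking it really is unused:
# Remove-AzureADDevice -ObjectId <OldestObjectId from the report>
```

Raising the tenant-wide limit is the quick fix the post describes; clearing out stale registrations is the one that keeps the number of devices able to approve sign-ins for a given user honest, which matters once a registered phone is what proves identity.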
After registering the device, the next step was to enable the additional notifications required for password-less MFA within the app. This can either be done straight away through the ‘Upgrade your account’ push notification or later via the menu for the particular account using the ‘Update phone sign-in’ option. Until this step is done, the user will not receive notifications in the app to approve sign-ins and will have to use the ‘Check for notifications’ option.
When enabling the additional notifications, we came across the next issue – another ‘something went wrong’ error 🙁
After trying out a bunch of things including disabling MFA completely and starting again, I got in touch with some of the Microsoft Authenticator team on Twitter – huge shout out to Libby (@TruBluDevil) and Ed Lu!
It turns out that two applications need to be ‘enabled’ in the ‘Enterprise applications’ blade within Azure AD (screenshot below shows the option you need to switch to ‘Yes’). These are –
- Azure Multi-Factor Auth Client
- Azure Multi-Factor Auth Connector
Once these two apps are enabled for user sign-in, enabling the notifications within the app should complete successfully and password-less MFA should be fully working (at least it was for us and I hope it works for all of you too!).
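The same fix from PowerShell, as an added example that is not from the original post or from the Authenticator team: it looks the two service principals up by the display names given above and switches ‘Enabled for users to sign-in?’ (the `AccountEnabled` property) to Yes. It assumes the AzureAD module and Global Administrator rights, and that both service principals already exist in the tenant.

```powershell
# Added example (not from the original post): enable the two MFA service
# principals for user sign-in, the setting that was blocking 'Update phone
# sign-in' in the Authenticator app here.
# Assumptions: AzureAD module installed, Global Administrator rights, and the
# service principals already present under Enterprise applications.
Import-Module AzureAD
Connect-AzureAD

$names = @(
    'Azure Multi-Factor Auth Client',
    'Azure Multi-Factor Auth Connector'
)

foreach ($name in $names) {
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"

    if (-not $sp) {
        Write-Warning "'$name' was not found in this tenant; it has to exist before it can be enabled"
        continue
    }

    # In the AzureAD module AccountEnabled comes back as a string ("True"/"False"),
    # so compare case-insensitively as text rather than as a boolean.
    if ("$($sp.AccountEnabled)" -ieq 'true') {
        Write-Host "'$name' is already enabled for user sign-in"
        continue
    }

    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AccountEnabled $true
    Write-Host "Enabled '$name' for user sign-in"
}

# Verify: both should now show AccountEnabled = True
Get-AzureADServicePrincipal -All $true |
    Where-Object { $names -contains $_.DisplayName } |
    Select-Object DisplayName, AppId, AccountEnabled
```

Running the verification query before and after is a cheap way to confirm the app-side ‘Something went wrong’ error really was this setting and not something else in the tenant.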
Again a huge thanks to the Authenticator team for helping me resolve this!
I for one am really enjoying not having to enter my O365 password anymore!