Enable Office 365/Azure Password-less Sign In

Users can now authenticate to Azure AD without a password via the Microsoft Authenticator App. The technology has been available for personal Microsoft accounts for around a year and has finally made its way to the corporate world.

Before users can start using the feature, however, an Azure AD change is required to enable the functionality. Currently this must be configured via PowerShell.

As the solution is currently in Preview, the AzureADPreview module is needed. This can be a bit fiddly, so it's best to uninstall both the AzureAD module and the AzureADPreview module (if already installed) first:

1. Uninstall-Module -Name AzureAD
2. Uninstall-Module -Name AzureADPreview

Then install the AzureADPreview module (Install-Module -Name AzureADPreview).

Next run the following commands:
1. Connect-AzureAD (The account must either be a Security Administrator or Global Administrator)
2. New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

The feature can be deactivated at any time by running:
1. Connect-AzureAD (The account must either be a Security Administrator or Global Administrator)
2. Get-AzureADPolicy
3. Remove-AzureADPolicy -Id *ID* (where *ID* is the Id of the AuthenticatorAppSignInPolicy entry returned in step 2)
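The enable and disable procedures above, combined into one script as an added example (this is not code from the original post). It assumes the AzureADPreview module is installed and that the signed-in account holds the Security Administrator or Global Administrator role; the function names Get-AuthenticatorSignInPolicy, Enable-AuthenticatorSignIn and Disable-AuthenticatorSignIn are my own. Unlike the bare commands, it checks for an existing policy before creating one, reads the policy back to confirm the definition really says Enabled is true and that it is the organization default, and removes the policy by looking it up by type so the Id never has to be copied by hand.

```powershell
# Added example (not from the original post): idempotent enable / verify / disable
# for the Azure AD Authenticator app sign-in policy described in the post.
# Assumes the AzureADPreview module is installed and the signed-in account is a
# Security Administrator or Global Administrator.

$PolicyType = 'AuthenticatorAppSignInPolicy'

function Get-AuthenticatorSignInPolicy {
    # Returns the tenant's Authenticator sign-in policy object, or $null if none exists.
    Get-AzureADPolicy | Where-Object { $_.Type -eq $PolicyType } | Select-Object -First 1
}

function Enable-AuthenticatorSignIn {
    # Creates the policy only if it is not already present, then reads it back
    # and confirms the stored definition actually enables phone sign-in tenant-wide.
    $existing = Get-AuthenticatorSignInPolicy
    if ($null -eq $existing) {
        $definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'
        $null = New-AzureADPolicy -Type $PolicyType -Definition $definition `
            -IsOrganizationDefault $true -DisplayName 'AuthenticatorAppSignIn'
    } else {
        Write-Host "Policy already exists with Id $($existing.Id); not recreating."
    }

    $policy = Get-AuthenticatorSignInPolicy
    # Definition comes back as a list of JSON strings; parse the first entry.
    $parsed  = ($policy.Definition | Select-Object -First 1) | ConvertFrom-Json
    $enabled = $parsed.AuthenticatorAppSignInPolicy.Enabled
    if ($enabled -ne $true -or -not $policy.IsOrganizationDefault) {
        throw "Policy $($policy.Id) exists but is not enabled tenant-wide (Enabled=$enabled, OrgDefault=$($policy.IsOrganizationDefault))"
    }
    Write-Host "Phone sign-in policy $($policy.Id) is enabled as the organization default."
    return $policy
}

function Disable-AuthenticatorSignIn {
    # Rolls the change back; finds the policy by type instead of a hand-copied Id.
    $policy = Get-AuthenticatorSignInPolicy
    if ($null -eq $policy) {
        Write-Host 'No Authenticator app sign-in policy found; nothing to remove.'
        return
    }
    Remove-AzureADPolicy -Id $policy.Id
    Write-Host "Removed policy $($policy.Id)."
}

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null
Enable-AuthenticatorSignIn
# Disable-AuthenticatorSignIn   # run this line instead to deactivate the feature
```

Running Enable-AuthenticatorSignIn twice is safe: the second run reports the existing policy instead of creating a duplicate, and the read-back check will throw if someone has edited the policy definition so that it no longer enables phone sign-in.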

Now users will be able to choose the “Enable phone sign-in” option from the authenticator app and start authenticating without a password.
