Understanding Windows 10 and Microsoft 365 Passwordless Sign-In – Petri.com
Passwords are a pain, and they are also a security risk. Microsoft has spent recent years trying to persuade IT professionals and consumers alike to do away with them. Phishing, credential-stealing malware and other social engineering techniques make passwords easy to steal, and around 80 percent of successful attacks involve a compromised password.
Users make passwords weaker still by choosing ones that are easy to guess or that fall to dictionary attacks, and by reusing the same password across multiple devices and services, which widens the damage if one password is compromised. Multifactor authentication (MFA) limits what an attacker can do with a stolen password, but its adoption rate remains low.
Microsoft's answer to these problems is passwordless authentication. With passwordless sign-in, the password is replaced by something you have, such as a security key or a registered device, plus either something you are (a biometric gesture like a fingerprint or face scan) or something you know (a PIN). The second factor unlocks a private key held on the device; neither the PIN nor the biometric is ever sent to the service.
Microsoft's documentation on passwordless sign-in refers mainly to Azure Active Directory (Azure AD), the identity platform behind Microsoft 365, Office 365 and, of course, Azure. To add to the complexity, Azure AD and Windows 10 support three different passwordless technologies: Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys.
Windows Hello is designed for users who have a designated Windows 10 device: the PC itself is the 'something you have'. Windows Hello for Business is the Azure AD-backed version for work or school accounts. It can be used to sign in to Windows 10 and it also provides single sign-on (SSO) to services like Microsoft 365.
On devices without a built-in biometric sensor, such as a fingerprint reader or an infrared camera, a PIN is used instead. A PIN might not seem to offer any advantage over a password, but unlike a password it is bound to the device where it was registered: it unlocks a private key stored in the PC's TPM (or in software on devices without one) and is never sent over the network, so a PIN captured by phishing is useless without the PC.
If you log in to Windows 10 with a Microsoft account and have Windows Hello set up, you can also sign in to Microsoft services such as Outlook.com in a supported browser using Windows Hello. You will be prompted for your PIN or a biometric gesture to complete the sign-in.
To use Windows Hello for Business with Microsoft 365, you first sign in to Windows 10 using Windows Hello with your work or school account. To do that from the lock screen, the device must be Azure AD joined. Once you are logged in, single sign-on works with Microsoft 365, so there is no need to enter a password or to confirm your identity again with a PIN or biometric gesture.
For more information on joining Windows 10 to Azure AD, see Join Windows 10 to Azure Active Directory During OOBE on Petri. It is also possible to join (or 'connect', in Microsoft's terminology) a Windows 10 device to Azure AD from the Settings app.
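Before rolling Windows Hello for Business out, it is worth checking that a device really is Azure AD joined and that a Hello key has been provisioned for the user, since SSO to Microsoft 365 depends on both. The following is an added example (not code from the original article): it parses the output of `dsregcmd /status`, the built-in tool that reports device join and Windows Hello state, and summarises the fields that matter. The sample output embedded in the script is constructed for offline use; the field names (`AzureAdJoined`, `DomainJoined`, `NgcSet`, `KeySignTest`, `TpmProtected`) are the ones dsregcmd prints.

```powershell
# Added example (not from the original article): parse "dsregcmd /status" output
# to confirm that a Windows 10 device is Azure AD joined and that a Windows Hello
# for Business key (NGC key) has been provisioned for the signed-in user.
# The sample output at the bottom is constructed; on a real device run
# dsregcmd /status and feed its lines to ConvertFrom-DsregcmdStatus.

function ConvertFrom-DsregcmdStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$Lines
    )
    # Every data line has the form "<Name> : <Value>"; section banners made of
    # "+---" and "| ... |" and blank lines contain no colon and are ignored.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9\-_ ]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-PasswordlessReadiness {
    param(
        [Parameter(Mandatory)]
        [hashtable]$Status
    )
    $joined      = $Status['AzureAdJoined'] -eq 'YES'
    # Hybrid joined = joined to on-premises AD and registered with Azure AD
    $hybrid      = $joined -and $Status['DomainJoined'] -eq 'YES'
    $tpm         = $Status['TpmProtected'] -eq 'YES'
    $ngcSet      = $Status['NgcSet'] -eq 'YES'
    $keySignTest = $Status['KeySignTest'] -eq 'PASSED'

    [pscustomobject]@{
        AzureAdJoined        = $joined
        HybridJoined         = $hybrid
        TpmProtectedKey      = $tpm
        HelloKeyProvisioned  = $ngcSet
        KeySignTestPassed    = $keySignTest
        # Hello SSO to Microsoft 365 needs a joined device and a working key
        ReadyForPasswordless = $joined -and $ngcSet -and $keySignTest
    }
}

# Constructed sample of dsregcmd /status output for an Azure AD joined PC.
# Replace with the real thing:  $lines = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}
               KeySignTest : PASSED
              TpmProtected : YES
'@ -split "`r?`n"

$result = Test-PasswordlessReadiness -Status (ConvertFrom-DsregcmdStatus -Lines $sample)
$result | Format-List
```

Run it in an elevated or standard PowerShell session on the device; `dsregcmd /status` reports the user-state section for the currently logged-in user, so `NgcSet : NO` on a joined device means the user has not completed Windows Hello for Business enrolment yet, and a failed `KeySignTest` points at a TPM or key-provisioning problem rather than a join problem.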
Users with accounts registered for MFA will be familiar with the Microsoft Authenticator app or similar solutions like Google Authenticator. The Microsoft Authenticator app can also be used for passwordless authentication in Microsoft 365.
Unlike Windows Hello, the Microsoft Authenticator app is a good fit for passwordless sign-in where users share PCs, because the credential lives on the user's phone rather than on the PC. The app runs on iOS 8.0 or later and Android 6.0 or later. Passwordless sign-in with the Authenticator app is not enabled in Azure AD by default.
Once passwordless sign-in with the Authenticator app is set up, a user who enters their username to log in to Microsoft 365 is shown a number on screen that they must match by tapping it in the Authenticator app on their mobile device. To complete the sign-in, the user taps Approve and provides a PIN or biometric gesture on the phone. Matching the number ties the approval to this particular sign-in attempt, which makes it much harder for an attacker to get a push prompt approved by a distracted user.
Before evaluating the Microsoft Authenticator app as a passwordless sign-in solution, your Azure AD tenant must have Azure MFA with push notifications enabled as a verification method. Azure AD MFA requires a premium Azure AD subscription.
If users who share PCs do not want to or cannot use their phones with the Microsoft Authenticator app, security keys are a hardware alternative. Security keys usually take the form of small USB devices. They provide stronger security than software passwordless solutions like the Microsoft Authenticator app because the private key never leaves the hardware and the FIDO2 credential is bound to the site it was registered with, which makes it resistant to phishing. Keys from manufacturers such as Yubico and Feitian are FIDO2 compatible and work with Azure AD, so they allow passwordless sign-in to Microsoft 365.
Some security keys also support NFC so that they can be used with mobile devices, and a few can be used with Windows Hello. Using a security key with Windows Hello, however, usually requires extra software to be installed on the Windows 10 device.
To sign in to a service like Microsoft 365 using a security key, the key is plugged into a USB port on the Windows 10 device or, if the key supports NFC, held against an NFC reader. The key usually has a touch sensor that the user must tap to prove presence and complete the passwordless sign-in; some keys replace the sensor with a fingerprint reader so that the touch also verifies who is holding the key.
Before a FIDO2 security key can be used to sign in to Microsoft 365, FIDO2 security key sign-in must be enabled in the Azure AD authentication methods policy. Microsoft-compatible FIDO2 security keys are supported for passwordless login in the Windows 10 May 2019 Update (version 1903) and later, and a supported browser such as Microsoft Edge is required. Users can register compatible security keys themselves, without any help from IT.
The Windows 10 May 2020 Update (version 2004) adds support for signing in with FIDO2 security keys on devices that are hybrid joined to Azure AD. Hybrid-joined devices are joined to a Windows Server Active Directory (AD) domain and registered, not joined, with Azure AD. Using security keys with AD requires some changes on the AD side: an Azure AD Kerberos server object is created in the on-premises domain so that Azure AD can issue Kerberos tickets that let a key-authenticated user reach on-premises resources.
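Both the Authenticator app passwordless prerequisite described earlier and the FIDO2 enablement described here are settings in the tenant's authentication methods policy, which can be managed through Microsoft Graph. The following is an added example (not code from the original article or from Microsoft): it uses the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest` to turn on the Microsoft Authenticator app (including passwordless phone sign-in) and FIDO2 security keys for a pilot group, and restricts FIDO2 registration to an allow-list of key models identified by AAGUID. It assumes the Microsoft.Graph module is installed and that the caller can consent to `Policy.ReadWrite.AuthenticationMethod`; the pilot group id and the AAGUID are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): enable the Microsoft
# Authenticator app and FIDO2 security keys in the Azure AD authentication
# methods policy for a pilot group, via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; an account that can grant
# Policy.ReadWrite.AuthenticationMethod; placeholder ids below replaced.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$base = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the pilot group

function Get-AuthMethodState {
    # Returns 'enabled' or 'disabled' for a method configuration
    # (ids used by Graph: MicrosoftAuthenticator, Fido2, ...).
    param([Parameter(Mandatory)][string]$MethodId)
    $cfg = Invoke-MgGraphRequest -Method GET -Uri "$base/$MethodId"
    return $cfg.state
}

function Enable-AuthenticatorPasswordless {
    # authenticationMode 'any' allows both push-based MFA and passwordless
    # phone sign-in for the targeted group; 'push' would allow MFA only.
    param([Parameter(Mandatory)][string]$GroupId)
    $body = @{
        '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        state          = 'enabled'
        includeTargets = @(
            @{ targetType = 'group'; id = $GroupId; authenticationMode = 'any' }
        )
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/MicrosoftAuthenticator" -Body $body
}

function Enable-Fido2Keys {
    # Allows self-service registration (users enrol their own keys), enforces
    # attestation so only keys that prove their make and model are accepted,
    # and limits registration to the AAGUIDs on the allow-list.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string[]]$AllowedAaguids
    )
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationAllowed = $true
        isAttestationEnforced            = $true
        keyRestrictions = @{
            isEnforced      = $true
            enforcementType = 'allow'
            aaGuids         = $AllowedAaguids
        }
        includeTargets = @(
            @{ targetType = 'group'; id = $GroupId }
        )
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/Fido2" -Body $body
}

Enable-AuthenticatorPasswordless -GroupId $pilotGroupId
# Placeholder AAGUID: take the real values from your key vendor's metadata.
Enable-Fido2Keys -GroupId $pilotGroupId -AllowedAaguids @('00000000-0000-0000-0000-000000000000')

# Confirm the result
'MicrosoftAuthenticator', 'Fido2' | ForEach-Object {
    '{0}: {1}' -f $_, (Get-AuthMethodState -MethodId $_)
}
```

Targeting a pilot group rather than all users is the sensible order of operations: once the methods are enabled, users in the group can register a key or the Authenticator app from the My Security Info page, and you can widen the target to all users after the pilot. The AAGUID allow-list is what stops users from registering an arbitrary consumer authenticator when attestation is enforced.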
In the rest of this series, I will look at each of the three passwordless sign-in options in more detail, starting with Windows Hello.
Last Update: Nov 09, 2022
Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years’ experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early…