Number matching and passwordless phone sign-in. I was used to it for a couple of months already because this feature was previously launched for personal Microsoft accounts like Outlook or Hotmail. It’s now available (preview) in Azure AD to use with your work or school account.
When this feature is enabled, users are asked to match the number in the sign-in screen with the number in the Authenticator app. After that, the user needs to authenticate through PIN or biometric like fingerprint or face-ID to complete the authentication flow.
Your tenant must be enabled for MFA with push notifications through the Microsoft Authenticator app in order to use this method. Also, make sure the combined registration portal is enabled.
To enable the passwordless feature with number matching, access the MFA additional settings portal (the very ugly one) and check if the Authenticator app push notification is checked.
To use this passwordless feature, your phone needs to be Azure AD registered (not MDM). If the user is eligible for passwordless sign-in, the feature can be enabled in the Authenticator app.
Make sure that the user has configured the default sign-in method to Microsoft Authenticator – notification. This can be done via https://aka.ms/mfasetup
Enable passwordless sign-in
To enable the authentication method for passwordless phone sign-in, complete the following steps:
- Sign in to the Azure portal with a global administrator account.
- Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
- Under Microsoft Authenticator (preview), choose the following options:
- Enable – Yes or No
- Target – All users or Select users
- Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes (“Any” mode). To change this, for each row:
- Browse to … > Configure.
- For Authentication mode – Any, Passwordless, or Push
- To apply the new policy, select Save.
Experience – first time
The first time a user starts the phone sign-in process, the user performs the following steps:
1. Enters the username on the sign-in page.
2. Selects Next.
3. If necessary, select “Other ways to sign in“, or “use an app instead“
4. Selects Approve a request on my Microsoft Authenticator app.
5. The user is then presented with a number. The app prompts the user to authenticate by selecting the appropriate number, instead of by entering a password.
Experience after the first time
When the user has signed-in using the new passwordless method, the next time this method is used automatically. The user can then switch to a password if needed. Check out this short video to see what the experience is like:
Get started with this new feature today! You can enable this for just a couple of users, or for your entire organization. Your users will love it! The full documentation can be found here:
Passwordless sign-in with the Microsoft Authenticator app – Azure Active Directory | Microsoft Docs
Pingback: [m365weekly] #24 - M365 Weekly Newsletter
Thank you for sharing indeed great looking !
When users change sign-in method to username and password, this is remembered. Meaning it will stay that way until the user changes back to Number Matching MFA. How can we enforce that Number Matching will always be the choice for the user?
Good question. Take a look at Authentication Strengths, now in preview. https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths
Here you can enforce a specific method, for example, passwordless phone sign-in.