    Onboarding a passwordless Azure AD user

By Peter Klapwijk, April 1, 2023 (updated April 1, 2023)

    Onboarding a passwordless Office 365 user, is that possible? That was the question I recently asked myself.

    I’ve been using my Azure AD account without a password I guess for about a year now. I changed my password to something hard to remember and since then signed in to my Office 365 account without my password. For this to work, I registered some FIDO2 security keys and registered my account in the Microsoft Authenticator app (and turned on phone sign-in).

    The combination of the use of security keys and the Authenticator app with phone sign-in allows me to sign in to Office on any platform I use. On Windows, I mostly use my security key and when authentication is needed in a mobile app I use the Authenticator app.

    But I registered these passwordless authentication methods when I still used my password for sign-in, on my existing user account. I wondered if it is now really possible to create a new (Azure AD) user and have the user onboarded without providing the user’s password. I wondered how the experience is on different OS platforms and what the best experience is for the end user.

    So I setup a new user in my tenant and started testing multiple scenarios.

    Passwordless authentication methods

    For Azure AD (Office 365) accounts we currently have passwordless authentication methods like FIDO2 security keys and passwordless phone sign-in.

FIDO2 security keys are hardware keys that come in different form factors, from different vendors. They need to be connected to the device on which you authenticate, via USB, NFC or Bluetooth. FIDO2 uses a public/private key pair for authentication.
    In the top menu of this site under Security, you can find FIDO2-related blog posts which I wrote in the past.

    Passwordless phone sign-in uses the Microsoft Authenticator app on a mobile phone. The app can be downloaded for free from the Google Play Store or the Apple app store.
    Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric.

    But we need to authenticate at least once before we are able as an end user to register these passwordless authentication methods. That’s where Temporary Access Pass (TAP) comes in.
    A Temporary Access Pass is a time-limited passcode that can be configured for multi or single use to allow users to onboard other authentication methods including passwordless methods such as Microsoft Authenticator, FIDO2 or Windows Hello for Business.

    My test environment

To test this all out I used one of my lab environments, which is a cloud-only environment. The environment (and test user) is licensed with a Microsoft Enterprise Mobility + Security (EMS) E5 license, but for the basic security setup you should be fine with an Azure AD Premium P1 license. If you want to only allow compliant devices to access your data, you also need an Intune license to manage your devices. An EMS E3 license might then be the license to purchase for you.

I used a Windows 10 22H2 laptop, an Android 12 device, and a MacBook with macOS Monterey.

The first thing I did was turn off the option for Self Service Password Reset in Azure AD for this user. I switched SSPR from All users to an AAD group of which the test user is not a member.
I think it would be strange to allow a passwordless user to get their hands on a password…

The next thing I checked was whether the Authentication method policies were turned on for FIDO2 security keys, Microsoft Authenticator and Temporary Access Pass: the three authentication methods that support passwordless sign-in.

    I wanted to set up a Conditional Access policy for the user action Register security information with the new Authentication strengths (which is in preview), to make sure only passwordless methods are used for registration and less secure MFA methods would be blocked. But I immediately got stuck during my first enrollment tests. I soon realized this authentication strength includes FIDO2, phone sign-in (and Windows Hello for Business), but it doesn’t include Temporary Access Pass.

Therefore I first created a custom authentication strength profile with the same methods as the built-in Passwordless MFA profile, but with TAP as an additional authentication option.

    Next, I set up a Conditional Access policy to require passwordless MFA for user action Register security information.

I set the grant control to Require authentication strength and selected the custom profile.

Besides that, I created a CA policy for the user action Register security information to block access from untrusted countries. For this, I created a new countries named location with the countries from which it is allowed to register security information.
Another approach would be to create a list of allowed IP addresses (from your offices), to only allow registration when the user's device is connected to the office network.

    I selected the User action Register security information again.
Under Conditions, Locations I switched Configure to Yes. On the Include tab I selected Any location and on the Exclude tab I selected the Allowed countries list.

    And on the Grant tab, I selected Block Access.

    I created equal CA policies for the user action device join or registration, but could also have combined these.

The users are only allowed to access Office 365 applications using compliant devices, therefore I created separate CA policies for that.

    To sum up, my users are only allowed to access data using compliant devices. They are only allowed to register security information and do a device join or registration using passwordless MFA (including Temporary Access Pass). And this can only be done from countries that I added to the Trusted countries list, like The Netherlands.
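The registration guardrails summed up above, built with the Microsoft Graph PowerShell SDK as an added example (not the post's own code): the countries named location, the custom authentication strength and the two CA policies for the user actions, here combined for Register security information and device registration. The display names, the country list (NL only), the break-glass placeholder and the report-only state are assumptions; the strength combinations are assumed to match the built-in Passwordless MFA profile, plus both TAP modes.

```powershell
# Added example, not from the original post: the registration guardrails described above,
# created with the Microsoft Graph PowerShell SDK. Adjust names, countries and scoping to your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Policy.ReadWrite.AuthenticationMethod"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Named location listing the countries from which registration is allowed (assumption: NL only).
$location = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/namedLocations" -Body @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("NL")
    includeUnknownCountriesAndRegions = $false   # unresolvable countries are NOT treated as allowed
}

# 2. Custom authentication strength: the built-in Passwordless MFA combinations (assumed) plus both TAP modes.
#    Drop "temporaryAccessPassMultiUse" if one-time use TAP is a requirement in your environment.
$strength = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/authenticationStrength/policies" -Body @{
    displayName         = "Passwordless MFA + TAP"
    description         = "Passwordless MFA methods plus Temporary Access Pass for onboarding"
    allowedCombinations = @(
        "windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor", "deviceBasedPush",
        "temporaryAccessPassOneTime", "temporaryAccessPassMultiUse"
    )
}

# Both policies target the same user actions: register security info, and device join/registration.
$userActions = @("urn:user:registersecurityinfo", "urn:user:registerdevice")
# Scope to all users, but always exclude the break-glass account (placeholder object id).
$users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }

# 3. Require the custom authentication strength for these user actions.
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body @{
    displayName   = "Register security info/device - require passwordless MFA or TAP"
    state         = "enabledForReportingButNotEnforced"   # validate in report-only, then set to "enabled"
    conditions    = @{
        users        = $users
        applications = @{ includeUserActions = $userActions }
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.id } }
}

# 4. Block the same user actions from every location except the allowed countries.
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body @{
    displayName   = "Register security info/device - block outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = $users
        applications = @{ includeUserActions = $userActions }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Check the sign-in logs in report-only mode for the test user before switching both policies to enabled, so a mistake in the country list or the strength cannot lock everyone out of registration.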

    Let’s see if I’m able to onboard my passwordless user on Windows, macOS and Android (sorry Apple fanboys and girls, I don’t have an iPhone present but if you want to send me one I’m happy to share my address with you 🙂 ).

    Onboard the user on a Windows device with TAP (one-time use)

I’m first going to enroll my Windows device using a Temporary Access Pass that can be used only once.

I have a freshly installed Windows 10 22H2 device at the OOBE screen, ready to perform a Windows Autopilot enrollment.

A Temporary Access Pass has been created for the user, therefore when I hit Next I’m asked to provide the TAP.

    So far so good, the enrollment starts.

When the device is not rebooted during the enrollment, the user is signed in to the device. But then I hit the Windows Hello for Business setup, which requires device registration, and that fails.

    I can skip the setup for WHfB for now, so I’m logged on to the desktop.
    But to sign in the next time to my device, I actually should have set up Windows Hello. Or I can register a FIDO2 security key via My Security Info.

    Wrong! I’m asked for a password when I want to register a security key via that portal. I guess enrollment succeeded, but passwordless onboarding failed with a TAP that can only be used once.

    When the device did reboot during enrollment, the sign-in page is shown.
    If we configured the TAP to be used only one time, we would already have been stuck at the sign-in screen.

    Onboard the user on a Windows device with TAP (multi use)

    If we would have configured the TAP to be used multiple times, by default the user is still stuck on the sign-in screen when a reboot happens during enrollment. But we can enable web sign-in using Intune, which allows us to sign in to the Windows device using TAP.

    On the sign-in screen, we have an additional option for web sign-in.

    When we select this sign-in option a sort of browser screen is shown that allows us to sign in to the device with TAP.

And this also allows us to configure Windows Hello for Business, as we can use the TAP multiple times.

    As soon as we are signed in to the Windows devices, we can register our passwordless authentication methods via https://aka.ms/mysecurityinfo.

    We can add a FIDO2 security key or the Microsoft Authenticator app.

    Without using our TAP again, we can register a security key. But when we register the Authenticator app and enable phone sign-in, we need to provide our TAP again.

    We could (should) delete the TAP as soon as other passwordless authentication methods are registered.

    When it’s no problem to allow TAP to be used multiple times, onboarding is successful. And we can register other passwordless sign-in methods for later use.
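The TAP lifecycle behind the Temporary Access Pass introduction and the advice above to delete the TAP once other passwordless methods are registered, as an added example with the Microsoft Graph PowerShell SDK (not the post's own code): issue a one-time or multi-use TAP for a user, check the registration details report, and remove the TAP as soon as the user is passwordless capable. The UPN, lifetime and permission scopes are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the Microsoft Graph PowerShell SDK is
# installed and $upn is a test user in your own tenant.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All", "User.Read.All"
$graph  = "https://graph.microsoft.com/v1.0"
$upn    = "passwordless.user@contoso.example"      # assumed test user
$userId = (Get-MgUser -UserId $upn).Id

function New-OnboardingTap {
    param([string]$UserId, [bool]$OneTime = $true, [int]$LifetimeMinutes = 60)
    # isUsableOnce = $true is the one-time TAP from the Windows tests above; $false allows
    # multi-use until lifetimeInMinutes (bounded by the tenant's TAP policy) has passed.
    Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$UserId/authentication/temporaryAccessPassMethods" -Body @{
        isUsableOnce      = $OneTime
        lifetimeInMinutes = $LifetimeMinutes
    }
}

function Get-PasswordlessStatus {
    param([string]$UserId)
    # The registration details report shows whether the user can already sign in passwordless.
    # Note: this report can lag behind a registration, so re-check before concluding "not yet".
    $d = Invoke-MgGraphRequest -Method GET -Uri "$graph/reports/authenticationMethods/userRegistrationDetails/$UserId"
    [pscustomobject]@{
        IsPasswordlessCapable = $d.isPasswordlessCapable
        Methods               = $d.methodsRegistered
        HasTap                = $d.methodsRegistered -contains "temporaryAccessPass"
    }
}

function Remove-OnboardingTap {
    param([string]$UserId)
    # Delete every TAP still on the account; the post recommends doing this as soon as
    # a FIDO2 key or Authenticator phone sign-in has been registered. Returns the number removed.
    $taps = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserId/authentication/temporaryAccessPassMethods").value
    foreach ($tap in $taps) {
        Invoke-MgGraphRequest -Method DELETE -Uri "$graph/users/$UserId/authentication/temporaryAccessPassMethods/$($tap.id)"
    }
    return @($taps).Count
}

# Issue a one-time TAP valid for one hour and hand the value to the user out of band.
$tap = New-OnboardingTap -UserId $userId -OneTime $true -LifetimeMinutes 60
"TAP for $upn (valid from $($tap.startDateTime) for $($tap.lifetimeInMinutes) min): $($tap.temporaryAccessPass)"

# Later: once the user is passwordless capable, remove any remaining TAP.
$status = Get-PasswordlessStatus -UserId $userId
if ($status.IsPasswordlessCapable) {
    "$upn registered: $($status.Methods -join ', '); removing TAP(s)"
    Remove-OnboardingTap -UserId $userId | Out-Null
} else {
    "$upn has no passwordless method yet; keeping the TAP"
}
```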

    Onboarding with a macOS device

    Let’s also onboard a user by using a macOS device and Temporary Access Pass.
There is no enrollment process like Windows Autopilot here; instead we need to install the Company Portal and register the device with that application.

    We are asked for the Temporary Access Pass so we can sign in to the Company Portal.

    We can start the enrollment.

And we can make the device compliant. The enrollment of a macOS device can be done using a one-time use TAP.

When SSO for apps like Edge has been set up with Intune, we can sign in to Microsoft Edge without additional authentication. And we can sign in to the Microsoft 365 portal when the device is compliant (but I have also seen that I was asked for a password 🙁 ).

But we need to register a passwordless authentication method for the next time we are asked to authenticate. Thus the passwordless onboarding on a Mac is not yet successful.

    When we visit the Security Info page to register sign-in options, we are asked for multi-factor authentication. Without this, it is not possible to register any (passwordless) authentication methods in this setup.
If we used a one-time use TAP, we are stuck and onboarding fails. Ok, we can access Microsoft 365 at the moment, but we will be asked for authentication in the future.
    If we used TAP for multi-use, we can provide the TAP another time and we can register a security key or register the Authenticator app. Thus this succeeds.

    Onboarding via the Edge browser

Another option is using the Microsoft Edge browser on, for example, a Windows 10 device. As I require passwordless MFA (or TAP) and allow specific countries, we should be able to use any Windows device with Edge as long as we are in the allowed countries.

    For this test, I used an Edge browser in guest mode.
If this turns out to be a successful onboarding approach, we could for example provide kiosk-like devices at the IT department to onboard users, combined with only allowing security info registration from office IPs. Let’s test this approach.

    Visiting https://aka.ms/mysecurityinfo to register security info, we provide our user principal name.

    And we’re asked for a Temporary Access Pass.

    We’re signed in successfully and we can register a FIDO2 security key.

    When we follow the instructions, we could register a security key with a TAP that can only be used once.

    Let’s also add the Microsoft Authenticator app.
    For this, we need to scan the QR code.

The registration of the app finishes successfully, but scanning a QR code does not automatically enable phone sign-in on our mobile device. And we need to enable that for passwordless authentication, otherwise the app can only be used as a second authentication factor.

Enabling phone sign-in asks us for a password. Or we can use the TAP again if we enabled it for multiple uses.

Onboarding via the Edge browser is successful with a one-time use TAP when you only need to register a security key.
    If there is a need to also set up the Microsoft Authenticator app with phone sign-in, it is only successful when TAP multi-use is allowed.

    Onboarding with the Microsoft Authenticator app

    For the next test, I wiped an Android 12 device to have a clean test device. The Microsoft Authenticator app is installed from the Play store. I use the Temporary Access Pass to register my account in the app and enable phone sign-in.

Unfortunately, I can’t create screenshots of every screen when registering my account in the app, therefore I took some pictures.

    Open the freshly installed app, choose Add work or school account.

    Don’t choose scan QR code, but choose Sign in.

    Enter your email and choose Next.

    Enter the Temporary Access Pass and choose Sign in.

    Registration of the account will finish. We can use the Authenticator app for multi-factor authentication. But we want to use the app for passwordless authentication. For this, we need to enable phone sign-in.

    Click on the account and choose Setup phone sign-in.

    The device needs to be registered and Screen lock needs to be set (the screen lock is already set on my device).
    Choose Continue.

    Choose Register.

    After a short time, phone sign-in is enabled. Choose Finish.

    App lock is enabled by default.

We have enrolled the Microsoft Authenticator app passwordless and enabled phone sign-in with a one-time use TAP! So we now have a passwordless authentication method to enroll other devices, or to access Microsoft 365 services (when only passwordless sign-in is needed).

    Using one-time use TAP on Windows and macOS wasn’t a real success, but we can use one-time use TAP to register the Authenticator app for passwordless sign-in on a mobile device.

Two notes:

    I did this enrollment multiple times. Most of the time, the account was added and I needed to manually start the setup of phone sign-in. But I also saw the enablement of phone sign-in was started during the initial registration of the account in the Authenticator app (might be worth a note in the end user instructions).

When I only allowed the built-in Passwordless MFA strength (without TAP) in the CA policy for Register security information, I got blocked with an error message. So be aware of this and don’t spend time banging your head against the wall wondering why you see that message.

    Windows Autopilot enrollment with a security key

    Now that we have registered a FIDO2 security key, we can use this passwordless method to start the enrollment of our Windows device with Autopilot.
We could also start the enrollment with the phone sign-in option, but we would get stuck if a reboot happens during enrollment, or as soon as something like a Windows Hello failure happens. Therefore using a security key with Windows is in my opinion the best authentication option for the setup.

    We need to enter our username, or directly choose Sign in with a security key (which I choose).

    We’re asked to touch the security key.

    Because I registered the key on multiple accounts, a list of accounts is shown. We select the account with which we want to sign in.

    At this moment enrollment is started.
    No matter if the device is rebooted during enrollment, we can sign in to the device with the security key.

This does not mean we should always use the security key to sign in to the device; an easier sign-in method is Windows Hello for Business.

    Wrap-up and conclusion

    We can conclude passwordless onboarding using Temporary Access Pass can be done.

Which passwordless onboarding approach should be used depends on the end user’s needs, but also on the security requirements: whether one-time use TAP is a requirement or multi-use TAP is allowed.

When the user only uses Android, iOS and/or macOS, passwordless sign-in with the Authenticator app could be sufficient and can be set up successfully.

    When the user is using a Windows device, a FIDO2 security key is needed.

    I would recommend registering a security key and the Authenticator app with phone sign-in, not only when using Windows, but also to have a fallback.

Which options can we use for onboarding:

If one-time use TAP is a requirement and the user will use a Windows and a mobile (Android/iOS) device, the user should onboard by setting up the Authenticator app directly on the mobile device with the TAP, and after that register a FIDO2 security key for enrollment and first sign-in on Windows devices.

If one-time use TAP is a requirement and the user is only using a mobile device and/or macOS, the user should also onboard by setting up the Authenticator app directly, and this would be sufficient. But the user could also register a security key as a backup (and could use it on macOS).

    When TAP multi-use is allowed, the end user can onboard passwordless by using all the provided examples, as long as the TAP has not expired yet.

    But again, I would suggest registering two authentication methods.

    Thanks for reading and let me know what your thoughts are on the passwordless journey and what your experience is with passwordless onboarding.

    2 Comments

1. Remco de Kievit, May 5, 2023 22:48

Hi Peter, great article on how you enroll a passwordless account. Did you take a look at the msgraph commands to change the MFA preferred usage? If you don’t use conditional access you don’t have to have a P1 license when you only registered a security key. I shouldn’t enroll hfb, this is even harder for the user and doesn’t support roaming users. If a security is already enrolled for the user before the autopilot is started you never have to use the TAP more than 1 time. This means that the user must be enrolled online before they have access to their endpoint device.

2. Andrew, May 16, 2023 07:09

Great article
