Contents

Journey To Passwordless: Enable passwordless

Blog series

  1. Passwordless: But why?
  2. Enable passwordless
  3. Temporary Access Pass
  4. FIDO2 Security keys
  5. Windows 10 device onboarding and Windows Hello for Business
  6. PowerShell administration without a password
  7. Microsoft Authenticator app
  8. Restrict FIDO2 key usage & conclusion

Enable passwordless

Before things can get started and the first admin is able to work without a password, a few features have to be enabled in Entra ID (Azure AD). Optionally, browser sign-ins can additionally be secured with a Conditional Access policy.

Licenses

None of the features used for passwordless sign-in require additional licenses.

However, to round things off, I use Conditional Access policies, and these require Entra ID (Azure AD) Premium P1 licenses. P1 is included in many Microsoft 365 suite license packages, but can also be purchased separately.

Conditional Access Policy

Note
This configuration is optional and not mandatory to use a passwordless sign-in.

For users who hold a highly privileged role, a browser sign-in should never be stored persistently. This prevents a persistent sign-in cookie for an administrative account from remaining in the browser after the session ends and thus possibly falling into the wrong hands.
Passwordless sign-in remains convenient, so the extra hurdle for the administrator is very low.

I define the following Entra ID (Azure AD) roles as highly privileged roles in my example.

  • Global administrator
  • Privileged role administrator
  • Exchange administrator
  • SharePoint administrator

How it works

By default, the user can choose whether their sign-in should be kept in the form of a persistent browser cookie when signing in to the Azure portal, for example. The following prompt is displayed for this purpose.

/en/journey-passwordless-enable-passwordless/images/StaySignedIn.png

The new CA policy takes that decision out of the user’s hands and ensures the sign-in cookie is not kept beyond the end of the browser session.

Users who are not members of one of the chosen administrative roles are not affected by this policy.

In the following example, Bob can still perform a “persistent” sign-in, whereas Alice has to sign in with her account again each time.

/en/journey-passwordless-enable-passwordless/images/J2P-CAPolicy.png

Tip
With a separate policy the setting could be set to “Always persistent” for normal users on a managed device, so that the prompt is no longer shown to them.

Legacy MFA portal

The following setting in the legacy MFA portal must be disabled before the Conditional Access session control takes effect.

/en/journey-passwordless-enable-passwordless/images/LegacyMFASetting.png

Admin policy: Never persist browser sessions

In the Azure Portal, select “Conditional Access” under Security and create a new policy.

  1. Use the Entra ID (Azure AD) Portal -> Security -> Conditional Access to create a new policy with the name “Admin policy: Never persist browser sessions”
  2. Select Assignments -> “Users and groups”
    1. Include: “Directory roles” -> select all highly privileged roles
      /en/journey-passwordless-enable-passwordless/images/AzurePortalCAPolicyIncludeRoles.png
    2. Exclude: the break glass (emergency access) account
      /en/journey-passwordless-enable-passwordless/images/AzurePortalCAPolicyExcludeBreakGlass.png
  3. Select Assignments -> “Cloud apps or actions” -> “All cloud apps”
    /en/journey-passwordless-enable-passwordless/images/AzurePortalCAPolicyAllCloudApps.png
  4. Do not change “Conditions” and “Access controls”
  5. Select Session and change “Persistent browser session” to “Never persistent”
    /en/journey-passwordless-enable-passwordless/images/AzurePortalCAPolicySessionNeverPersist.png
  6. Finally, enable the policy and create it.
    /en/journey-passwordless-enable-passwordless/images/AzurePortalCAPolicyOn.png
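The same policy can be created and verified from PowerShell instead of clicking through the portal. The following script is an added example and not part of the original post; it uses the Microsoft Graph PowerShell SDK, resolves the four roles above by display name so no role template IDs are hard-coded, and assumes a break glass account with the placeholder UPN `breakglass@contoso.onmicrosoft.com` (replace it with your own). The state value is set to enabled as in step 6; switch it to report-only mode to pilot first.

```powershell
# Added example (not from the original post): create the
# "Admin policy: Never persist browser sessions" Conditional Access policy via Microsoft Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; break glass UPN below is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All", "User.Read.All"

# The highly privileged roles from the post, resolved to role template IDs by display name.
$privilegedRoleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "SharePoint Administrator"
)
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $privilegedRoleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template '$name' not found" }
    $t.Id
}

# Break glass account (placeholder UPN) is excluded so a misconfigured policy can never lock you out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

$policy = @{
    displayName = "Admin policy: Never persist browser sessions"
    state       = "enabled"   # "enabledForReportingButNotEnforced" = report-only mode for piloting
    conditions  = @{
        users = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    # No grant controls are set: this policy only adds a session control.
    sessionControls = @{
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and check that it does what the post describes.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.SessionControls.PersistentBrowser.Mode -ne "never") { throw "Persistent browser mode is not 'never'" }
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) { throw "Break glass account is not excluded" }
if ($check.Conditions.Applications.IncludeApplications -notcontains "All") { throw "Policy does not cover all cloud apps" }
"Policy '$($check.DisplayName)' created with state '$($check.State)'"
```

The read-back at the end is the check worth keeping in any automation: a policy that was created but silently lacks the break glass exclusion is exactly the mistake that turns a hardening change into a lockout.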

Enable combined security information registration

One setting is mandatory for the new authentication methods: the combined registration of security information must be enabled. Why enabling it is generally a very good idea and also really helps your users, I described in this blog post.

For those who already know the benefits or would like to make the adjustment easily, proceed as follows:

  1. On the Entra ID (Azure AD) portal select User settings
  2. Click on “Manage user feature preview settings”
    /en/journey-passwordless-enable-passwordless/images/userFeaturePreviews.png
  3. Enable “Users can use the combined security information registration experience” for all users and save the changes
    /en/journey-passwordless-enable-passwordless/images/CombinedSecurityInformation.png

Enable Authentication Methods

To enable passwordless sign-in at all, the following authentication methods must be enabled.

  • FIDO2 Security Key
  • Microsoft Authenticator
  • Temporary Access Pass (preview)

The method “Text message (preview)” is not discussed in this blog series, because I think that for administrative accounts sign-in via text message is not appropriate.

To enable these methods, you need to go to the Security section in the Entra ID (Azure AD) Portal.

Select Authentication methods and enable each of the mentioned methods.

/en/journey-passwordless-enable-passwordless/images/EnableMethode.png

If desired, each method can be restricted to specific user groups.

/en/journey-passwordless-enable-passwordless/images/TargetUsers.png

Note
“Allow self-service set up” must be enabled for the “FIDO2 Security Key” method. Registering a key as part of user creation is currently not possible.
Note
In the “Temporary Access Pass (preview)” method, be sure to disable the “Require one-time use” option. More on this in a later post in the series.

In the end, the overview should look like this:

/en/journey-passwordless-enable-passwordless/images/AuthenticationMethods.png
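The three methods, including the two settings from the notes above (FIDO2 self-service setup on, TAP one-time use off), can also be set through the Authentication methods policy in Microsoft Graph. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, targets all users (replace `all_users` with a group object ID to restrict a method as in the screenshot), and the Temporary Access Pass lifetime and length values are my own assumptions rather than values from the post.

```powershell
# Added example (not from the original post): enable FIDO2, Microsoft Authenticator and
# Temporary Access Pass in the Authentication methods policy via Microsoft Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; target "all_users"; TAP lifetimes are assumed values.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$allUsers = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })

$methods = @{
    # FIDO2 security keys: self-service registration must be on, otherwise users cannot add a key.
    Fido2 = @{
        "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        state                            = "enabled"
        isSelfServiceRegistrationEnabled = $true
        isAttestationEnforced            = $false   # key restrictions are a topic of a later part of the series
        includeTargets                   = $allUsers
    }
    # Microsoft Authenticator: "any" allows both push and passwordless phone sign-in.
    MicrosoftAuthenticator = @{
        "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        state          = "enabled"
        includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false; authenticationMode = "any" })
    }
    # Temporary Access Pass: "Require one-time use" disabled as the post requires.
    TemporaryAccessPass = @{
        "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        state                    = "enabled"
        isUsableOnce             = $false
        defaultLifetimeInMinutes = 60     # assumed values, adjust to your onboarding process
        minimumLifetimeInMinutes = 60
        maximumLifetimeInMinutes = 480
        defaultLength            = 8
        includeTargets           = $allUsers
    }
}

foreach ($id in $methods.Keys) {
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id -BodyParameter $methods[$id]
}

# Overview, as in the screenshot: the three methods above should show "enabled".
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -All |
    Select-Object Id, State | Format-Table

# Spot-check the two settings the notes call out. Type-specific properties of the
# derived configuration types are exposed by the SDK in AdditionalProperties.
$fido = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2"
$tap  = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if (-not $fido.AdditionalProperties["isSelfServiceRegistrationEnabled"]) { throw "FIDO2 self-service setup is off" }
if ($tap.AdditionalProperties["isUsableOnce"]) { throw "TAP still requires one-time use" }
"FIDO2 self-service setup and reusable TAP confirmed"
```

The two `throw` lines at the end encode the notes above as a check you can rerun later: if someone flips “Require one-time use” back on, the onboarding flow in the following posts breaks, and this script tells you why before the first admin does.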

Next steps

Now all the prerequisites are in place in the tenant for a passwordless sign-in. In the next post we take a look at the first sign-in without a password.

Info
The next blog entry is expected to appear on 17.05.2021.