Wouldn’t it be nice to increase security, reduce password reset calls to the help desk, reduce successful phishing attacks, and move to a password policy that requires a password change once a year? This is exactly what Microsoft IT has done. How is that even possible?
One of the major talking points at Microsoft Ignite in Orlando last week was the deprecation of passwords through technologies like Windows Hello and Microsoft Authenticator integration with Azure AD. The idea is that most people have a device with either face recognition, fingerprint scanning or a PIN code. The biometrics only work for that person and are stored in a Secure Enclave within the device. Even a PIN is only generally known by that person. Microsoft’s vision for the future is to leverage these built-in technologies to eliminate passwords, while greatly increasing the security of an environment.
How can you leverage this technology today? It’s pretty straightforward if you’re using Azure AD without ADFS. Customers with ADFS in place will still have to use passwords (for now). The app can also only be used with one tenant, because of the device registration restriction: the device the end user authenticates with must be registered to that user in Azure AD.
The basic steps to deploy this technology for Azure AD are:
1. Enable authenticator app sign-in within your Azure AD tenant
2. Make sure the end user device is enrolled with Azure AD
3. Make sure end users are enrolled for MFA
4. Make sure end users have the latest version of the authenticator app installed
5. Instruct end users to sign into the authenticator app with their work or school account
6. Complete the phone sign-in registration process
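The steps above are done in the portal and on the users' phones, but a pilot needs a way to verify where the tenant actually stands. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads the tenant's Microsoft Authenticator method policy (step 1) and the per-user registration report (steps 3 to 6) through the Microsoft Graph v1.0 REST API and lists who is still password-only. It assumes you already hold a Graph access token in `$Token` with the `Policy.Read.All`, `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All` permissions (obtained out of band, for example from an app registration), and that the endpoint and property names match the Graph v1.0 reference; it only reads, it changes nothing.

```powershell
# Added example (not from the original post). Read-only check of the
# passwordless rollout state behind the deployment steps above.
# Assumption: $Token is a Graph access token with Policy.Read.All,
# AuditLog.Read.All and UserAuthenticationMethod.Read.All.
param(
    [Parameter(Mandatory)] [string] $Token
)

$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $Token" }

# Step 1: is Microsoft Authenticator enabled as a method, and do the targeted
# groups allow passwordless phone sign-in? authenticationMode 'any' or
# 'deviceBasedPush' permits phone sign-in; 'push' is approval-only (password stays).
$policyUri = "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"
$policy    = Invoke-RestMethod -Method Get -Headers $headers -Uri $policyUri

Write-Host "Microsoft Authenticator method state: $($policy.state)"
foreach ($t in $policy.includeTargets) {
    $phoneSignIn = $t.authenticationMode -in @('any', 'deviceBasedPush')
    Write-Host ("  target {0} ({1}): mode={2}, phone sign-in allowed={3}" -f `
        $t.id, $t.targetType, $t.authenticationMode, $phoneSignIn)
}

# Steps 3-6: pull the registration report for every user, following
# @odata.nextLink until the last page.
$uri  = "$graph/reports/authenticationMethods/userRegistrationDetails"
$rows = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Headers $headers -Uri $uri
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
}

# 'microsoftAuthenticatorPasswordless' in methodsRegistered means the user has
# completed the phone sign-in registration (step 6), not merely enrolled for MFA.
$summary = foreach ($u in $rows) {
    [pscustomobject]@{
        User          = $u.userPrincipalName
        MfaRegistered = [bool]$u.isMfaRegistered
        PhoneSignIn   = ('microsoftAuthenticatorPasswordless' -in $u.methodsRegistered)
        IsAdmin       = [bool]$u.isAdmin
    }
}

$summary | Sort-Object PhoneSignIn, MfaRegistered | Format-Table -AutoSize

# Pilot gate: users without any MFA registration cannot move to phone sign-in
# and are still entirely password-dependent; admins without phone sign-in are
# the first accounts worth finishing.
Write-Host "`nNot MFA registered (still password-only):"
$summary | Where-Object { -not $_.MfaRegistered } | Select-Object -ExpandProperty User
Write-Host "`nAdmins not yet on phone sign-in:"
$summary | Where-Object { $_.IsAdmin -and -not $_.PhoneSignIn } | Select-Object -ExpandProperty User
```

Run it before and after the pilot and diff the two outputs: the policy section tells you whether step 1 took effect for the pilot group, and the shrinking "not MFA registered" list is the honest measure of progress through steps 3 to 6. Step 2 (device registration) is not covered here; each user's registered devices can be checked separately under that user's `registeredDevices` relationship in Graph.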
As with anything, there are some caveats to this, so a proper pilot is in order before rolling it out.
More information can be found here:
#microsoft #passwordlessfuture #azure #activedirectory #xcentricit