Passwords are one of the weakest links in cybersecurity. With phishing attacks and credential leaks on the rise, Microsoft 365 now supports passwordless authentication through Entra ID (formerly Azure Active Directory). This guide walks you through how to enable passwordless sign-in using Microsoft Authenticator.

Why Passwordless?

Passwordless authentication improves security, simplifies user access, and reduces IT support tickets. It also aligns with zero-trust security frameworks, helping your organization stay ahead of compliance requirements. Plus it's incredibly satisfying to use (or maybe that's just me).

What You'll Need

  • Microsoft 365 with Entra ID access
  • Admin permissions in your Microsoft tenant
  • Multi-Factor Authentication (MFA) enabled
  • Microsoft Authenticator app installed on users' devices

Step 1: Enable Passwordless Sign-In in Entra ID

  1. Sign in at https://entra.microsoft.com
  2. Navigate to: Protection > Authentication methods
  3. Select Authentication methods policy
  4. Choose Microsoft Authenticator
  5. Enable it for either All users or a pilot group
  6. Click Save

Step 2: User Setup with Microsoft Authenticator

Ask users to complete the following (if not already done):

  1. Install the Microsoft Authenticator app (not Google Authenticator or another authenticator app)
  2. [Computer] Visit https://mysignins.microsoft.com/security-info
  3. [Computer] Add a new sign-in method and select Authenticator app
  4. [Phone] In the Authenticator app, select Add account -> Work or school account -> Scan a QR Code
  5. [Phone] Scan the QR code and click Next in the computer browser
  6. [Phone] Confirm the authenticator push notification using the code on the computer

Initial Authenticator setup is complete! You can move on to turning on passwordless sign-in in Authenticator.

Enable Passwordless Sign-In in Authenticator

Next we will turn on passwordless sign-in for the account in Microsoft Authenticator.

  • On your phone, find the account you added to Microsoft Authenticator and tap it
  • Tap "Set up Passwordless sign-in requests"
  • Sign into your Microsoft Account - this will be the last time you'll use this password
  • Register your device. You won't be able to use passwordless sign in until you do this.
  • You are all done. Under the account you should now see "Passwordless sign-in requests"

Turn on Web Sign-in for Windows 11 (optional, but recommended if you have Entra joined devices)

You can turn this on either with an Intune policy or by deploying/installing a ppkg file.

Requirements: Windows 11 (22H2 or newer), an Entra joined device, and Microsoft Authenticator installed.

Intune

  1. Go to https://intune.microsoft.com
  2. Navigate to Devices, and click on Configuration under the Manage Devices section
  3. Create a new policy
  4. For the Platform, select Windows 10 or later and the Settings catalog profile type
  5. Select the Authentication category
  6. Check the box for "Enable Web Sign-in"

ppkg file

You will need the Windows Configuration Designer app, available in the Microsoft Store.

  1. Open the app and click on "Advanced Provisioning"
  2. Enter a name for your project and take note of the directory it is going to create the project in. Click Next
  3. Select "All Windows Desktop editions" and click Next. Skip the import a provisioning package step. Click Finish.
  4. You will now see the advanced view with a left hand pane of settings. In the search bar type "web". Select "Enable Web Sign-in". Click the drop down and select Enable.
  5. Export your project as a ppkg file. Click Next, Next, Next then Build. You will find the ppkg in the project folder

You can now install this ppkg file either by double-clicking it or by using PowerShell etc. There is no reboot required.


Step 4: Monitor and Enforce

Track sign-ins via the Sign-in logs in Entra admin center. Use Conditional Access to require passwordless methods for specific apps or users.
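
As an added example (not part of the original guide), here is one way to measure pilot adoption from exported sign-in logs before enforcing passwordless with Conditional Access. The field names (userPrincipalName, createdDateTime, authenticationDetails, authenticationMethod, succeeded) are modeled on the sign-in log JSON export, and the method label strings are assumptions to adjust for your tenant.

```python
from collections import defaultdict

# Method labels counted as passwordless. Assumed values: replace them with the
# strings that appear in your own tenant's sign-in log export.
PASSWORDLESS = {"Passwordless phone sign-in", "FIDO2 security key"}

def rec(upn, when, *steps):
    """Build one record in the assumed export shape; steps are (method, succeeded)."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "authenticationDetails": [{"authenticationMethod": m, "succeeded": ok} for m, ok in steps]}

# Constructed sample records (not real log data), deliberately out of order.
SAMPLE = [
    rec("ana@example.com", "2025-03-05T09:10:00Z", ("Password", True)),
    rec("ana@example.com", "2025-03-01T08:00:00Z", ("Password", True), ("Mobile app notification", True)),
    rec("ana@example.com", "2025-03-02T08:05:00Z", ("Passwordless phone sign-in", True)),
    rec("ben@example.com", "2025-03-02T10:00:00Z", ("Passwordless phone sign-in", True)),
    rec("ben@example.com", "2025-03-03T10:00:00Z", ("Passwordless phone sign-in", True)),
    rec("cy@example.com", "2025-03-03T11:00:00Z", ("Password", True)),
    rec("dee@example.com", "2025-03-04T12:00:00Z", ("Password", False)),
]

def first_factor(record):
    """Return the method of the first successful authentication step, or None."""
    for s in record.get("authenticationDetails", []):
        if s.get("succeeded"):
            return s.get("authenticationMethod")
    return None

def adoption_report(records):
    """Per user: password vs passwordless sign-in counts, and whether a password
    was used again after that user's first passwordless sign-in."""
    report = defaultdict(lambda: {"password": 0, "passwordless": 0, "fell_back": False})
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        method = first_factor(r)
        if method is None:
            continue  # failed sign-in: nothing to classify
        row = report[r["userPrincipalName"].lower()]
        if method in PASSWORDLESS:
            row["passwordless"] += 1
        elif method == "Password":
            row["password"] += 1
            row["fell_back"] = row["fell_back"] or row["passwordless"] > 0
    return dict(report)

def ready_to_enforce(report):
    """Users who signed in passwordless and never used a password in the window."""
    return sorted(u for u, row in report.items() if row["passwordless"] and not row["password"])
```

Users flagged with fell_back are the ones to follow up with before a Conditional Access policy removes the password option for them.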

Best Practices

  • Start with a small pilot group
  • Provide internal guides or training sessions
  • Maintain fallback sign-in methods during rollout
  • Regularly review audit logs and user feedback
  • Have one or more break glass accounts for your admin(s). These should use multiple strong sign-in methods like a FIDO key, authenticator app, passkey etc.

Conclusion

Passwordless authentication is the future of secure access. Microsoft 365 and Entra ID make it easy to transition with minimal disruption. If you're a business in Calgary or Vancouver or elsewhere in Canada and need help configuring passwordless access, contact Huntertech. Our team provides expert IT solutions and cybersecurity services tailored to your needs.
