Allow Passwordless Authentication for all delegated Office 365 tenants

At Ignite 2018, Microsoft stated that multi-factor authentication thwarts 99.9% of identity-based attacks. In other words, it’s a thousand times more effective at securing your account than using a password alone. Now, Microsoft want to get rid of passwords altogether with passwordless multi-factor authentication.

As you probably know, multi-factor authentication works by requiring multiple forms of identity verification. These are:

  • Something you know (typically a password)
  • Something you have (a trusted device, like a phone)
  • Something you are (biometrics)

Passwordless authentication works via the Microsoft Authenticator app. It requires your phone, and either your device’s PIN, your fingerprint, or your face.

When signing in via a modern authentication prompt, just enter your username and you’ll be presented with a two-digit number. If you switch over to your phone and open the Microsoft Authenticator app, you can select the correct number and authenticate yourself using a PIN, fingerprint or your face.

Enabling Passwordless sign in for Azure AD via PowerShell

Preparing to enable Passwordless Authentication via PowerShell

As of now, you can switch this on using the Azure Active Directory Public Preview PowerShell Module, version 2.0.2.5.

To confirm whether you have this version installed, open PowerShell as an administrator and run the following cmdlet:

Get-Module -Name AzureAD -ListAvailable

Get Azure AD PowerShell Module

If you currently have the Azure AD PowerShell module installed and it’s not at least version 2.0.2.5, you’ll need to uninstall it. To do this, run the following:

Uninstall-Module -Name AzureAd

Uninstall Azure AD PowerShell Module

If you don’t have the Azure AD PowerShell module installed, or you’ve just uninstalled it, you’ll need to install it by running:

Install-Module -Name AzureADPreview

Install Azure AD Preview PowerShell Module
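The three module steps above (check the version, uninstall the older AzureAD module, install AzureADPreview) can be run as one script so the check is not skipped. This is an added example, not the article’s own script; it assumes the 2.0.2.5 minimum version named above and uses only the Get-Module, Uninstall-Module, Install-Module and Import-Module cmdlets that ship with PowerShell.

```powershell
# Added example (not from the original article): make sure the Azure AD Preview
# module is present and at least the version the article requires before
# attempting to enable passwordless sign-in.
$minimumVersion = [version]'2.0.2.5'   # minimum version named in the article

# The article says to uninstall an existing AzureAD module that is below the minimum.
$gaModules = Get-Module -Name AzureAD -ListAvailable
foreach ($module in $gaModules) {
    if ($module.Version -lt $minimumVersion) {
        Write-Host "Found AzureAD $($module.Version), below $minimumVersion; uninstalling it."
        Uninstall-Module -Name AzureAD -RequiredVersion $module.Version -Force
    }
}

# Pick the newest preview module already installed, if there is one.
$preview = Get-Module -Name AzureADPreview -ListAvailable |
    Sort-Object Version -Descending |
    Select-Object -First 1

if (-not $preview -or $preview.Version -lt $minimumVersion) {
    Write-Host "AzureADPreview missing or below $minimumVersion; installing the current release."
    # -AllowClobber lets the preview module load alongside any remaining AzureAD cmdlets
    Install-Module -Name AzureADPreview -Scope CurrentUser -Force -AllowClobber
} else {
    Write-Host "AzureADPreview $($preview.Version) is already installed."
}

# Load the preview module explicitly so the session uses its New-AzureADPolicy cmdlet.
Import-Module -Name AzureADPreview
Get-Module -Name AzureADPreview | Select-Object Name, Version
```

Run it from an elevated PowerShell window, as the article describes for the manual cmdlets; the final line shows which module version the session actually loaded, which is what matters when the New-AzureADPolicy call later refuses the AuthenticatorAppSignInPolicy type.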

How to run these scripts

Since these are small, you can copy and paste them directly into a PowerShell window and press enter.

Alternatively, you can use Visual Studio Code:

  • Double-click either of the scripts below to select it in full.
  • Copy and paste it into Visual Studio Code.
  • Save it as a .ps1 file.
  • Install the recommended PowerShell extension if you haven’t already.
  • Press F5 to run the script.
  • Sign in with your global admin credentials, or if running the second script, the credentials of an account with delegated access to customer tenants.


Enabling Passwordless Authentication for a single Office 365 tenant via PowerShell

# Sign in to the tenant with a global admin account
Connect-AzureAD
# Create the organization-wide policy that allows Microsoft Authenticator phone sign-in
New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn


Enabling Passwordless Authentication for all delegated Office 365 tenants via PowerShell

Note that this script does not work with MFA enabled on the delegated account. You can adapt it to support MFA by removing the -Credential parameter from the second Connect-AzureAD call; however, you’ll then need to complete the MFA prompt separately for each tenant.

If you have Azure AD P1 or P2 licenses, you can run this script without being prompted for MFA by adding your current public IP address to your MFA Whitelist here.

# Prompt once for the delegated (partner) admin credentials
$credential = Get-Credential
# Connect to the partner tenant
Connect-AzureAD -Credential $credential
# List every customer tenant delegated to this partner
$customers = Get-AzureADContract -All $true

foreach ($customer in $customers) {
    # Reconnect using the same credentials, this time against the customer tenant
    Connect-AzureAD -Credential $credential -TenantId $customer.CustomerContextId
    # Create the organization-wide policy that allows Microsoft Authenticator phone sign-in
    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn
}
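The single-tenant and multi-tenant scripts above both call New-AzureADPolicy unconditionally, so running either a second time creates a second AuthenticatorAppSignInPolicy in the tenant, and one failing customer tenant stops the loop for everyone after it. The following is an added example, not the article’s own script, that makes the rollout idempotent and records the outcome per tenant. It assumes Get-AzureADPolicy is available in the same AzureADPreview module and that the Contract objects returned by Get-AzureADContract carry DisplayName and CustomerContextId; the Enable-AuthenticatorSignInPolicy function name and the CSV file name are this example’s own choices.

```powershell
# Added example (not the article's own code): idempotent, per-tenant rollout of the
# Authenticator app sign-in policy with a summary that can be kept as a change record.
$definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

function Enable-AuthenticatorSignInPolicy {
    # Works against whichever tenant Connect-AzureAD is currently signed in to.
    # Returns 'AlreadyConfigured' or 'Enabled'.
    $existing = Get-AzureADPolicy -All $true |
        Where-Object { $_.Type -eq 'AuthenticatorAppSignInPolicy' }

    if ($existing) {
        # A previous run (or an admin) already created the policy; don't stack another one.
        return 'AlreadyConfigured'
    }

    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition $definition `
        -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn | Out-Null
    return 'Enabled'
}

# Prompt once for the delegated admin credentials and connect to the partner tenant
$credential = Get-Credential
Connect-AzureAD -Credential $credential | Out-Null
$customers = Get-AzureADContract -All $true

$results = foreach ($customer in $customers) {
    $status = 'Failed'
    $errorText = ''
    try {
        Connect-AzureAD -Credential $credential -TenantId $customer.CustomerContextId | Out-Null
        $status = Enable-AuthenticatorSignInPolicy
    } catch {
        # Record the failure (e.g. MFA demanded, insufficient rights) and carry on
        # with the remaining tenants instead of aborting the whole run.
        $errorText = $_.Exception.Message
    }
    [pscustomobject]@{
        Tenant   = $customer.DisplayName
        TenantId = $customer.CustomerContextId
        Status   = $status
        Error    = $errorText
    }
}

# Show the outcome on screen and keep a timestamped copy as an audit record
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\PasswordlessRollout-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

To use the same logic for a single tenant, connect with Connect-AzureAD as in the single-tenant section and call Enable-AuthenticatorSignInPolicy on its own. Tenants that show Failed in the summary are the ones to revisit by hand, typically because the delegated account was prompted for MFA there, as the note above explains.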


How users can enable Passwordless Authentication

Once these scripts have completed, users who already have MFA configured via Microsoft Authenticator can enable Passwordless Authentication by tapping Enable Phone Sign-In within the Authenticator app.

Enable Phone Sign-In
