Following the same path as Windows Hello for Business, you can now use the Microsoft Authenticator app to sign in to corporate resources protected by Azure AD (Azure, Office 365, Azure published apps…)
You need, of course, a few prerequisites:
- Running Windows 10, registered to your Azure AD tenant
- Have set up an authentication policy on your Azure AD
- Have registered your Microsoft Authenticator app
Set up the authentication policy on Azure AD
There is currently no option available through the Azure AD administration portal, so you will need to do it with Azure PowerShell; in addition, you will need the Azure AD v2 Preview PowerShell module.
- Install the Azure AD v2 preview module by running the following command from a PowerShell prompt (as always, run it as Administrator); you may have to confirm the installation, as the repository (PSGallery) may not be trusted
Install-Module -Name AzureADPreview -RequiredVersion 2.0.0.114 -Force
- Once installed, you need to connect to your Azure AD with the command below
Connect-AzureAD
- Finally, create the authentication policy that allows the Authenticator app to be used for opening a Windows session, with the following command (the definition is a JSON string, so use straight quotes, not the curly quotes a word processor produces)
New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn
You can check this has been successful by running
Get-AzureADPolicy
and checking for the policy you have just created
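The three steps above as one script, with a verification step that reads the policy back and confirms it is enabled and set as the organization default. This is an added example, not code from the original post; it assumes that the objects returned by Get-AzureADPolicy expose Type, DisplayName, IsOrganizationDefault and Definition (a list of JSON strings), and it builds the JSON with ConvertTo-Json so that the definition cannot be broken by pasted curly quotes.

```powershell
# Added example (not from the original post): the full procedure as one script,
# with a verification step. Assumes the AzureADPreview module version from the
# post and that Get-AzureADPolicy returns objects with Type, DisplayName,
# IsOrganizationDefault and Definition (a list of JSON strings) properties.
$policyName = 'AuthenticatorAppSignIn'
$policyType = 'AuthenticatorAppSignInPolicy'

# 1. Install the preview module (run from an elevated PowerShell prompt).
if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    Install-Module -Name AzureADPreview -RequiredVersion 2.0.0.114 -Force
}
Import-Module AzureADPreview

# 2. Sign in to the tenant; you will be prompted for admin credentials.
Connect-AzureAD | Out-Null

# 3. Build the policy definition from an object so the JSON is always well
#    formed (pasted curly quotes are a common cause of a rejected definition).
$definition = @{ $policyType = @{ Enabled = $true } } | ConvertTo-Json -Compress

# Create the policy only if none of this type exists yet, so re-running the
# script does not try to create a second organization-default policy.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq $policyType }
if (-not $existing) {
    New-AzureADPolicy -Type $policyType -Definition $definition `
        -IsOrganizationDefault $true -DisplayName $policyName
}

# 4. Verify: read the policy back and confirm Enabled is true and that it is
#    the organization default, which is what makes it apply tenant-wide.
$policy = Get-AzureADPolicy | Where-Object { $_.Type -eq $policyType }
$parsed = $policy.Definition | ConvertFrom-Json
if ($parsed.$policyType.Enabled -eq $true -and $policy.IsOrganizationDefault) {
    Write-Output "Policy '$($policy.DisplayName)' is enabled and set as organization default."
} else {
    Write-Warning "Policy exists but is not enabled or not the organization default; check its definition."
}
```

Running the script a second time is safe: the existence check skips creation and only the verification step runs, which is also a convenient way to audit that nobody has since disabled the policy.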
That is it: now you have to instruct your end users to enable push notifications (if not done yet) for their Authenticator app and to enable phone sign-in (which has been available since March 2017).
You cannot enforce the use of this policy during the preview.
The next time your users sign in to a corporate resource, they will be prompted for approval through the Microsoft Authenticator app (unless they choose to switch back to password).
Known Issues/Limitations
Also, as this is a preview, there are a few limitations/issues:
- Because this capability relies on the registration of the device to Azure AD, which means it is associated with one user account, it can only work for one user. Other users will have to enter their PIN/password when logging on to the device (if it is a shared device)
- Azure MFA Server (on-premises) is supported, but if your end users attempt to upgrade multiple Microsoft Authenticator apps this may end with an error
- This functionality will prevent users from being redirected to Active Directory Federation Services (AD FS) if federated authentication is used. End users will be prompted first by the Authenticator app. This then bypasses any conditional access or pass-through authentication set on-premises.