You can now enable password-less authentication to Azure AD, including Azure AD applications, with the Microsoft Authenticator app, FIDO2 keys or Windows Hello
To start using the new password-less authentication methods, log on to your Azure AD portal (https://aad.portal.azure.com/) or Azure portal (https://portal.azure.com) and go to the Authentication methods blade
From there you can enable the FIDO2 Security key and/or Microsoft Authenticator authentication methods for either all or selected users
To enable an authentication method, you need to select it and then enable it for either all or selected users
When enabling a method you can allow self-registration
The Microsoft Authenticator method requires push notifications to be enabled in the tenant
Once enabled, your users will be able to register their FIDO2 key and/or Microsoft Authenticator app from their self-service portal (https://mysignins.microsoft.com) by opening the Security info section and then choosing Add method to select Security Key and the key type (USB or NFC)
NOTE: you need to use Microsoft Edge for the registration; at this stage Internet Explorer and Google Chrome are not supported
During the registration you will be prompted to set a PIN and then name the key
NOTE: do not use any spaces when naming the key
The FIDO2 security key has been added
Then your users can change the default MFA method to use the new method
The next time they sign in to Windows and/or an Azure AD application, including Office 365, they will be authenticated using this password-less method