Starting with Windows 10 1903 you can passwordless enroll your Windows device together with the Microsoft Authenticator.
You need to enroll via Microsoft Authenticator App. So the app will be the authentication method to enroll the device “passwordless”.
To allow passwordless enrollment, you need to enable some Azure AD preview features.
First you need to login to your AzureAD as administrator. Navigate to
Azure Active Directory -> Authentication methods -> Microsoft Authenticator passwordless sign-in settings
You need to enable the passwordless sign-in for all users – or for a specific user group.
Enable Authenticator passwordless sign-in
After that click the link “Click here to enable users for the enhanced registration preview”.
We need to enable this for the same target group like the Microsoft Authenticator passwordless sign-in setting. If we don’t activate this, you can’t select the Authenticator App as sign-in option.
Also, before we start to enroll a user for passwordless authentication, we need to check if MFA is activated. Navigate to MFA in the security section.
Here click on “Additional cloud-based MFA settings” and make sure that “Allow users to create app passwords to sign in to non-browser apps” is activated and also “Notification through mobile app” is selected.
After you verified that this settings are selected, close the tab and navigate to the “Password reset” setting. Make sure, that the selected group is enabled for self service password reset.
If not you will receive an error like this:
We’re sorry, but your administrator has not enabled you to register at this time.
After we finished the Azure AD configuration, we need to navigate to:
Here we need to add the Authenticator App as sign-in method.
Add the Authenticator app as sign-in method
Of cause you need the Microsoft Authenticator App installed on your iOS or Android device to finish the registration.
Make sure, that the default sign-in method is “Microsoft Authenticator – notification”. The next step is on our phone in the Authenticator app itself.
Follow the guidance:
Choose ” Enable phone sign-in” in the drop down menu
You are only able to connect ONE account to ONE device
After the process is finished, you see the small phone sign-in icon
Now we are finished with the configuration. We can test the phone sign-in method on the “My Sign-Ins” website.
There will be no password sign-in. Instead you need to switch to you phone and choose the number, that is shown on your login screen.
Notification shown in the Authenticator App:
AutoPilot with passwordless user login
Since this is working, we can now test it in a AutoPilot scenario.
If you like, just look the video: