top of page

Password less authentication options for Azure Active Directory

Updated: Jun 4

Features like MultiFactor Authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.


Something you have

Something you are or know


Windows 10 Device, phone, or security key

​Biometric or PIN

Each organization has different needs when it comes to authentication. Microsoft Global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):

  • Windows Hello for Business

  • Microsoft Entra Authenticator app

  • FIDO2 security keys

Azure Active directory

Windows Hello for Business

Windows Hello for Business is ideal for information workers who have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.

The following steps show how the sign-in process works with Azure AD:

windows hello for business

1. A user signs into Windows using a biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key and is sent to the Cloud Authentication security support provider, referred to as the Cloud AP provider.

2. The Cloud AP provider requests a nonce (a random arbitrary number that can be used just once) from Azure AD.

3. Azure AD returns a nonce that's valid for 5 minutes.

4. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure AD.

5. Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. Azure AD validates the signature and then validates the returned signed nonce. When the nonce is validated, Azure AD creates a primary refresh token (PRT) with a session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.

6. The Cloud AP provider receives the encrypted PRT with the session key. The Cloud AP provider uses the device's private transport key to decrypt the session key and protects the session key using the device's Trusted Platform Module (TPM).

7. The Cloud AP provider returns a successful authentication response to Windows. The user is then able to access Windows as well as cloud and on-premises applications without the need to authenticate again (SSO).

Microsoft Entra Authenticator App

You can also allow your employee's phone to become a passwordless authentication method. You may already be using the Authenticator app as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator App as a password-less option.

Microsoft Entra Authenticator App

The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm. Refer to Download and Install the Microsoft Entra Authenticator app for installation details.

Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It's a little more complicated as the user needs to be identified so that Azure AD can find the Authenticator app version being used:


1. The user enters their username.

2. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.

3. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices or via Firebase Cloud Messaging (FCM) on Android devices.

4. The user receives the push notification and opens the app.

5. The app calls Azure AD and receives a proof-of-presence challenge and nonce.

6. The user completes the challenge by entering their biometric or PIN to unlock the private key.

7. The nonce is signed with the private key and sent back to Azure AD.

8. Azure AD performs public/private key validation and returns a token.

FIDO2 security keys

The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.

FIDO2 security keys are an unfishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.

Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.

FIDO2 security keys can be used to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign-on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.

FIDO2 security keys

The following process is used when a user signs in with a FIDO2 security key:

Microsoft Entra ID

1. The user plugs the FIDO2 security key into their computer.

2. Windows detects the FIDO2 security key.

3. Windows sends an authentication request.

4. Azure AD sends back a nonce.

5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.

6. The FIDO2 security key signs the nonce with the private key.

7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.

8. Azure AD verifies the signed nonce using the FIDO2 public key.

9. Azure AD returns PRT to enable access to on-premises resources.

FIDO2 security key providers

The following providers offer FIDO2 security keys of different form factors that are known to be compatible with the passwordless experience. We encourage you to evaluate the security properties of these keys by contacting the vendor as well as FIDO Alliance.






FIPS Certified








Giesecke + Devrient (G+D)

GoTrustID Inc.



IDmelon Technologies Inc.






​OneSpan Inc


​Thales Group


​Token2 Switzerland

​TrustKey Solutions



Supported scenarios

The following considerations apply:

  • Administrators can enable passwordless authentication methods for their tenants.

  • Administrators can target all users or select users/groups within their tenant for each method.

  • Users can register and manage these passwordless authentication methods in their account portal.

  • Users can sign in with these passwordless authentication methods:

  • o Authenticator app: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 setup, and with integrated mobile apps on any operating system.

  • o Security keys: Work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge (both legacy and new Edge).

  • Users can use passwordless credentials to access resources in tenants where they are guests, but they may still be required to perform MFA in that resource tenant. For more information, see Possible double multi-factor authentication.

  • Users may not register passwordless credentials within a tenant where they are a guest, the same way that they do not have a password managed in that tenant.

Windows Hello for Business

Windows Hello for Business Windows Hello for Business

FIDO2 security keys


​Windows 10, version 1809 or later

Azure Active Directory

​Authenticator app

Phone (iOS and Android devices running Android 6.0 or above.)

​Windows 10, version 1903 or later

Azure Active Directory





Systems and devices

​PC with a built-in Trusted Platform Module (TPM) PIN and biometrics recognition

​PIN and biometrics recognition on the phone

​FIDO2 security devices that are Microsoft-compatible

User experience

​Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.

Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component, such as a PIN or biometric factor, to access corporate resources.

​Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN.

Users sign in to work or personal accounts from their PC or mobile phone.

​Sign in using a FIDO2 security device (biometrics, PIN, and NFC)

Users can access devices based on organization controls and authenticate based on PIN and biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.

Enabled scenarios

​Password-less experience with Windows devices.

Applicable for dedicated work PC with the ability for single sign-on to devices and applications

​Password-less anywhere solution using a mobile phone.

Applicable for accessing work or personal applications on the web from any device.

​Password-less experience for workers using biometrics, PIN, and NFC.

Applicable for shared PCs and where a mobile phone is not a viable option (such as for help desk personnel, public kiosks, or hospital teams)

Use the following table to choose which method will support your requirements and users




Passwordless technology


​Secure access to a device for management tasks

​Assigned Windows 10 device

​Windows Hello for Business and/or FIDO2 security key


​Management tasks on non-Windows devices

​Mobile or non-windows device

​Passwordless sign-in with the Authenticator app

Information worker

​Productivity work

​Assigned Windows 10 device

​Windows Hello for Business and/or FIDO2 security key

Information worker

​Productivity work

​Mobile or non-windows device

​Passwordless sign-in with the Authenticator app

Frontline worker

​Kiosks in a factory, plant, retail, or data entry

Shared Windows 10 devices

​Shared Windows 10 devices

239 views0 comments


bottom of page