Configure Azure AD Password-less

Passwords have been used since the first days of computing to protect access to resources.
As we know, passwords can be broken, so we added a layer of security with multi-factor authentication.
MFA is good, but we are still using the password; it does not eliminate the password.

Modern identity attacks are getting more and more sophisticated, so we need to think about every way a breach could happen.

Microsoft has announced password-less sign-in, and Microsoft wants to end the era of passwords!

Microsoft Azure AD is now ready to provide a password-less authentication experience for Azure AD connected apps using the Microsoft Authenticator mobile app.

The authenticator app can replace the password with a fingerprint, face recognition, or PIN.

Instead of seeing a prompt for a password after entering a username, a person who has enabled phone sign-in in the Microsoft Authenticator app will see a message telling them to tap a number in their app.

In the app, the user must match the number, choose Approve, and then provide their PIN or biometric; the authentication then completes.

How to Configure Azure AD Password-less

To configure password-less in Azure AD, you need to make sure that a few prerequisites are met and then configure an Azure AD policy. Review the Notes section before applying the following actions.

Password-less prerequisites

  • Azure Active Directory
  • Users with Azure Multi-Factor Authentication
  • Users can register their devices

Configure Password-Less

To configure and allow password-less in Azure AD, follow the actions below.

First, install the Azure Active Directory V2 PowerShell module (the AzureADPreview module) using the following command:

Install-Module -Name AzureADPreview -RequiredVersion 2.0.0.114 -Force

Once the Azure Active Directory V2 PowerShell module is installed, close the PowerShell console and open it again.

Next, connect to Azure AD with the following command: Connect-AzureAD

Once successfully authenticated, we need to configure the Azure AD policy. To add a new policy, run the following command (the Definition value is a JSON string, so it must use straight double quotes inside single quotes):

New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignInPolicy


You can check the active policy by running the following command: Get-AzureADPolicy

Next, you need to make another change in the Microsoft Authenticator app on your phone to allow password-less sign-in. Open the account and choose “Enable phone sign-in”; this will require that your user account.
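The tenant-side steps above (connect, create the policy, check it) as one idempotent script. This is an added example, not code from the original post; it assumes the AzureADPreview module is already installed and that the signed-in account is allowed to manage Azure AD policies.

```powershell
# Added example (not from the original post): enable the Authenticator app
# sign-in policy only if it is missing or disabled, then confirm from the
# tenant what was actually stored. Assumes AzureADPreview is installed and
# the connecting account may manage policies.
Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

$policyType = 'AuthenticatorAppSignInPolicy'
$definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

# Look for an existing policy of this type instead of creating a duplicate
$existing = Get-AzureADPolicy |
    Where-Object { $_.Type -eq $policyType } |
    Select-Object -First 1

if (-not $existing) {
    Write-Host "No $policyType found; creating it as the organization default."
    $existing = New-AzureADPolicy -Type $policyType -Definition $definition `
        -IsOrganizationDefault $true -DisplayName $policyType
}
else {
    # Parse the stored JSON definition rather than trusting the display name
    $current = ($existing.Definition | ConvertFrom-Json).$policyType.Enabled
    if (-not $current) {
        Write-Host "$policyType exists but is disabled; enabling it."
        Set-AzureADPolicy -Id $existing.Id -Definition $definition
    }
}

# Re-read and report, so the change is confirmed from the tenant, not assumed
$policy  = Get-AzureADPolicy -Id $existing.Id
$enabled = ($policy.Definition | ConvertFrom-Json).$policyType.Enabled
[PSCustomObject]@{
    Id                    = $policy.Id
    DisplayName           = $policy.DisplayName
    Enabled               = $enabled
    IsOrganizationDefault = $policy.IsOrganizationDefault
}
```

The final object is what to record in a change ticket: if Enabled is not true or IsOrganizationDefault is not true, the policy will not apply to users.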

Notes

  • Setting up this feature will not affect any other MFA setup that you might have.
  • An NPS server configured with Azure AD that uses some other form of authentication, such as MFA push notifications, continues to use the same authentication.
  • If you have an older version of the Azure AD PowerShell module and cannot install the new one, uninstall it first with the following command: Uninstall-Module -Name AzureADPreview
  • Be aware of this change and prepare your users for it.
  • There is no way to force users to create or use this new credential.


1 Response

  1. Jeff Brixhamite says:

    You can also authenticate using hardware tokens.
