formolim89
Copper Contributor
Jul 10, 2025

Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds

We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app.

Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones.

Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated!

Thanks in advance!

1 Reply

  • AntonyCapewell
    Copper Contributor

    Please see below for two options which should work for you:

    Option 1: Exclude Users from the Strict BYOD Policy and Apply a Core Apps Block

    • How it works:
      • Remove your POC users from the existing BYOD CA policy.
      • Create a new CA policy that blocks access to all core business apps (e.g., Microsoft 365, Exchange, SharePoint, Teams) for unmanaged devices.
      • This ensures users can still set up Microsoft Authenticator and passwordless sign-in on their personal devices, but they cannot access sensitive apps or data from those devices.
    • Pros:
      ✔ Simple to implement
      ✔ Maintains data security
    • Cons:
      ✖ Requires an additional policy
      ✖ BYOD devices still interact with the registration process

    Option 2: Switch to Authentication Strengths and Require TAP Only

    • How it works:
      • Create a new Authentication Strength selecting TAP as the only method.
      • Change the CA policy from a hard block to require an Authentication Strength that only includes Temporary Access Pass (TAP).
      • Configure TAP as one-time use and time-limited (e.g., 30–60 minutes).
      • The IT administrator provides the user with a TAP code.
      • Users use the TAP to complete their passwordless setup without relaxing BYOD enforcement for apps.
    • Pros:
      ✔ Strongest security posture
      ✔ No need to exclude users from existing policies
      ✔ Fully controlled and auditable
    • Cons:
      ✖ Requires TAP issuance workflow
      ✖ Slightly more admin overhead
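    The Option 2 procedure above, written out with the Microsoft Graph PowerShell SDK as an added example (it is not part of the reply and not Microsoft's own sample). The pilot group ID and user UPN are placeholders, and the device filter `device.isCompliant -ne True` is an assumed stand-in for "unmanaged device"; adjust it to match the condition your existing BYOD policy uses.

```powershell
# Added example (not from the thread): Option 2 via Microsoft Graph PowerShell.
# Assumptions (placeholders): the POC pilot group ID, the test user's UPN, and the
# device filter used to identify unmanaged/BYOD devices.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'Application.Read.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: POC group object ID
$pilotUserUpn = 'pilot.user@contoso.example'             # placeholder: user who receives the TAP

# 1. Authentication strength whose only allowed combination is a one-time TAP.
$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName 'TAP only (passwordless onboarding)' `
    -Description 'Permits a single-use Temporary Access Pass and nothing else' `
    -AllowedCombinations @('temporaryAccessPassOneTime')

# 2. Constrain the TAP method itself: single use, 60-minute default and maximum lifetime.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' `
    -BodyParameter @{
        '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        state                    = 'enabled'
        isUsableOnce             = $true
        defaultLifetimeInMinutes = 60
        maximumLifetimeInMinutes = 60
    }

# 3. CA policy for the pilot group on unmanaged devices: a grant that requires the TAP-only
#    strength instead of a hard block. Once the user has registered Authenticator, no method
#    other than a freshly issued TAP satisfies this strength, so BYOD access to apps stays shut.
#    Created in report-only mode so sign-in logs can be reviewed before switching to 'enabled'.
$policy = @{
    displayName   = 'BYOD - passwordless onboarding via TAP (pilot)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'include'; rule = 'device.isCompliant -ne True' } }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State

# 4. Issue the single-use, 60-minute TAP the user needs to finish Authenticator registration.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $pilotUserUpn `
    -LifetimeInMinutes 60 -IsUsableOnce
"TAP for $pilotUserUpn (valid $($tap.LifetimeInMinutes) min, single use): $($tap.TemporaryAccessPass)"
```

    Each TAP issuance appears in the audit log under the admin who created it, which is what makes the workflow reviewable after the pilot.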
