Passwordless authentication is now generally available!

Published 03-02-2021 06:00 AM

Howdy Folks,


Our team has been working hard to make passwords a thing of the past. Last year was a breakthrough year and the start of the movement to passwordless sign-in. Today we’re announcing that our passwordless solution is now generally available!


This is a major milestone in Microsoft’s strategy to encourage all our users and organizations to go passwordless! Organizations can now roll out passwordless authentication across their hybrid environments at scale. Users get a familiar, simple-to-use authentication experience that offers industry-best security and works across an increasingly broad set of devices and services.


Thanks in large part to the feedback we’ve received since we launched the public preview in July 2019, we’ve added a set of new features to improve the management and usability of these credentials, including authentication methods management, step-up authentication, and passwordless APIs. One of the most impactful updates is the new Temporary Access Pass, now in public preview. This time-limited passcode ties the onboarding and recovery story of passwordless together, for an end-to-end passwordless experience from day one.



Authentication methods management

Authentication methods policies form the foundation of our passwordless story. They give IT admins more granular control over authentication method usage within their organizations. You’ll continue to see more credentials added to the Authentication methods blade, both in the Azure portal and via Microsoft Graph, for accessing and managing authentication methods policies and user credentials across your organization. We’ve also merged management of Microsoft Authenticator app credentials, so an admin can set one policy that covers both passwordless phone sign-in and standard push multi-factor authentication.


In the portal, you can also now see and delete passwordless methods on the User blade, for example to revoke a FIDO2 security key registration when the user has lost the key. Policies related to passwordless credentials are now available in Microsoft Graph v1.0. We’ve also introduced a new scoped role specifically for authentication methods policy management, aptly named Authentication Policy Administrator, alongside the existing Authentication Administrator role.
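The two admin tasks just described, inventorying a user’s credentials and revoking a lost FIDO2 key, look like this when done over Microsoft Graph from PowerShell. This is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK’s Connect-MgGraph and Invoke-MgGraphRequest against the documented /users/{id}/authentication endpoints. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in admin holds the Authentication Administrator role (Privileged Authentication Administrator if the target user is an admin), and that the UPN and key display name are placeholders you replace with your own.

```powershell
# Added example, not from the original post: list a user's registered
# authentication methods over Microsoft Graph and revoke the registration of a
# FIDO2 security key the user has lost.
# Assumptions: Microsoft.Graph.Authentication module installed; the admin holds
# Authentication Administrator (Privileged Authentication Administrator for
# admin targets); $Upn and $LostKeyName are placeholders for your tenant.

$Upn         = 'alice@contoso.example'    # placeholder user
$LostKeyName = 'YubiKey 5 NFC (desk)'     # placeholder displayName the user gave the key
$Graph       = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# 1. Inventory. Each entry carries an @odata.type discriminator, for example
#    #microsoft.graph.fido2AuthenticationMethod,
#    #microsoft.graph.microsoftAuthenticatorAuthenticationMethod,
#    #microsoft.graph.windowsHelloForBusinessAuthenticationMethod,
#    #microsoft.graph.passwordAuthenticationMethod (the one we want to stop relying on).
$methods = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
               -Uri "$Graph/users/$Upn/authentication/methods").value

$methods |
    Select-Object @{ n = 'type';    e = { $_.'@odata.type' -replace '^#microsoft\.graph\.', '' } },
                  id,
                  @{ n = 'name';    e = { $_.displayName } },
                  @{ n = 'created'; e = { $_.createdDateTime } } |
    Format-Table -AutoSize

# 2. Locate the lost key's registration. Only match on displayName if the user
#    names keys distinctly; otherwise take the id from the table above.
$fido2 = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
             -Uri "$Graph/users/$Upn/authentication/fido2Methods").value
$lost  = @($fido2 | Where-Object { $_.displayName -eq $LostKeyName })

if ($lost.Count -eq 0) {
    Write-Warning "No FIDO2 key named '$LostKeyName' is registered for $Upn; nothing revoked."
    return
}
if ($lost.Count -gt 1) {
    Write-Warning "Several FIDO2 keys named '$LostKeyName'; refusing to guess. Delete by id instead."
    return
}

# 3. Revoke. This deletes Azure AD's record of the key's public key, so
#    assertions from the physical key no longer verify for this tenant, even
#    though the key itself still works as a FIDO2 authenticator elsewhere.
Invoke-MgGraphRequest -Method DELETE `
    -Uri "$Graph/users/$Upn/authentication/fido2Methods/$($lost[0].id)"
Write-Host "Revoked FIDO2 key $($lost[0].id) ('$LostKeyName') for $Upn."

# 4. Verify the registration is gone (directory replication can lag by a moment).
(Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$Graph/users/$Upn/authentication/fido2Methods").value |
    Select-Object id, displayName, model, aaGuid, createdDateTime
```

The script deliberately refuses to delete when the display name is ambiguous: revoking the wrong key locks out a user who did nothing wrong, while the lost key stays valid. When in doubt, pass the id from the inventory step rather than a name.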




Figure 1: Authentication methods management in Azure Portal




Figure 2: Merged Microsoft Authenticator policy management configuration



Figure 3: A user’s registered credentials in Azure Portal




Figure 4: A user’s authentication methods as displayed in Graph Explorer



Improved user experiences

From the beginning, making the passwordless authentication flow delightful has been a top priority, which is why we’ve made numerous improvements to consistency and flow. We remember the credential a user signs in with most often, so they get the best experience across devices: sign-in keeps prompting for that method, be it password, Authenticator app or FIDO2 key, until the user chooses “Other ways to sign in” to switch. People can choose when to begin using their new passwordless options and avoid having them foisted on them unexpectedly.


We’ve also fixed a few bugs around credentials in the guest user flow: if someone always signs in with passwordless phone sign-in in the Contoso tenant, they can now start authentication to Fabrikam, where they are a guest, using that same method.


Figure 5: Showing how a user can change which method to use


To support users who have registered a FIDO2 security key or enabled passwordless phone sign-in, we’ve given them the choice to use those strong authentication methods to re-verify their identity when a resource asks for it. This is sometimes called “step-up” authentication or a second-factor flow. Coupled with a Temporary Access Pass, this lets users set up and use one of these strong authentication methods without needing a separate credential just for MFA.


Figure 6: Using a FIDO2 security key in a verification scenario



Improved account setup experience in Microsoft Authenticator

One major change to the passwordless phone sign-in experience is the ability to set up your account directly within the Microsoft Authenticator app. This works best if you have already registered at least one multi-factor authentication method in advance, or have a Temporary Access Pass.



Figure 7: Microsoft Authenticator with new "Sign in" feature to add work or school account



Authentication methods activity

Reporting is another area where we heard your feedback loud and clear, and we have made huge strides since the public preview. You can now view registration and usage information for all your authentication methods in the updated Authentication methods activity blade. The report helps you track the progress of registration campaigns and the adoption of passwordless authentication methods, and lets you dive straight into the data for more detail. Our documentation lists the permissions and licensing requirements for accessing these reports.
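To make “dive straight into the data” concrete, here is an added example (not from the original post or from Microsoft) that pulls the registration details behind the blade over Microsoft Graph and splits users into those who can already sign in passwordless and those still to target. It assumes the Microsoft.Graph.Authentication module, the AuditLog.Read.All delegated scope and a role allowed to read the report (Reports Reader, Security Reader or higher, per the documentation the post points to). The v1.0 path is assumed; if your tenant only exposes the report on the beta endpoint, change the version segment.

```powershell
# Added example, not from the original post: read the authentication methods
# registration report over Microsoft Graph and group users by whether Azure AD
# considers them passwordless capable (FIDO2 key, Authenticator phone sign-in
# or Windows Hello for Business registered).
# Assumptions: Microsoft.Graph.Authentication installed; AuditLog.Read.All scope
# and a reports-reading role; v1.0 path (use beta if your tenant requires it).

$Graph = 'https://graph.microsoft.com/v1.0'
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# The report is paged; follow @odata.nextLink until it is absent.
$uri  = "$Graph/reports/authenticationMethods/userRegistrationDetails"
$rows = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $uri
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

# isPasswordlessCapable is computed by the service from methodsRegistered.
# Everyone in $pending still depends on a password and is a candidate for a
# Temporary Access Pass plus key or phone sign-in rollout.
$capable, $pending = $rows.Where({ $_.isPasswordlessCapable }, 'Split')

"{0} of {1} users are passwordless capable" -f $capable.Count, $rows.Count

# What the rest already have tells you where each campaign starts: users with
# microsoftAuthenticatorPush can be upgraded to phone sign-in in-app; users with
# nothing registered need a TAP before they can enrol anything.
$pending |
    Group-Object { ($_.methodsRegistered | Sort-Object) -join '+' } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'methodsRegistered'; e = { $_.Name } } |
    Format-Table -AutoSize

# Admins without a passwordless credential are the highest-value targets.
$pending | Where-Object { $_.isAdmin } |
    Select-Object userPrincipalName, defaultMfaMethod,
                  @{ n = 'methods'; e = { $_.methodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

Run it before and after a registration campaign and diff the counts; the grouping by registered method set is usually more actionable than the single capable/not-capable number the blade shows.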




Figure 8: Authentication methods registration report



Windows Hello for Business joins the club

Our most widely deployed and used passwordless credential, Windows Hello for Business, is also being brought more closely into authentication methods management: users can see their Windows Hello for Business-capable devices in the security info registration portal, and admins can see them on the Azure portal User blade. Windows Hello for Business registration and usage is also captured in the new reporting. Lastly, users who want to remain entirely passwordless can use a FIDO2 security key, in the Windows Out-Of-Box Experience (OOBE) or via Settings, to set up their Azure Active Directory identity on a Windows device.



Figure 9: Windows Hello for Business devices now show in a user’s list of authentication methods.



Temporary Access Pass

Of course, to have a world without passwords, we must give our customers the ability to set up all these passwordless authentication methods, and to recover from lost devices, without performing the traditional password and multi-factor authentication. To that end, we’ve created, and just announced the public preview of, Temporary Access Pass. This time-limited passcode allows you to set up security keys and the Microsoft Authenticator app without ever needing to use, much less know, your password! We can’t wait to get your feedback on how the Temporary Access Pass helps you with your passwordless rollout.
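The onboarding and recovery step described above, as an added example that is not part of the original post or Microsoft’s own tooling: confirm that Temporary Access Pass is enabled in the authentication methods policy, then mint a short-lived, single-use pass for one user so they can register a FIDO2 key or phone sign-in with no password and no prior MFA. It assumes the Microsoft.Graph.Authentication module, the Policy.Read.All and UserAuthenticationMethod.ReadWrite.All scopes, the Authentication Administrator role (Privileged Authentication Administrator for admin users), and a placeholder UPN. The v1.0 paths are assumed; while TAP was in public preview it lived on the beta endpoint.

```powershell
# Added example, not from the original post: check the Temporary Access Pass
# policy, then issue a short-lived single-use TAP for a user being onboarded
# or recovering from a lost device.
# Assumptions: Microsoft.Graph.Authentication installed; Policy.Read.All and
# UserAuthenticationMethod.ReadWrite.All scopes; Authentication Administrator
# role; $Upn is a placeholder; v1.0 paths (beta while TAP was in preview).

$Upn   = 'bob@contoso.example'           # placeholder: the user being onboarded
$Graph = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

# 1. A TAP can only be issued if the method is enabled in the authentication
#    methods policy and the user falls under an included target. Read it first
#    so the POST below does not fail with an opaque error.
$tapPolicy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$Graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"

if ($tapPolicy.state -ne 'enabled') {
    throw "Temporary Access Pass is '$($tapPolicy.state)' in the authentication methods policy; enable it before issuing one."
}
Write-Host ("TAP policy: lifetime {0}-{1} min (default {2}), single-use only: {3}, targets: {4}" -f
    $tapPolicy.minimumLifetimeInMinutes, $tapPolicy.maximumLifetimeInMinutes,
    $tapPolicy.defaultLifetimeInMinutes, $tapPolicy.isUsableOnce,
    (($tapPolicy.includeTargets | ForEach-Object { $_.id }) -join ', '))

# 2. Issue the pass. Keep it short and single-use: for as long as it is valid it
#    is a bearer credential that satisfies MFA on its own. Clamp the lifetime to
#    the policy's bounds; one hour is enough for a scheduled onboarding call.
$lifetime = [Math]::Min([Math]::Max(60, $tapPolicy.minimumLifetimeInMinutes),
                        $tapPolicy.maximumLifetimeInMinutes)
$body = @{
    lifetimeInMinutes = $lifetime
    isUsableOnce      = $true
    # startDateTime   = (Get-Date).AddHours(1).ToUniversalTime().ToString('o')  # optional: delay validity
}
$tap = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri "$Graph/users/$Upn/authentication/temporaryAccessPassMethods" -Body $body

# 3. The pass value is returned exactly once, in this response; it cannot be
#    read back later. Deliver it out of band (phone call, in person), not to a
#    mailbox the user cannot sign in to yet.
[pscustomobject]@{
    User      = $Upn
    Pass      = $tap.temporaryAccessPass
    ValidFrom = $tap.startDateTime
    Lifetime  = "$($tap.lifetimeInMinutes) min"
    OneTime   = $tap.isUsableOnce
    Usable    = $tap.isUsable
    Reason    = $tap.methodUsabilityReason
}

# 4. If the user never shows up, revoke the pass rather than letting it run out:
# Invoke-MgGraphRequest -Method DELETE -Uri "$Graph/users/$Upn/authentication/temporaryAccessPassMethods/$($tap.id)"
```

Once the user has signed in with the pass and registered a FIDO2 key or phone sign-in, the single-use pass is spent; the isUsable and methodUsabilityReason fields on a later GET tell you whether it was consumed, expired or is still outstanding.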


This post gives only a high-level summary of each of the features arriving with general availability; for details and supported scenarios, follow the links provided to dig deeper into each area.


As excited as we are for this major milestone, general availability is just that – a moment in our passwordless journey. We hope you'll also now take the next step in identifying the right user segments that can go passwordless today, and then start your organization’s own journey to Go Passwordless, whether that’s moving forward in deploying a Windows Hello for Business upgrade, or piloting a new authentication method, or testing FIDO2 security keys across your workloads. All progress is a positive advance towards improving your organization’s security, and your authentication experience.


As always, we welcome your comments and feedback below or on the Azure AD feedback forum.



Best regards,


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division




Senior Member

Hi Alex,

Great updates - two questions:


1) Would issuing a FIDO key and a Temporary Access Pass to someone still require them to have another second factor to configure the key? i.e. we cannot just issue FIDO keys to users at the moment who do not have a second factor - they still need a phone/OTP factor to configure it.


2) The guest/B2B sign in via FIDO key is interesting - we have issues with MFA for B2B users - they have to register in our tenant as well as their own for MFA - is this technically a way of getting B2B users to not have to register MFA (they're a partner org, and we trust their MFA config)? Or alternatively will there be a way for us to get B2B users to use their 'home' MFA credentials in resource tenants?

Occasional Contributor

@Alex Simons (AZURE) 

1) Thanks, great job!

2) Is it fully supported by PowerShell cmdlets / AD Connect / Azure DevOps / etc.? Any known unsupported scenarios?


Hi @apnet1205 , thanks! 

To answer your questions: 
1) Would issuing a FIDO key and a Temporary Access Pass to someone still require them to have another second factor to configure the key? 

Nope! That's the whole promise of Temporary Access Pass: it conveys, briefly, a strong MFA claim that allows the TAP holder to create a permanent passwordless credential, like a FIDO2 security key or passwordless phone sign-in with the Microsoft Authenticator app.


2) For B2B users, the passwordless credential can be used to start the authentication (like a password in the "home" tenant), but if the resource ("guest") tenant has its own MFA policy, the user will still have to register and use an MFA credential in that resource tenant as well.

@apnet1205 Hi! For your first question - with Temporary Access Pass the user is no longer required to have a 2nd factor registered. They can use the Temporary Access Pass to sign in, register the FIDO2 key and, from this point on, sign in with the FIDO2 key. We have additional information here: and in our public documentation: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Micr...

Senior Member

Thanks @Libby Brown and @Inbar Cizer Kobrinsky. Will investigate the Temporary Access Pass solution with some FIDO keys, as this could make a nice replacement for OTP tokens, which are clunky.

RE: B2B MFA - are there any plans for there not to be a requirement for double registration of MFA, or to at least enforce MFA on any B2B authentications our users do in our 'home' tenant?

Occasional Visitor

We have been trying to test passwordless for a number of weeks but I don't think the functionality is there yet.


All our users/devices are fully Azure AD joined (no hybrid). Windows Hello for Business is deployed. However:

1. If you "forget pin" you still need to input password to reset.

2. There are 2 ways to stop a user logging into the desktop with a password (security policy or removing the credential provider), but if you do either of these then elevating to an administrator account is not possible (due to the security policy it won't accept the admin's password), therefore not supportable.


So as things stand... the functionality does not seem to be there to go passwordless. Not to mention that, as far as I can see, the Azure AD credential provider still requires a password to exist.

Established Member

Looks like there is still a hard requirement to have MFA before FIDO2 keys can be enrolled. 

Here is what we get when trying to add FIDO2 key as the only security method:

"To set up a security key, you need to sign in with two-factor authentication"


Established Member

Sorry, I was too fast and did not read the TempAccess part and there is no way to edit comments here, so please disregard my comment above

It is possible to enroll a FIDO2 key without MFA using Temporary Access option

@Emin Huseynov - Yes, if the user has signed in to Azure AD with a Temporary Access Pass, in the Security Info page they can go and register a FIDO2 key. Please see more details here: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Micr...


Hi @Mlawton40 , 


You can now use FIDO keys to do PIN reset, so no passwords needed there. Being able to use a temporary access pass there is also on the roadmap. 


As for removing password entry from Windows, we're still a ways from making that a smooth, seamless experience, but that's why we call this a journey! First we have to provide the alternatives to passwords, next we move to take passwords out of the equation. Part of Passwordless is simply using your password less. Hopefully you will continue to explore and adopt the passwordless authentication methods. Thanks for your feedback!  


Occasional Contributor

To prove you are committed to Passwordless Auth (This is the way! :smile:), please replace the "Enter password" dialog with the "Choose a way to sign in" dialog - then legacy users can choose "Use my password".

Occasional Contributor

Quick question about the new Windows Hello for Business pane. If you delete a WHfB credential from here, will it prompt the user to re-enroll into WHfB? Could this be used to change users from cert-based auth to key-based auth or vice versa just by deleting the user's existing WHfB credential in the portal? Or do you still need to run certutil.exe -DeleteHelloContainer to remove the container and prompt for enrollment?


Thanks in advance!

Version history: last updated Mar 04 2021 08:54 AM