Hi folks - welcome to the second post in the holiday '23 series.
Today's post is about a capability that sat in preview for a long time and then, to the surprise of much of the world, recently moved to General Availability (GA).
It allows you to sign in to an Entra joined Windows PC (not hybrid joined) using the familiar web sign-in form/pop-up dialog box.
With this sign-in method you certainly can use your password, but passwords are so 'yesterday'. Let's go passwordless and use MS Authenticator + Phone sign-in, which can serve as a form of 'multi-factor' sign-in.
IMPORTANT: This sign-in method is called 'web sign-in'. If there is no 'web', there is no sign-in: offline sign-ins won't work, because no credential is cached locally for this sign-in method.
Here are the high-level steps and a little animation of the experience on Windows 11 + MS Authenticator on iOS.
1. Deploy the setting to Windows via a Configuration Profile. This activates the web sign-in credential provider in Windows and adds the little globe to the sign-in options list you'll see below.
2. From the PC:
   - Select the 'Sign-in options' link and select the little globe.
   - Select the 'Sign in' button.
   - The next steps vary a bit:
     - After the user has enabled Phone sign-in in the MS Authenticator app, the first time she wants to use it she selects 'Other ways to sign in' in the web form that pops up, and then 'Approve a request on my Authenticator app'.
     - After the first time, she only needs to select 'Send notification' in the web pop-up to have the request sent to the phone.
3. From the phone (again, after you've enabled 'Phone Sign-in' in the settings of the MS Authenticator app):
   - You'll be prompted to complete the MFA and passwordless sign-in via MS Authenticator (in my case, enter the number match + Touch ID).
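Before handing a PC to a user, it helps to confirm two things the steps above depend on: that the device is Entra joined rather than hybrid joined, and that the Configuration Profile actually delivered the web sign-in setting. The script below is my own added example, not something from the post or from Microsoft; it assumes the setting is delivered through the Policy CSP node Authentication/EnableWebSignIn and that MDM-applied Policy CSP values are mirrored under the PolicyManager registry key (an assumption about where Windows stores them, verify on your own build), and it reads the join state from the output of dsregcmd /status.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the PC.
# Checks (1) Entra join state via dsregcmd and (2) whether the EnableWebSignIn policy landed.

# If you build the profile as a custom OMA-URI rather than via the settings catalog, the node is:
#   ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn   (Integer, 1 = enabled)

function Get-EntraJoinState {
    # dsregcmd prints lines such as "AzureAdJoined : YES" and "DomainJoined : NO".
    $output = & dsregcmd.exe /status 2>$null
    $joined = ($output | Select-String -Pattern 'AzureAdJoined\s*:\s*(YES|NO)').Matches.Groups[1].Value
    $domain = ($output | Select-String -Pattern 'DomainJoined\s*:\s*(YES|NO)').Matches.Groups[1].Value

    [pscustomobject]@{
        EntraJoined  = ($joined -eq 'YES')
        DomainJoined = ($domain -eq 'YES')
        # Web sign-in is for Entra joined devices; hybrid (Entra + domain) is out of scope.
        Supported    = ($joined -eq 'YES' -and $domain -ne 'YES')
    }
}

function Get-WebSignInPolicyState {
    # Assumed mirror location for MDM-delivered Policy CSP values.
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $name = 'EnableWebSignIn'

    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Applied = $false; Value = $null; Note = 'Policy area not present; profile not applied yet' }
    }

    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        return [pscustomobject]@{ Applied = $false; Value = $null; Note = 'Policy area present but EnableWebSignIn not set' }
    }

    [pscustomobject]@{
        Applied = ($value -eq 1)
        Value   = $value
        Note    = if ($value -eq 1) { 'Web sign-in credential provider enabled' } else { 'Policy delivered but set to disabled' }
    }
}

$join   = Get-EntraJoinState
$policy = Get-WebSignInPolicyState

Write-Host "Entra joined : $($join.EntraJoined)   Domain joined : $($join.DomainJoined)   Supported : $($join.Supported)"
Write-Host "Policy       : Applied=$($policy.Applied) Value=$($policy.Value)  ($($policy.Note))"

if (-not $join.Supported) {
    Write-Warning 'Device is not (purely) Entra joined; web sign-in will not appear in sign-in options.'
}
if (-not $policy.Applied) {
    Write-Warning 'EnableWebSignIn is not applied; sync the device with Intune and re-check.'
}
```

Because web sign-in has no cached credential, a "Supported" and "Applied" result still only means the globe will show up; the user additionally needs network connectivity at the lock screen for the sign-in itself to succeed.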