Authenticator Phone Sign-In for Office 365 Work Accounts?

Copper Contributor

I have the Microsoft Authenticator setup for both my personal Microsoft account and have been testing it with our new Office 365 work account that we just set up.

 

My personal account was setup with Phone sign-in where instead of a password it shows you a selection of 3 numbers, you chose the one that is shown on the login window, use your pin/fingerprint and it signs you in without a password.

 

My work one uses the traditional one where you enter your password and it then asks you to approve it on the mobile device.

 

I noticed that I could set up Phone Sign-In for my work account in the authenticator app, after doing so it seems as if nothing has changed. It still asks me for the password everywhere, and gives me the traditional approve/deny message in the app. 

 

Am I doing something wrong? I didn't see any setting that seemed to allow or deny the use of phone sign in inside the exchange/azure admin panel settings. My account is already set to enabled for multi factor (or it wouldn't be working at all) and I can't seem to find any other information about this.

 

I found a microsoft doc page that said it was possible and listed the steps for work or school accounts.

I've done everything on the authenticator app side that it mentioned, but nothing has changed on the login side. Not inside the email web login or with logging into office apps, both work to prompt the newer phone sign-in when I use my personal credentials instead.

 

Thanks!

4 Replies

it Could be that your admin has predefined the way you should use MFA. Which basicly means you can not change it to the app.

I have full admin access and for the life of me can not find any setting that has anything to do with restricting different kinds of MFA, just enabling or disabling it entirely per account.

 

The Microsoft docs on this don't seem to touch on any changes that need to be made on the admin side for environments where the older password/authorization MFA was already working.

 

If this is something that is admin set I would really love to know where.

It's not yet possible to do this with Azure AD/Office 365 accounts. But it's coming, as part of the whole buzz around "passwordless login".

Not sure if you managed to solve this, but did you do the following:

 

1: Open PowerShell in admin mode

2. Run Install-Module -Name AzureADPreview -AllowClobber

3. Connect-AzureAD 

4. New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

 

Once this is done, then enable phone sign on the authenticator app.