Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Authenticator App - passwordless - when prompted?

Steel Contributor

Hi,

 

i'm asking myself when the MS Authenticator App should ask for a passwordless sign-in (presenting of the three numbers)?

I've enabled the passwordless signin for my tenant account. This is working, when signin from a foreign device when e.g. in home office.

When i'm inside my company and loging in from an incognito session inside my browser i'm still asked for my password.

Could this be a an error when using azure conditional access inside our company?

 

Thanks in advance.

Patrick :)

19 Replies
My passwordless experience has been random. It used to work then it pretty much stopped. My personal Microsoft account usually works but from my azure joined Windows hello machine I still get password prompts and code instead of the three options. If the 3 options did come up in the past I usually had to click this annoying send notification button to get to the login screen.

Not sure if I need to setup again but I’m having similar pains. I kind of gave up on it for now. Been busy.

Passwordless is basically using a different auth flow, thus the "known issues" with AD FS and PTA. And the apps themselves need to be coded to recognize that flow, so experience will vary. It's a new feature still, they will polish it eventually.

@Chris Webb Thank you for sharing your experiences. I've already set up passwordless again, but no improvement. A few months ago everyhting was working really good. Too bad.

 

@Vasil Michev Thank you, too. I hope so. (The'll have to polish things up.)

I have a very similar experience. Sometimes it needs 3 numbers sometimes it's only one, sometimes it needs my email and password, sometimes password only, sometimes it's a notification. It's very inconsistent, like many things in Microsoft. I have 4 different admin centres for one office 365:

https://admin.microsoft.com/AdminPortal/Home#/homepage

https://security.microsoft.com/homepage

https://compliance.microsoft.com/homepage

https://protection.office.com

Does it make sense? Of course not.

@KrisDeb 

 

The Security & Compliance Admin UI is going to be split up into two. (1x Security / 1x Compliance).

I think the 2-in-1 will be go away.

 

But, of course, you're totally right. :D

@PatrickF11 did you manage to solve this? I am doing a pilot with two users and having different experiences.

One is a existing user with their mobile phone already enrolled to intune and that is setup for combined registration and as the authentication app. When he log´s in it ask´s for the password and then the notification with 3 number to choose from.

The other is a new user, that enrolled the device to intune, installed the authentication app, the MFA as activated (not the combined experience). When this user connects it immediately gets a notification in the app to authenticate by select one number.

@Ricardo Mendes unfortunatelly not.

A few month everything was working as expecrted, then there were a few month where my account didn't do passwordless at all. Nowadays it is working.... how should is say... "sometimes"... 

By the way: atfer i use PIM in the morning the next login gets prompted with passwordless (3 numbers). The first login before i executed PIM is asking for my password.... Strange.
I have the same experience.
Passwordless is still in preview so things might change overtime. We'll just have to wait and live with the limitations currently
Good to know, that I’m not the only one with these circumstances.
Hopefully the Journey going passwordless progressing fast.
By the way: Today my passwordless sign-in is working as expected.
(The only thing not working is the confirmation on the apple watch. This was working a few month ago.) :D

@PatrickF11 from my side, the customer is now seeing the expected behavior. Speaking with Microsoft and since it is in preview the failures are expected. But the feature works fine. So now we will wait for the GA and then implement.

I'm still in this same boat as this original issue. It randomly allows me to select one of the three numbers or lets me click approve or only gives me the option of entering a password or sometimes I can enter a password or choose to use an app.
best response confirmed by PatrickF11 (Steel Contributor)
Solution

@imorton777 one possible solution could be this hint:

The passwordless authentication promt (three digit choice) only appears automatically, if your last sign-in was used by this method. If you're being prompted to use your password try to click on "other ways to sign-in", then choose app request.

After you've successfully signed in, try to log out or open up a new incognito session and sign in again.

Then you should be faced with the passwordless method. :)

This was a pain in the **bleep** for me until i got this understanding.

thank you so much!! This is exactly the answer I was looking for. I've been fighting this issue for DAYS! If I ever meet you, I owe you lunch!

@TerryG No probs. ;)

What's on the menu?  Have a nice day.

 

By the way: i felt free to mark my own answer as the best respone. :D Feesl kinda strange.

I ran into a similar issue and found that we had to have users manually enable a feature from the Microsoft Authenticator app. It's called "Enable phone sign-in". After this, they were able to successfully use passwordless authentication. This was disapointing because there is no way to automatically set this up for users, as such making passwordless the primary method would be nearly impossible to maintain.
I got this point, and im not satisfied with this, too.
You could give conditional access a try: Grant control > authentication strenght > passwordless.
Therefore you could force users to login passwordless. (I know, this is not the best choice :-/)
1 best response

Accepted Solutions
best response confirmed by PatrickF11 (Steel Contributor)
Solution

@imorton777 one possible solution could be this hint:

The passwordless authentication promt (three digit choice) only appears automatically, if your last sign-in was used by this method. If you're being prompted to use your password try to click on "other ways to sign-in", then choose app request.

After you've successfully signed in, try to log out or open up a new incognito session and sign in again.

Then you should be faced with the passwordless method. :)

This was a pain in the **bleep** for me until i got this understanding.

View solution in original post