Configuring Microsoft Authenticator – Planning and Implementing Authentication


The Microsoft Authenticator app provides a convenient way to sign in to any Azure AD account with a supported mobile device. Before users can sign in using this method, however, it must be enabled in your tenant through the authentication policy.
Configuring the authentication policy
To enable users to sign in with Microsoft Authenticator, you need to configure the authentication policy. The authentication policy is shared across the tenant, though each authentication method can be scoped to groups of users.
Configuring and managing the policy requires an account with the Global Administrator or Authentication Administrator role.

  1. Navigate to the Azure portal (https://portal.azure.com).
  2. Select Azure Active Directory | Security | Authentication methods and then select Policies.

Figure 7.14 – Authentication methods

  3. Select Microsoft Authenticator.
  4. On the Enable and Target tab of the Microsoft Authenticator settings page, slide the Enable toggle to on.

Figure 7.15 – Enabling Microsoft Authenticator

  5. Using the Include and Exclude tabs, specify which users the policy settings will apply to. Select the All users radio button to include all users in the policy or choose the Select groups radio button to specify which groups will be included or excluded. Each group can have a separate Authentication mode value selected, including Any (default), Passwordless, or Push. Choosing Push as the option prevents the use of the password-less phone sign-in credential.
  6. Click Save to update the policy configuration.

After configuring the policy, users will need to register any devices to be used for passwordless authentication.
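The same policy can be set and reviewed outside the portal through the Microsoft Graph authentication methods policy resource. The following is an added example, not code from the book: it builds the request body that corresponds to steps 3 to 6 above and audits a configuration (as Graph returns it) for the mistakes an administrator most often makes, an enabled method with no targets, a group that is both included and excluded, and a group limited to Push that therefore cannot use phone sign-in. The resource path, the body layout, the `authenticationMode` values (`any`, `push`, and `deviceBasedPush` for the portal's Passwordless) and the `all_users` target id are taken from the Graph schema for `microsoftAuthenticatorAuthenticationMethodConfiguration` and should be checked against your tenant before use; the group ids are constructed sample values.

```python
"""Build and audit the Microsoft Authenticator authentication-method policy.

Added example (not from the book). Mirrors the portal steps using the
Microsoft Graph resource
  /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
The body layout and the authenticationMode values are assumptions taken from
the Graph schema for microsoftAuthenticatorAuthenticationMethodConfiguration.
"""
import json
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/microsoftAuthenticator")

# Portal label -> Graph authenticationMode value (assumed mapping)
MODE_FOR_LABEL = {"Any": "any", "Push": "push", "Passwordless": "deviceBasedPush"}

# Assumed: the portal's "All users" radio button is the group target with this id
ALL_USERS_ID = "all_users"


def build_authenticator_config(include_groups, exclude_groups=(), state="enabled"):
    """Return the PATCH body that enables Authenticator for the given groups.

    include_groups: mapping {group_object_id: portal label "Any"/"Push"/"Passwordless"}
    exclude_groups: iterable of group object ids that must never use the method
    """
    targets = [
        {"targetType": "group", "id": group_id, "authenticationMode": MODE_FOR_LABEL[label]}
        for group_id, label in include_groups.items()
    ]
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": state,
        "includeTargets": targets,
        "excludeTargets": [{"targetType": "group", "id": g} for g in exclude_groups],
    }


def audit_authenticator_config(config):
    """Inspect a configuration (shape as returned by Graph) and list problems.

    Returns a list of human-readable findings; an empty list means nothing to fix.
    """
    findings = []
    if config.get("state") != "enabled":
        findings.append("Microsoft Authenticator is disabled: no user can register it")
        return findings
    includes = config.get("includeTargets", [])
    if not includes:
        findings.append("enabled but no include targets: policy is a no-op")
    excluded = {t["id"] for t in config.get("excludeTargets", [])}
    for target in includes:
        gid = target["id"]
        if gid in excluded:
            findings.append(f"group {gid} is both included and excluded (exclude wins)")
        if target.get("authenticationMode") == "push":
            findings.append(f"group {gid} limited to push: passwordless phone sign-in blocked")
    return findings


def apply_config(access_token, body):
    """PATCH the policy. Requires Policy.ReadWrite.AuthenticationMethod; not run offline."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample ids, not real group object ids
    body = build_authenticator_config(
        {"00000000-0000-0000-0000-000000000001": "Passwordless",
         "00000000-0000-0000-0000-000000000002": "Push"},
        exclude_groups=["00000000-0000-0000-0000-000000000002"])
    print(json.dumps(body, indent=2))
    for finding in audit_authenticator_config(body):
        print("finding:", finding)
```

Run the audit against the body you are about to send as well as against the configuration read back with a GET on the same URL; the second check catches a save that silently dropped a target.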
Registering devices
Before users can log in to the service using Microsoft Authenticator, they will need to register their devices. If they’ve already registered for MFA, nothing else needs to be done.
If a user who has not registered signs in to the Microsoft 365 portal, they are greeted with a More information required dialog as part of the sign-in process.

Figure 7.16 – More information required
During the process, they are redirected to download the Microsoft Authenticator app.

Figure 7.17 – The Keep your account secure page
After they click Next, they are prompted to launch the Microsoft Authenticator app and click Add an account. Following the directions on the mobile device should launch a new window, which allows them to scan a unique QR code to link their device to their account.

Figure 7.18 – Registering a device
Once the device has been linked, the enrollment process will ask the user to confirm a code between the registration screen and their Microsoft Authenticator app. After completing the challenge, users should be presented with a confirmation screen, similar to the one shown in Figure 7.19.

Figure 7.19 – The authenticator registration screen
The user’s final step for full password-less sign-in from the Microsoft Authenticator app is to configure the device itself. In Microsoft Authenticator, the user can open the app and select Enable phone sign-in:

Figure 7.20 – Microsoft Authenticator’s phone sign-in box
This will start a process to configure the device for password-less sign-in. After configuration, the user can choose to log in with an app instead, triggering the phone authentication notification on their device. See Figure 7.21:

Figure 7.21 – Launching password-less sign-in
The user then completes the login challenge in the Microsoft Authenticator app to finish logging in to Microsoft 365.
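The registration walkthrough above is driven by each user, so an administrator usually wants to know who has finished it, who has the app but never enabled phone sign-in, and who will still be stopped by the More information required dialog. The following added example (not from the book) sorts the rows of the Graph registration report, GET /reports/authenticationMethods/userRegistrationDetails, into those buckets. The field names `userPrincipalName`, `isMfaRegistered` and `methodsRegistered`, and the method names `microsoftAuthenticatorPush` and `microsoftAuthenticatorPasswordless`, are assumptions taken from that report's schema; the report rows below are constructed sample data with `.example` addresses.

```python
"""Classify users by Microsoft Authenticator registration state.

Added example, not from the book. Assumed field and method names follow the
Graph report /reports/authenticationMethods/userRegistrationDetails.
"""
AUTHENTICATOR_PUSH = "microsoftAuthenticatorPush"
AUTHENTICATOR_PASSWORDLESS = "microsoftAuthenticatorPasswordless"

# Constructed sample report rows, not real tenant data
SAMPLE_REPORT = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": [AUTHENTICATOR_PUSH, AUTHENTICATOR_PASSWORDLESS]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": [AUTHENTICATOR_PUSH]},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
]


def classify_registrations(rows):
    """Group users by how far through the Authenticator registration they are.

    passwordless_ready: phone sign-in enabled (Figure 7.20 completed)
    push_only:          app registered, phone sign-in not yet enabled
    mfa_no_app:         MFA registered another way, so no prompt, but no app
    will_be_prompted:   no MFA at all; sees "More information required" at sign-in
    """
    buckets = {"passwordless_ready": [], "push_only": [],
               "mfa_no_app": [], "will_be_prompted": []}
    for row in rows:
        upn = row["userPrincipalName"]
        methods = set(row.get("methodsRegistered", []))
        if AUTHENTICATOR_PASSWORDLESS in methods:
            buckets["passwordless_ready"].append(upn)
        elif AUTHENTICATOR_PUSH in methods:
            buckets["push_only"].append(upn)
        elif row.get("isMfaRegistered"):
            buckets["mfa_no_app"].append(upn)
        else:
            buckets["will_be_prompted"].append(upn)
    return buckets


if __name__ == "__main__":
    for bucket, users in classify_registrations(SAMPLE_REPORT).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

The `mfa_no_app` bucket is the one the text's "nothing else needs to be done" does not cover: those users will not be prompted, so they only gain phone sign-in if someone asks them to add the app.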
