Migrate from 3rd party tool to Azure AD passwordless sign-in

Testa 571 Reputation points
2023-08-21T08:13:54.13+00:00

Hi

My client is currently using OneLogin, which enables its users to log in without entering any password. My questions are:

1. If the client wants to use either Windows Hello for Business or Microsoft Authenticator instead, what steps should be taken? Does the client need to provide a password to all the users, so that these users can then set up Windows Hello for Business or Microsoft Authenticator passwordless sign-in?

2. Should we cut off the connection to Azure AD from OneLogin first? What should the procedure be?

3. The client is concerned about Windows Hello for Business passwordless sign-in, since users can log in with a PIN instead of biometric authentication. Some users tend to keep a note on the laptop indicating their PIN or password. Any solution for this (we told them not to do this, but some of them won't listen to us)?

4. There are mobile phones provided by the company which are not registered in Intune. We saw the process in the document and decided to let users register them as personal devices (the users do not want to reset all the information on their mobiles). But if we allow users to register, all users, even those who have no company-provided device, can register in Intune, right? In this case, how can we make sure to allow only company-provided devices to access the resources?


Accepted answer
    Michael Smith 2,931 Reputation points Microsoft Employee
    2023-08-22T14:29:51.3266667+00:00

    Hi there, and thank you for contacting the Microsoft Community.

    Please review my responses to your questions below.

    1. If the client wants to use either Windows Hello for Business or Microsoft Authenticator instead, what steps should be taken?


    You can have both WHFB and the Authenticator in place, so if a user works on a device that does not support WHFB, the Authenticator can be used instead.


    Setting up passwordless sign-in with the Authenticator can be achieved by following this doc:

    Passwordless sign-in with Microsoft Authenticator - Microsoft Entra | Microsoft Learn


    Windows Hello for Business has 3 deployment and trust models depending on your environment and preference. You should review the following document to find the deployment model that suits you.

    Windows Hello for Business Deployment Overview - Windows Security | Microsoft Learn


    Does the client need to provide a password to all the users, so that these users can then set up Windows Hello for Business or Microsoft Authenticator passwordless sign-in?


    __Users will still require their Azure AD password in order to authenticate to the tenant initially. If the device they are using supports provisioning WHFB (depending on your deployment), then they will be prompted to set up their PIN and WHFB biometrics.__

    __If the device does not support WHFB, then the user will sign in to their machine using their AAD username and password.__


    2. Should we cut off the connection to Azure AD from OneLogin first? What should the procedure be?


    Please review the following doc on migrating to cloud authentication from federation.

    Perhaps a staged rollout would be the safer option, with a test group.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/migrate-from-federation-to-cloud-authentication#create-necessary-groups-for-staged-rollout


    3. The client is concerned about Windows Hello for Business passwordless sign-in, since users can log in with a PIN instead of biometric authentication. Some users tend to keep a note on the laptop indicating their PIN or password. Any solution for this (we told them not to do this, but some of them won't listen to us)?


    If passwords and PINs are being written down, this is obviously a security risk and users should be advised not to do so. An extra level of security would be using MFA, so even if a password is compromised the attacker would also need the user's end authentication, i.e. Microsoft Authenticator.


    However, if you wanted to move away from passwords and PINs altogether, perhaps FIDO keys are something you could consider.


    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys


    4. There are mobile phones provided by the company which are not registered in Intune. We saw the process in the document and decided to let users register them as personal devices (the users do not want to reset all the information on their mobiles). But if we allow users to register, all users, even those who have no company-provided device, can register in Intune, right? In this case, how can we make sure to allow only company-provided devices to access the resources?


    In Intune you can manage how to allow personal devices access to your resources.

    Please review the following doc.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-planning-guide#personal-devices-vs-organization-owned-devices


    Do let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
