Azure AD Passwordless authentication

testuser7 286 Reputation points
2023-12-16T13:44:32.3933333+00:00

Hello,

When we authenticate to Azure AD through the passwordless mechanism, as shown in the screenshots below, I recently found one extra option (circled in blue) to complete authentication.

Can somebody throw more light on what exactly it is? Once clicked, my phone gets a notification, but I am not able to connect the dots as I never configured any extra authentication method in the AAD portal.


Microsoft Security | Microsoft Entra | Microsoft Entra ID

5 answers

  1. Vasil Michev 123.5K Reputation points MVP Volunteer Moderator
    2023-12-16T15:58:50.82+00:00

    Azure AD now supports passkeys (multi-device FIDO keys), as mentioned for example here: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/advancing-cybersecurity-the-latest-enhancement-in-phishing/ba-p/2365681

    Your tenant seems to have this functionality enabled, though there is no way to have this method activated without user interaction, afaik.


  2. testuser7 286 Reputation points
    2023-12-17T14:51:15.8966667+00:00

    Thanks @Vasil Michev

    Yes, I did know about AAD's support for passkeys, and I have also watched the Ignite video of MS-guy Mayur https://www.youtube.com/watch?v=wTLB0Yh70_0 explaining passkey creation in the MS Authenticator app.

    But my question is, is it out now? Are you able to create a passkey in your Authenticator app on Android? I could not create one.


  3. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2023-12-26T14:27:58.2066667+00:00

    @testuser7

    Yes, Android allows third-party credential providers from Android 14.

    https://developers.google.com/identity/passkeys/supported-environments
    Note: Starting from Android 14, users can opt to use third-party credential management apps to store their passkeys.

    Once that is available, users can start storing passkeys in the Authenticator app and using them to authenticate against AAD.

    Hope this helps.

    Please let me know if you have any other questions.

    Regards

    Nagappan V


  4. testuser7 286 Reputation points
    2024-01-05T16:48:26.81+00:00

    Thanks @Nagappan Veerappan

    A couple of quick points to validate around this flow. Do I have to register my Android phone in all the tenants where I am creating a passkey with the help of the MS Authenticator app? I do not think so, but just confirming.

    Secondly, as you said, starting from Android 14 users can opt to use third-party credential management apps to store their passkeys. So basically our MS Authenticator is just a credential manager (similar to all the third-party ones, Bitwarden, Dashlane etc., who are doing passkey management).

    So when I sign into MS Authenticator with e.g. ******@mytenant.com, I will be asked if I want to create a passkey for this account. At that time, will I get a chance to choose the third-party app where I want to sync the passkey? Usually I choose to sync to Google Password Manager, but this time I must choose MS Authenticator. Am I right?


  5. testuser7 286 Reputation points
    2024-01-22T15:03:32.3266667+00:00

    Thanks @Nagappan Veerappan

    A couple of quick points to validate around this flow. Do I have to register my Android phone in all the tenants where I am creating a passkey with the help of the MS Authenticator app? I do not think so, but just confirming.

    Secondly, as you said, starting from Android 14 users can opt to use third-party credential management apps to store their passkeys. So basically our MS Authenticator is just a credential manager (similar to all the third-party ones, Bitwarden, Dashlane etc., who are doing passkey management).

    So when I sign into MS Authenticator with e.g. ******@mytenant.com, I will be asked if I want to create a passkey for this account. At that time, will I get a chance to choose the third-party app where I want to sync the passkey? Usually I choose to sync to Google Password Manager, but this time I must choose MS Authenticator. Am I right?
