For the Azure Portal, authentication is performed through Microsoft’s identity platform. The available primary authentication methods depend on whether the user signs in with a Microsoft Account (MSA) or with a Microsoft Entra ID (formerly Azure AD) account. In both cases, Microsoft has expanded passwordless sign-in so that several methods can function as the primary factor rather than a password.
For Microsoft Entra ID accounts, the following methods can be used as primary authentication without a password when the tenant is configured to allow them.
FIDO2 security keys are supported for passwordless sign-in. These are hardware or platform authenticators compliant with the FIDO2/WebAuthn standard and can include USB, NFC, or Bluetooth security keys as well as platform authenticators such as Windows Hello backed by TPM.
Windows Hello for Business can be used as a primary authentication method when signing in from a Windows device joined to Entra ID or hybrid joined to Active Directory; the private key stored in the TPM is used instead of a password.
Microsoft Authenticator passwordless phone sign-in allows the user to enter their username and approve a number-matching prompt in the Microsoft Authenticator app, replacing the password.
Passkeys (which are implemented through FIDO2/WebAuthn and may be stored on devices or synced through passkey providers) are also supported as passwordless authentication for Entra ID when enabled.
Certificate-based authentication using client certificates can also function as a primary authentication method for Entra ID users when configured in the tenant; the user presents an X.509 certificate mapped to their account.
Smart cards can be used when integrated with certificate-based authentication because they provide the certificate and private key.
Temporary Access Pass can be configured as a time-limited primary credential used to bootstrap passwordless methods or sign in without a password.
In some federated environments, Kerberos-based Integrated Windows Authentication can also serve as the primary authentication mechanism when the browser is domain-joined and accessing a federated identity provider.
For Microsoft Accounts (personal accounts such as Outlook.com, Hotmail.com, etc.), passwordless sign-in is also supported. Microsoft Authenticator passwordless phone sign-in can act as the primary authentication method. FIDO2 security keys and passkeys are supported as passwordless authentication methods for Microsoft Accounts and can be used directly instead of passwords when signing in. Windows Hello can be used as a passkey provider on supported devices and effectively acts as the primary authentication factor for the Microsoft Account on that device.
External identity providers can be used with Azure Portal only when authentication is federated to Microsoft Entra ID or when external identities are configured. In a federated Entra ID tenant, authentication can be redirected to an external IdP using standards such as SAML 2.0, WS-Federation, or OpenID Connect. The most common supported enterprise identity providers include Active Directory Federation Services (AD FS), PingFederate, Okta, Shibboleth, and other SAML 2.0 or OIDC-compatible providers. When a tenant is federated, the external IdP performs the primary authentication and returns a token to Microsoft Entra ID, which then grants access to Azure Portal. Entra ID B2B collaboration also allows external users to authenticate using their home identity provider (another Entra ID tenant, Microsoft Account, Google identity, or SAML/WS-Fed federation depending on configuration). However, Azure Portal access still ultimately depends on Entra ID issuing the final token for the portal.
Relevant official Microsoft documentation describing these authentication methods includes the following.
Microsoft Entra authentication methods overview https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
Passwordless authentication options in Microsoft Entra ID https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless
FIDO2 security key authentication https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key
Windows Hello for Business authentication https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
Certificate-based authentication in Microsoft Entra ID https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication
Temporary Access Pass https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
Identity federation with Microsoft Entra ID https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed
External identities and federation in Microsoft Entra ID https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview
hth
Marcin
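An added example, not part of the answer above or Microsoft's own code: a tenant-side check of which of the listed passwordless methods are actually usable as a primary factor, run over a constructed sample shaped like the Microsoft Graph response for `GET /policies/authenticationMethodsPolicy`. The sample data and the function name `passwordless_report` are assumptions; exclude targets are ignored, and a missing `authenticationMode` is treated as `any`.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
# GET /policies/authenticationMethodsPolicy (trimmed; not real tenant data).
SAMPLE_POLICY = json.loads("""
{
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users",
                         "authenticationMode": "push"}]},
    {"id": "TemporaryAccessPass", "state": "disabled", "includeTargets": []},
    {"id": "X509Certificate", "state": "enabled",
     "includeTargets": [{"targetType": "group",
                         "id": "00000000-0000-0000-0000-000000000001"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]}
  ]
}
""")

# Policy ids of the passwordless methods from the answer that live in this policy.
PRIMARY_CAPABLE = {"Fido2", "MicrosoftAuthenticator", "X509Certificate", "TemporaryAccessPass"}
# Authenticator target modes that permit phone sign-in; "push" is MFA approval only.
PHONE_SIGN_IN_MODES = {"any", "deviceBasedPush"}

def passwordless_report(policy):
    """Map each primary-capable method id to (usable_as_primary, scope)."""
    report = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("id") not in PRIMARY_CAPABLE:
            continue
        targets = cfg.get("includeTargets") or []
        if cfg["id"] == "MicrosoftAuthenticator":
            # Assumption: a target without authenticationMode behaves as "any".
            targets = [t for t in targets
                       if t.get("authenticationMode", "any") in PHONE_SIGN_IN_MODES]
        usable = cfg.get("state") == "enabled" and bool(targets)
        if not usable:
            scope = "none"
        elif any(t.get("id") == "all_users" for t in targets):
            scope = "all_users"
        else:
            scope = "groups"
        report[cfg["id"]] = (usable, scope)
    return report
```

In the sample, Microsoft Authenticator is enabled but scoped to `push` only, so it is reported as not usable for passwordless phone sign-in. Windows Hello for Business and federation are configured outside this policy and are not covered by the check.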