I remember a time where I didn’t have to use a password to login to Windows. I simply turned on my computer, which booted into DOS, and I then typed “win” in the command line to launch Windows 3.1.
I am getting old 🙂
Today passwords are used everywhere which of course also applies when logging in to Windows. But let’s face it, most users are not very good at creating passwords, because they are usually difficult to remember and it often ends up being a fairly simple and easy to remember password. Even if we implement policies which enforces strong and complex password, these passwords are even harder to remember and sometimes ends up on a piece of paper “hidden” under the keyboard or in the top desk drawer. Signing in with a username and password has proven to no longer be safe, many websites and services offer support for MFA (multifactor authentication) as an additional layer of security.
But what if you could get rid of the password entirely? Microsoft has made it possible for us to go “password less”. What this means is that when a user logs in to Windows or a Microsoft cloud service like Microsoft 365 Apps, a password will no longer be required. This is a good thing, because the user is no longer required to set a password, and/or change a password at certain intervals.
With that that said, I want to find out if it’s possible to create a brand new Azure AD user and have this user enroll a mobile device and a Windows device to Intune, without ever having to use a password or even set a password. This scenario is by now, hopefully a real life scenario, if not then I hope this article will start your Windows cloud managed device journey with no passwords!
Table of Contents
To be able to go passwordless you have to be able to enroll a mobile device in Intune, install the Microsoft Authenticator App and register for Self-Service Password Reset and Azure MFA, this makes it possible for you to enable passwordless sign-in in the Microsoft Authenticator App thus being able to access Microsoft Cloud apps without using a password.
To enable passwordless sign-in on your Windows device, you will have to enroll it in Intune as we are using Intune to enforce the use of Windows Hello for Business.
Windows Hello for Business requires a PIN code to be configured as a part of the enrollment process. The PIN code is mandatory, as it is used to sign in to Windows if any other methods configured, such as biometric authentication, is not working. Biometric authentication can be either facial, fingerprint or iris recognition. I strongly recommend the biometric authentication feature!
Both the PIN code and the biometrics can only be used on the device where they are configured, you cannot transfer them other Windows computers.
To be able to enroll both the mobile device and the Windows device without a password, you will need a so called Temporary Access Pass (TAP). A Temporary Access Pass is as the name implies, a temporary and time-limited password issued to the user. A TAP can be configured for single or multi use, in this article I will be using a multi use TAP, as the enrollment of the Windows device requires 2 sign-ins. When using a multi use TAP, I strongly recommend configuring a time limit on the TAP!
Temporary Access Pass – Configuration
The TAP feature will have to be enabled and configured before you can assign a TAP to a user.
To enable TAP, go to the Microsoft Entra admin center.
Go to Protection -> Authentication Methods.
From here you can enable and configure the Temporary Access Pass feature.
I have selected All Users, if you prefer, you can of course use a dedicated group instead.
To configure a time-limit on the TAP, go to Configure.
In the Temporaray Access Pass setting you can configure minimum and maximum TAP lifetime as well as TAP length. In this example there is a maximum TAP lifetime of 2 hours configured and minimum TAP lifetime of 1 hour, this means that the TAP will have to have at least a 1 hour lifetime but a maximum of 2 hours lifetime. Configure both the lifetime and the length to suit your needs.
Let’s have a look at how to configure TAP on a user account.
I have created a brand new user called taptest.
To configure TAP, go to Authentication Methods.
As this is a new user, no authentication methods are configured, but there can be several authentication methods here, depending on what the user has configured.
To assign a TAP to a user click the Add authentication method.
In the choose authentication box, select Temporary Access Pass. Once selected you will be able to configure the activation duration, you will also be able to have a delayed start, which means that the TAP will be active and valid on a specific date and time. This is useful in a user onboarding scenarios as you are then able to configure that the TAP should be active on the first day of employment.
I have configured a TAP with a 4 hours activation duration. This means that the user will be able to authentication against Azure AD for 4 hours using only username and the TAP, unless you configure one-time use, then the user will of course only be able to use the TAP once, within the 4 hour time period. Be mindful about how long you want these TAPs to live and make sure that it’s mandatory to register another authentication method during device enrollment or account configuration.
When the TAP is configured it will appear in the usable authentication methods. When the TAP expires, it will appear in the non-usable authentication methods and can no longer be used as an authentication method.
When the user eventually configures additional authentication methods like Windows Hello for Business and the Microsoft Authenticator app, you will also see these as usable authentication methods.
As mentioned earlier, I recommend to have the user register an additional authentication method, like the Microsoft Authenticator.
Conditional Access can be used to configure a policy that requires MFA when registering or joining a new device to Intune and Azure AD. This will trigger the registration of an additional authentication method, like the Microsoft Authenticator, during the enrollment process.
To configure a conditional access rule to require MFA when registrering og joining a device go to the Microsoft Entra admin center.
Conditional Access -> Policies.
Create a new policy.
Provide a suitable name, and select which users or groups this policy should apply to, don’t forget to exclude your break glass admin accounts.
In the Target resources select User actions in the dropdown box and select register or join devices.
In the Grant access control, select Grant access and select Require multifactor authentication.
You are now prompted to provide MFA during the device enrollment process.
Windows Web Sign-in
The Windows device enrollment requires the user to provide a username and password as a part of the enrollment process. However the Windows user authentication feature doesn’t support TAP, hopefully this is something Microsoft will enable in future Windows releases.
This means that the Web Sign-in feature has to be enabled, as it is not default in Windows. It can be enabled via a configuration policy in Intune .
Go to the Microsoft Intune admin center.
Go to Devices -> Configuration
Create a new configuration policy.
In the Platform drop-down box, select Windows 10 and later and in the Profile type drop-down box, select Settings catalog.
Click Add settings
Type “enable web sign in” in the search bar and hit search. Select the Authentication category and then the Enable Web Sign in” setting.
In the drop down-box, select “Enabled. Web Sign-in will be enabled for signing in to Windows”.
All there is left, is to assign the policy to a device or a group. You are now ready to begin your journey with no passwords.
Temporary Access Pass – Usage
So, how does this look from the users side?
Well, seeing is believing so I have created a couple of small videos showing how to use the TAP on an Android device and a virtual Windows 11 22H2 machine.
As mentioned, TAP is considered an MFA method, however it’s time limited hence it will expire at some point. This means that you, as a user, should configure whatever MFA method supported, as soon as possible, otherwise you might not be able to access either devices nor data.
As I have the aforementioned conditional access rule that requires the registration of additional authentication methods configured, I am enrolling my Android device before my Windows device to configure the Microsoft Authenticator app. If I enroll my Windows device before my Android device, I will get stuck, because I don’t have my mobile device ready and configured.
Let’s see how that looks like, from a users perspective.
Android device enrollment
This video shows the android enrollment process via Company Portal, using the TAP authentication method.
Once the device is enrolled you are able to setup and configure the Microsoft Authenticator app, which enables passwordless sign-in to i.e.. Microsoft 365 Apps.
This video show the Microsoft Authenticator configuration which is deployed as a work managed app. In the end of the video you can see that Passwordless sign-in is enabled, just above the one-time password code.
Windows device enrollment
This video shows to Windows 11 enrollment process. I have sped up parts of the video, as the provisioning phase is mostly uneventful.
At the second login prompt I am using Windows Web Sign-in, where I provide the username and the TAP assigned to that user.
You are now ready to start your Windows cloud managed device journey, with no passwords.