Commit 14ea63a

Merge pull request #204935 from Justinha/multipass-3
Update howto-authentication-passwordless-phone.md
2 parents c481c34 + c8930a6 commit 14ea63a

1 file changed

+11
-20
lines changed

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

Lines changed: 11 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ services: active-directory
77
ms.service: active-directory
88
ms.subservice: authentication
99
ms.topic: how-to
10-
ms.date: 07/14/2022
10+
ms.date: 07/15/2022
1111

1212

1313
ms.author: justinha
@@ -24,38 +24,21 @@ Microsoft Authenticator can be used to sign in to any Azure AD account without u
2424

2525
This authentication technology can be used on any device platform, including mobile. This technology can also be used with any app or website that integrates with Microsoft Authentication Libraries.
2626

27-
:::image type="content" border="false" source="./media/howto-authentication-passwordless-phone/phone-sign-in-microsoft-authenticator-app-next.png" alt-text="Screenshot that shows an example of a browser sign-in asking for the user to approve the sign-in.":::
27+
:::image type="content" border="false" source="./media/howto-authentication-passwordless-phone/phone-sign-in-microsoft-authenticator-app.png" alt-text="Screenshot that shows an example of a browser sign-in asking for the user to approve the sign-in.":::
2828

2929
People who enabled phone sign-in from Microsoft Authenticator see a message that asks them to tap a number in their app. No username or password is asked for. To complete the sign-in process in the app, a user must next take the following actions:
3030

3131
1. Enter the number they see on the login screen into Microsoft Authenticator dialog.
3232
1. Choose **Approve**.
3333
1. Provide their PIN or biometric.
3434

35-
## Multiple accounts on iOS (preview)
36-
37-
You can enable passwordless phone sign-in for multiple accounts in Microsoft Authenticator on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device.
38-
39-
Previously, admins might not require passwordless sign-in for users with multiple accounts because it requires them to carry more devices for sign-in. By removing the limitation of one user sign-in from a device, admins can more confidently encourage users to register passwordless phone sign-in and use it as their default sign-in method.
40-
41-
The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-in from one device.
42-
43-
>[!NOTE]
44-
>Multiple accounts on iOS is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
45-
4635
## Prerequisites
4736

4837
To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:
4938

5039
- Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity.
5140
- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.
52-
- For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android.
53-
- For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:
54-
55-
- [email protected] and bsandhu@wingtiptoys
56-
- For iOS, the option in Microsoft Authenticator to allow Microsoft to gather usage data must be enabled. It's not enabled by default. To enable it in Microsoft Authenticator, go to **Settings** > **Usage Data**.
57-
58-
:::image type="content" border="true" source="./media/howto-authentication-passwordless-phone/telemetry.png" alt-text="Screenshot os Usage Data in Microsoft Authenticator.":::
41+
- The device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android.
5942

6043
To use passwordless authentication in Azure AD, first enable the combined registration experience, then enable users for the passwordless method.
6144

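Review bot: The added bullet at new line 41 drops the "For Android," qualifier but still ends with "We're actively working to enable multiple accounts on Android", so the prerequisite now applies to every platform while its follow-up sentence speaks only about Android. Since the "Multiple accounts on iOS (preview)" section and the iOS prerequisites are removed in this same hunk, consider making that second sentence platform-neutral or dropping it. Also check that telemetry.png and phone-sign-in-microsoft-authenticator-app-next.png under ./media/howto-authentication-passwordless-phone/ are not left orphaned now that the references shown here are removed.
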
@@ -145,6 +128,14 @@ An end user can be enabled for multifactor authentication (MFA) through an on-pr
145128

146129
If the user attempts to upgrade multiple installations (5+) of Microsoft Authenticator with the passwordless phone sign-in credential, this change might result in an error.
147130

131+
### Device registration
132+
133+
Before you can create this new strong credential, there are prerequisites. One prerequisite is that the device on which Microsoft Authenticator is installed must be registered within the Azure AD tenant to an individual user.
134+
135+
Currently, a device can only be enabled for passwordless sign-in in a single tenant. This limit means that only one work or school account in Microsoft Authenticator can be enabled for phone sign-in.
136+
137+
> [!NOTE]
138+
> Device registration is not the same as device management or mobile device management (MDM). Device registration only associates a device ID and a user ID together, in the Azure AD directory.
148139
149140
## Next steps
150141

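Review bot: In the new "Device registration" section (new lines 131-138), "this new strong credential" has no antecedent under this heading; name it, for example "the passwordless phone sign-in credential" as the context line above does. The first paragraph also repeats the registration prerequisite added to the Prerequisites list, while the single-tenant limit ("only one work or school account in Microsoft Authenticator can be enabled for phone sign-in") appears only here. Consider stating that limit in Prerequisites as well, or linking to this section from there, so admins see it before enabling users.
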