Using passwordless sign-in with Microsoft Authenticator app

The Microsoft Authenticator app can be used to sign in to any Azure AD account without using a password. Instead of seeing a prompt for a password after entering a username, a person who has enabled phone sign-in from the Microsoft Authenticator app sees a message that asks them to tap a number in their app. To complete the sign-in process in the app, the user must then take the following actions:

  1. Enter the number they see on the login screen into the Microsoft Authenticator dialog.
  2. Choose Approve.
  3. Provide their PIN or biometric.

Available To

Staff only

Getting Started

With the passwordless authentication method available in Azure AD, users can now register themselves for it using the following steps. Please visit the page in step 1 for the enrolment. After you have completed the final step, you can sign in without a password and without the need to use Duo 2FA:

  1. Visit Azure MFA enrollment (https://mfa-enroll.ust.hk/) to perform the enrollment

    You may refer to Set up Azure MFA for screen captures before you perform the above enrolment.
  2. Change the Default sign-in method: Microsoft Authenticator - notification
    Visit the Security Info page and change the Default sign-in method to Microsoft Authenticator - notification if it is not already set.

  3. Set up phone sign-in (passwordless sign-in)
    In the Microsoft Authenticator app on your mobile device, tap your email account and then tap Set up phone sign-in. You will be prompted for your password and then asked to approve the 2FA sign-in (if any) for the registration. Please be patient, as the registration will take 1-2 minutes to complete. You may refer to Set up phone sign-in for screen captures.

After Azure MFA is enabled, you will need to sign out of Office applications such as Outlook, Outlook for mobile, OneDrive, Word, etc. and sign in again. Please be patient: the first sign-in will take around 1 minute while the new policy is applied.

Sign in with passwordless credential

The first time you start the phone sign-in process, you will need to:

  1. Enter your email at the sign-in page.
  2. Select Next.
  3. Select Use an app instead.
  4. Enter the number you see on the login screen into the Microsoft Authenticator dialog, followed by your PIN or biometric.
  5. If there is no Use an app instead option:
    1. Select Other ways to sign in if necessary.
    2. Select Approve a request on my Microsoft Authenticator app.
    3. Enter the number you see on the login screen into the Microsoft Authenticator dialog, followed by your PIN or biometric.

Limitation for Android users in China

The Microsoft Authenticator app for Android uses Google’s Firebase Cloud Messaging system and Google Play Services to receive push notifications. Because neither service is available in China, there are some limitations in the app's functionality:

  • Setting up the Authenticator app as a two-step verification method using push notifications isn't currently available.

If you previously managed to set up phone sign-in or two-step verification using the app, you can perform a manual check for notification requests in the app and use them for identity verification. You can also use the verification codes obtained from the Authenticator app to verify your sign-in.