Plan for and deploy Microsoft Authenticator

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Microsoft Authenticator converts any iOS or Android device into a secure, password-free credential. It’s available for free on Google Play and the Apple App Store. To enable phone sign-in, have users download Microsoft Authenticator and follow the instructions.

Considerations for Technology

Active Directory Federation Services (AD FS) Integration – When a user activates the Authenticator passwordless credential, authentication for that user defaults to sending an approval notification. Users in a hybrid tenant are not forwarded to AD FS for sign-in unless they select “Use your password instead.” This flow also bypasses any on-premises Conditional Access restrictions and pass-through authentication (PTA) flows. If a login hint is supplied, the user is routed to AD FS, and the option to use the passwordless credential is skipped. Non-Microsoft 365 applications that use AD FS for authentication will not have Azure AD Conditional Access controls enforced, so you will need to configure access control policies within AD FS.

MFA server – End users who are configured for multi-factor authentication via an organization’s on-premises MFA server can create and utilize a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Authenticator app with the credential, an error may occur.

Note: Microsoft no longer provides MFA Server for new deployments as of July 1, 2019. New customers who want to require multi-factor authentication (MFA) during sign-in events should use Azure AD Multi-Factor Authentication, which is cloud-based. Existing customers who activated MFA Server before July 1, 2019, can continue to download the newest version, get future upgrades, and generate activation credentials as usual. We advise switching from MFA Server to Azure AD MFA.

Registration of devices – To use the Authenticator app for passwordless authentication, the device must be enrolled in the Azure AD tenant and cannot be a shared device. A device can only be registered with one tenant at a time. This limitation means that the Authenticator app supports only one work or school account for phone sign-in.

Use the Authenticator app to enable phone sign-in.

To enable the Authenticator app as a passwordless authentication mechanism in your business, follow the steps in the article Enable passwordless sign-in with Microsoft Authenticator.

Authenticator app testing

The following are some sample passwordless authentication test cases using the Authenticator app:

| Scenario | Expected results |
| --- | --- |
| Users can register with the Authenticator app. | User can register app from |
| Users can enable phone sign-in. | Phone sign-in configured for work account. |
| Users can access an app with phone sign-in. | The user goes through the phone sign-in flow and reaches the application. |
| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the Azure AD portal. | Previously enabled users unable to use passwordless sign-in from the Authenticator app. |
| Removing phone sign-in from the Authenticator app. | Work account is no longer available on the Authenticator app. |


Troubleshoot phone sign-in issues

| Scenario | Solution |
| --- | --- |
| Users cannot perform combined registration. | Ensure combined registration is enabled. |
| Users cannot enable the phone sign-in authenticator app. | Ensure the user is in scope for deployment. |
| The user is NOT in scope for passwordless authentication but is presented with the passwordless sign-in option, which they cannot complete. | Occurs when the user has enabled phone sign-in in the application prior to the policy being created. To enable sign-in, add the user to a group of users enabled for passwordless sign-in. To block sign-in, have the user remove their credential from that application. |
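
The scope check behind the last two troubleshooting rows, as an added example that is not from the original article or from Microsoft. It runs over a constructed policy document whose `state`, `includeTargets`, `excludeTargets` and `authenticationMode` fields are modeled on the Microsoft Graph configuration for the Microsoft Authenticator method; the `phone_sign_in_registered` flag, group names and user ids are hypothetical.

```python
# Added example on constructed data, not a live tenant export. Policy field
# names are modeled on Microsoft Graph; verify them against your tenant.

PASSWORDLESS_MODES = {"any", "deviceBasedPush"}  # "push" alone is MFA-only

def _matches(target, user_id, group_ids):
    """True if a policy target refers to this user (directly or via a group)."""
    if target["targetType"] == "user":
        return target["id"] == user_id
    return target["id"] == "all_users" or target["id"] in group_ids

def in_passwordless_scope(policy, user_id, group_ids):
    """Evaluate include/exclude targets; exclusions win over inclusions."""
    if policy.get("state") != "enabled":
        return False
    if any(_matches(t, user_id, group_ids) for t in policy.get("excludeTargets", [])):
        return False
    return any(
        _matches(t, user_id, group_ids)
        and t.get("authenticationMode", "any") in PASSWORDLESS_MODES  # assumed default
        for t in policy.get("includeTargets", [])
    )

def triage(policy, user):
    """Map one user onto the rows of the troubleshooting table."""
    scoped = in_passwordless_scope(policy, user["id"], set(user["groups"]))
    registered = user["phone_sign_in_registered"]
    if scoped and registered:
        return "ok"
    if scoped:
        return "in scope: user can enable phone sign-in in the app"
    if registered:
        return "out of scope with credential: add to group or remove credential"
    return "out of scope: add user to an enabled group to allow phone sign-in"

POLICY = {  # constructed sample
    "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": "grp-pilot", "authenticationMode": "any"}],
    "excludeTargets": [{"targetType": "group", "id": "grp-shared-devices"}],
}
USERS = [  # constructed sample; "phone_sign_in_registered" is a hypothetical field
    {"id": "u1", "groups": ["grp-pilot"], "phone_sign_in_registered": True},
    {"id": "u2", "groups": ["grp-sales"], "phone_sign_in_registered": True},
    {"id": "u3", "groups": ["grp-pilot", "grp-shared-devices"], "phone_sign_in_registered": False},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["id"], "->", triage(POLICY, u))
```

Running it over an export of real users surfaces the accounts that registered phone sign-in before the policy existed, which is the case the last table row describes.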

