Passwordless Auth With Entra

v20260317

implementing-passwordless-auth-with-microsoft-entra

Guides deploying Microsoft Entra passwordless authentication with FIDO2 keys, Windows Hello for Business, Authenticator passkeys, and certificate-based methods while configuring authentication method policies and phishing-resistant conditional access.

Passwordless FIDO2 Microsoft Entra Windows Hello Passkeys Conditional Access Authentication Strength Security Keys

Get Skill

312 downloads

Overview

Implementing Passwordless Auth with Microsoft Entra

When to Use

Organization wants to eliminate password-based attacks (phishing, credential stuffing, brute force)
Regulatory or internal mandate requires phishing-resistant MFA (Executive Order 14028, CISA guidance)
Deploying FIDO2 security keys or Windows Hello for Business across the enterprise
Migrating from legacy MFA (SMS, phone call) to phishing-resistant authentication methods
Implementing passkey support for hybrid or cloud-joined Windows devices
Reducing helpdesk costs from password reset requests

Do not use for environments that cannot support modern authentication protocols; legacy applications using NTLM or basic authentication must be migrated first.

Prerequisites

Microsoft Entra ID P1 or P2 license (Azure AD Premium)
Windows 10/11 22H2+ for Windows Hello for Business deployment
FIDO2-compliant security keys (YubiKey 5 Series, Feitian BioPass, Google Titan)
Microsoft Authenticator app 6.8+ for passkey support on iOS 16+/Android 14+
Hybrid Azure AD join or Azure AD join configured for Windows devices
Conditional Access policies configured for authentication strength

Workflow

Step 1: Configure Authentication Methods Policy

Enable passwordless authentication methods in Microsoft Entra:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "User.ReadWrite.All"

# Enable FIDO2 Security Key authentication method
$fido2Policy = @{
    "@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state = "enabled"
    isAttestationEnforced = $true
    isSelfServiceRegistrationAllowed = $true
    keyRestrictions = @{
        isEnforced = $true
        enforcementType = "allow"
        aaGuids = @(
            "cb69481e-8ff7-4039-93ec-0a2729a154a8",  # YubiKey 5 Series
            "ee882879-721c-4913-9775-3dfcce97072a",  # YubiKey 5 NFC
            "fa2b99dc-9e39-4257-8f92-4a30d23c4118",  # YubiKey 5C NFC
            "2fc0579f-8113-47ea-b116-bb5a8db9202a",  # YubiKey Bio
            "73bb0cd4-e502-49b8-9c6f-b59445bf720b"   # Google Titan
        )
    }
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"  # Or specific security group ID
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" `
    -BodyParameter $fido2Policy

# Enable Microsoft Authenticator with passkey support
$authenticatorPolicy = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state = "enabled"
    featureSettings = @{
        displayAppInformationRequiredState = @{
            state = "enabled"
            includeTarget = @{
                targetType = "group"
                id = "all_users"
            }
        }
        displayLocationInformationRequiredState = @{
            state = "enabled"
            includeTarget = @{
                targetType = "group"
                id = "all_users"
            }
        }
        companionAppAllowedState = @{
            state = "enabled"
        }
    }
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"
            authenticationMode = "any"
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator" `
    -BodyParameter $authenticatorPolicy

# Enable Windows Hello for Business
$whfbPolicy = @{
    "@odata.type" = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethodConfiguration"
    state = "enabled"
    pinMinimumLength = 6
    pinMaximumLength = 127
    pinLowercaseCharactersUsage = "allowed"
    pinUppercaseCharactersUsage = "allowed"
    pinSpecialCharactersUsage = "allowed"
    securityKeyForSignIn = "enabled"
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "windowsHelloForBusiness" `
    -BodyParameter $whfbPolicy

Write-Host "Passwordless authentication methods enabled successfully"

Step 2: Configure Authentication Strength Conditional Access

Create Conditional Access policies requiring phishing-resistant authentication:

# Create custom authentication strength for phishing-resistant MFA
$authStrength = @{
    displayName = "Phishing-Resistant Passwordless"
    description = "Requires FIDO2, WHfB, or certificate-based authentication"
    allowedCombinations = @(
        "fido2",
        "windowsHelloForBusiness",
        "x509CertificateMultiFactor"
    )
    requirementsSatisfied = "mfa"
}
$strengthPolicy = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $authStrength

# Create Conditional Access policy requiring phishing-resistant auth
$caPolicy = @{
    displayName = "Require Phishing-Resistant Auth for All Apps"
    state = "enabledForReportingButNotEnforced"  # Start in report-only
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeGroups = @("Passwordless-Exclusion-Group")
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = $strengthPolicy.Id
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Create stricter policy for admin portals
$adminPolicy = @{
    displayName = "Require Security Key for Admin Access"
    state = "enabled"
    conditions = @{
        users = @{
            includeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10",  # Global Admin
                "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Admin
                "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint Admin
                "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange Admin
            )
        }
        applications = @{
            includeApplications = @(
                "797f4846-ba00-4fd7-ba43-dac1f8f63013",  # Azure Portal
                "00000006-0000-0ff1-ce00-000000000000",  # Microsoft 365 Admin
                "0000000a-0000-0000-c000-000000000000"   # Entra Admin Center
            )
        }
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = $strengthPolicy.Id
        }
    }
    sessionControls = @{
        signInFrequency = @{
            value = 4
            type = "hours"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

Step 3: Deploy Windows Hello for Business via Intune

Configure WHfB deployment through Microsoft Intune MDM:

# Create Windows Hello for Business configuration profile in Intune
$whfbProfile = @{
    "@odata.type" = "#microsoft.graph.windowsIdentityProtectionConfiguration"
    displayName = "WHfB - Enterprise Deployment"
    description = "Windows Hello for Business configuration for all managed devices"
    useSecurityKeyForSignin = $true
    windowsHelloForBusinessBlocked = $false
    pinMinimumLength = 6
    pinMaximumLength = 127
    pinUppercaseCharactersUsage = "allowed"
    pinLowercaseCharactersUsage = "allowed"
    pinSpecialCharactersUsage = "allowed"
    enhancedAntiSpoofingForFacialFeaturesEnabled = $true
    pinRecoveryEnabled = $true
    securityDeviceRequired = $true  # Require TPM
    unlockWithBiometricsEnabled = $true
    useCertificatesForOnPremisesAuthEnabled = $true  # For hybrid scenarios
    # Cloud Kerberos Trust for hybrid join (recommended over key trust)
    windowsHelloForBusinessAuthenticationMethod = "cloudKerberosTrust"
}

# Create the configuration profile
$profile = New-MgDeviceManagementDeviceConfiguration -BodyParameter $whfbProfile

# Assign to all Windows devices
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $profile.Id `
    -BodyParameter $assignment

# Configure Cloud Kerberos Trust (for hybrid Azure AD joined devices)
# This eliminates the need for PKI infrastructure
# Requires Azure AD Kerberos module

Import-Module AzureADHybridAuthenticationManagement

# Create Azure AD Kerberos Server object in on-premises AD
$domain = "corp.local"
$cloudCredential = Get-Credential -Message "Enter Azure AD Global Admin credentials"
$domainCredential = Get-Credential -Message "Enter on-premises Domain Admin credentials"

Set-AzureADKerberosServer `
    -Domain $domain `
    -CloudCredential $cloudCredential `
    -DomainCredential $domainCredential

# Verify Kerberos Server object
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCredential `
    -DomainCredential $domainCredential

Write-Host "Cloud Kerberos Trust configured for hybrid WHfB deployment"

Step 4: Register FIDO2 Security Keys for Users

Implement security key registration workflow:

# Bulk FIDO2 security key registration via Temporary Access Pass
# Step 1: Issue Temporary Access Pass for key registration

function Issue-TemporaryAccessPass {
    param(
        [string]$UserId,
        [int]$LifetimeMinutes = 60,
        [bool]$IsUsableOnce = $true
    )

    $tap = @{
        "@odata.type" = "#microsoft.graph.temporaryAccessPassAuthenticationMethod"
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce = $IsUsableOnce
    }

    $result = New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserId `
        -BodyParameter $tap

    return @{
        UserId = $UserId
        TemporaryAccessPass = $result.TemporaryAccessPass
        ExpiresAt = $result.CreatedDateTime.AddMinutes($LifetimeMinutes)
    }
}

# Bulk issue TAPs for security key registration event
$registrationUsers = Import-Csv "security_key_registration_list.csv"

$tapResults = foreach ($user in $registrationUsers) {
    $tap = Issue-TemporaryAccessPass -UserId $user.UserPrincipalName
    [PSCustomObject]@{
        User = $user.UserPrincipalName
        TAP = $tap.TemporaryAccessPass
        Expires = $tap.ExpiresAt
        KeySerial = $user.AssignedKeySerial
    }
}

# Export TAPs for secure distribution to registration team
$tapResults | Export-Csv "tap_assignments.csv" -NoTypeInformation

# Monitor FIDO2 registration progress
function Get-Fido2RegistrationStatus {
    $allUsers = Get-MgUser -All -Property "id,userPrincipalName,department"

    $registrationStatus = foreach ($user in $allUsers) {
        $methods = Get-MgUserAuthenticationFido2Method -UserId $user.Id

        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            Department = $user.Department
            Fido2KeyCount = $methods.Count
            KeyModels = ($methods.Model -join ", ")
            RegistrationDates = ($methods.CreatedDateTime -join ", ")
            HasBackupKey = $methods.Count -ge 2
        }
    }

    return $registrationStatus
}

$status = Get-Fido2RegistrationStatus
$total = $status.Count
$registered = ($status | Where-Object { $_.Fido2KeyCount -gt 0 }).Count
$withBackup = ($status | Where-Object { $_.HasBackupKey }).Count

Write-Host "FIDO2 Registration Progress"
Write-Host "  Total Users: $total"
Write-Host "  Registered:  $registered ($([math]::Round($registered/$total*100,1))%)"
Write-Host "  With Backup: $withBackup ($([math]::Round($withBackup/$total*100,1))%)"

Step 5: Disable Legacy Authentication Methods

Phase out phishable authentication factors:

# Disable SMS and voice call authentication
$smsPolicy = @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state = "disabled"
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "sms" `
    -BodyParameter $smsPolicy

$voicePolicy = @{
    "@odata.type" = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
    state = "disabled"
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "voice" `
    -BodyParameter $voicePolicy

# Block legacy authentication protocols via Conditional Access
$blockLegacyPolicy = @{
    displayName = "Block Legacy Authentication"
    state = "enabled"
    conditions = @{
        users = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @(
            "exchangeActiveSync",
            "other"
        )
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyPolicy

# Audit users still using legacy authentication
$legacyAuthReport = Get-MgAuditLogSignIn -Filter "clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" `
    -Top 1000 | Group-Object userPrincipalName | Select-Object Count, Name |
    Sort-Object Count -Descending

Write-Host "Users with Legacy Auth (last 30 days):"
$legacyAuthReport | Format-Table -AutoSize

Step 6: Monitor Passwordless Adoption Metrics

Track deployment progress and authentication method usage:

# Generate passwordless adoption dashboard data
function Get-PasswordlessAdoptionMetrics {
    # Authentication method registration statistics
    $registrationReport = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $metrics = @{
        TotalUsers = $registrationReport.Count
        PasswordlessCapable = ($registrationReport | Where-Object { $_.IsPasswordlessCapable }).Count
        MfaRegistered = ($registrationReport | Where-Object { $_.IsMfaRegistered }).Count
        Fido2Registered = ($registrationReport | Where-Object { "fido2" -in $_.MethodsRegistered }).Count
        WhfbRegistered = ($registrationReport | Where-Object { "windowsHelloForBusiness" -in $_.MethodsRegistered }).Count
        AuthenticatorRegistered = ($registrationReport | Where-Object { "microsoftAuthenticator" -in $_.MethodsRegistered }).Count
        SmsOnly = ($registrationReport | Where-Object {
            "sms" -in $_.MethodsRegistered -and
            "fido2" -notin $_.MethodsRegistered -and
            "windowsHelloForBusiness" -notin $_.MethodsRegistered
        }).Count
    }

    # Authentication method usage from sign-in logs
    $signInLogs = Get-MgAuditLogSignIn -Top 10000 -Filter "createdDateTime ge $((Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ'))"

    $authMethodUsage = $signInLogs |
        Group-Object { $_.AuthenticationMethodsUsed -join "," } |
        Select-Object Count, Name | Sort-Object Count -Descending

    return @{
        Registration = $metrics
        Usage = $authMethodUsage
    }
}

$adoption = Get-PasswordlessAdoptionMetrics
$reg = $adoption.Registration

Write-Host "PASSWORDLESS ADOPTION REPORT"
Write-Host "============================"
Write-Host "Total Users:              $($reg.TotalUsers)"
Write-Host "Passwordless Capable:     $($reg.PasswordlessCapable) ($([math]::Round($reg.PasswordlessCapable/$reg.TotalUsers*100,1))%)"
Write-Host "  FIDO2 Keys:             $($reg.Fido2Registered)"
Write-Host "  Windows Hello:          $($reg.WhfbRegistered)"
Write-Host "  Authenticator:          $($reg.AuthenticatorRegistered)"
Write-Host "MFA Registered:           $($reg.MfaRegistered) ($([math]::Round($reg.MfaRegistered/$reg.TotalUsers*100,1))%)"
Write-Host "SMS Only (needs upgrade): $($reg.SmsOnly)"

Key Concepts

Term	Definition
FIDO2	Fast Identity Online 2 standard enabling passwordless authentication using public-key cryptography bound to hardware authenticators or platform credentials
Passkey	FIDO2 credential that can be device-bound (security key) or synced across devices, providing phishing-resistant authentication without passwords
Windows Hello for Business	Windows platform authenticator using PIN, fingerprint, or facial recognition backed by TPM-protected asymmetric keys for passwordless sign-in
Cloud Kerberos Trust	Deployment model for hybrid WHfB that uses Azure AD Kerberos to authenticate to on-premises resources without requiring PKI certificate infrastructure
Temporary Access Pass	Time-limited passcode issued by admins enabling users to register passwordless methods or recover access when their primary method is unavailable
Authentication Strength	Conditional Access capability in Microsoft Entra that specifies which authentication method combinations satisfy MFA requirements for a given policy

Tools & Systems

Microsoft Entra Admin Center: Portal for configuring authentication methods, Conditional Access policies, and monitoring sign-in analytics
Microsoft Intune: MDM/MAM platform for deploying Windows Hello for Business configuration profiles to managed devices
Microsoft Graph API: Programmatic interface for managing authentication methods, policies, and generating adoption reports
FIDO2 Security Keys: Hardware authenticators (YubiKey, Feitian, Google Titan) storing cryptographic credentials for phishing-resistant authentication

Common Scenarios

Scenario: Enterprise-Wide Passwordless Migration

Context: Organization with 5,000 users plans to eliminate passwords within 12 months after experiencing a phishing attack that compromised 47 accounts. Current state: 60% use SMS MFA, 30% use Authenticator app, 10% have no MFA.

Approach:

Phase 1 (Month 1-2): Enable FIDO2 and WHfB authentication methods in report-only Conditional Access
Phase 2 (Month 2-3): Deploy WHfB to all managed Windows devices via Intune with Cloud Kerberos Trust
Phase 3 (Month 3-5): Distribute FIDO2 security keys to executives, IT admins, and finance (highest-risk users first)
Phase 4 (Month 5-8): Enable Authenticator passkeys for mobile-primary users and field workers
Phase 5 (Month 8-10): Switch Conditional Access from report-only to enforced for phishing-resistant auth
Phase 6 (Month 10-12): Disable SMS and voice call methods, block legacy authentication protocols
Ongoing: Monitor adoption metrics, issue TAPs for stragglers, maintain break-glass accounts

Pitfalls:

Not deploying Cloud Kerberos Trust causes WHfB to fail for on-premises resource access in hybrid environments
Enforcing passwordless without ensuring all applications support modern authentication breaks access
Issuing only one security key per user without a backup creates lockout risk if the key is lost
Not configuring Temporary Access Pass as a recovery method before disabling password-based sign-in

Output Format

PASSWORDLESS AUTHENTICATION DEPLOYMENT REPORT
================================================
Tenant:            corp.onmicrosoft.com
Users:             5,247
Deployment Phase:  Phase 4 (Authenticator Passkeys)

AUTHENTICATION METHOD REGISTRATION
Passwordless Capable:    4,103 / 5,247 (78.2%)
  FIDO2 Security Keys:   892 (17.0%)
  Windows Hello:          2,847 (54.3%)
  Authenticator Passkey:  1,234 (23.5%)
  Certificate-Based:      312 (5.9%)

LEGACY METHOD STATUS
SMS-Only Users:          387 (7.4%) -- migration in progress
Voice-Only Users:        0 (disabled)
No MFA Users:            42 (0.8%) -- TAPs issued

CONDITIONAL ACCESS
Phishing-Resistant Policy:  ENFORCED (all users except exclusion group)
Legacy Auth Block:          ENABLED
Admin Portal Policy:        SECURITY KEY REQUIRED

SIGN-IN ANALYTICS (Last 30 Days)
Total Sign-Ins:          847,293
  Passwordless:          623,891 (73.6%)
  Password + MFA:        198,402 (23.4%)
  Password Only:         0 (blocked)
  Legacy Protocol:       0 (blocked)

SECURITY IMPACT
Phishing Incidents:      0 (down from 47 pre-deployment)
Password Reset Tickets:  -82% reduction
Avg Sign-In Time:        8.2s (passwordless) vs 24.1s (password)

Info

Category Development

Name implementing-passwordless-auth-with-microsoft-entra

Version v20260317

Size 14.3KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18