Implementing Passwordless Authentication in Microsoft 365

"We've enabled Windows Hello for Business in Intune, but users can still sign in with passwords. What are we missing?"

This is the most common passwordless question we get. The answer: you've configured the device side, but not the identity side.

The Two Halves of Passwordless

Windows Hello on devices (Intune) and Authentication Methods in Entra ID are separate configurations:

What you typically have:

  • Intune: Windows Hello for Business enabled
  • TPM enabled on devices
  • Devices Entra-joined or Hybrid-joined

What you're missing:

  • Entra ID Authentication Methods Policy
  • Conditional Access with Authentication Strength

Windows Hello being available doesn't mean passwords are blocked. You need Conditional Access to enforce passwordless.

Step 1: Enable Authentication Methods

In Entra ID, go to Security → Authentication methods → Policies.

Enable the methods you want:

Windows Hello for Business:

  • State: Enabled
  • Target: All users (or start with a pilot group)

FIDO2 Security Key:

  • State: Enabled
  • Target: Pilot group (expand later)
  • Key restrictions: Optional (limit to specific vendors)

Microsoft Authenticator:

  • State: Enabled
  • Passwordless sign-in: Enabled

Step 2: Check with PowerShell

Verify the configuration:

Connect-MgGraph -Scopes "Policy.Read.All"

# Check FIDO2 Policy
$fido2 = Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

Write-Host "FIDO2 State: $($fido2.state)"
$fido2.includeTargets | ForEach-Object {
    Write-Host "  Target: $($_.targetType) - $($_.id)"
}

Step 3: Conditional Access for Enforcement

This is the key step. Create a Conditional Access policy:

Name: Require Passwordless MFA

Assignments:

  • Users: All users (exclude break-glass accounts)
  • Cloud apps: All cloud apps
  • Conditions: None (apply everywhere)

Access controls:

  • Grant: Require authentication strength
  • Authentication strength: Passwordless MFA

This blocks password authentication entirely. Users must sign in with Windows Hello, a FIDO2 security key, or passwordless sign-in in Microsoft Authenticator.
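The same policy can be created from PowerShell, which is useful when you want it versioned and repeatable across tenants. The script below is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that a break-glass exclusion group exists (the name CA-Exclude-BreakGlass is a placeholder), and that the tenant still has the built-in "Passwordless MFA" authentication strength. It deliberately creates the policy in report-only mode first, matching the rollout strategy later in this post.

```powershell
# Added example (not from the original post): create the "Require Passwordless MFA"
# Conditional Access policy from Step 3 via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed; the break-glass group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Look up the built-in "Passwordless MFA" authentication strength by display name
# instead of hard-coding its GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Passwordless MFA' }
if (-not $strength) { throw "Built-in 'Passwordless MFA' authentication strength not found." }

# Break-glass accounts sit in a group that is excluded, so the policy can never lock
# every administrator out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; create it before enforcing." }

$policy = @{
    displayName   = 'Require Passwordless MFA'
    # Report-only first (rollout step 4). Change to 'enabled' once the report-only
    # results show no unexpected blocks (rollout step 5).
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

The script refuses to run if the exclusion group is missing. That is the single most important check here: a tenant-wide policy requiring passwordless with no excluded break-glass accounts can lock out every administrator at once.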

Zero-Password User Onboarding

The ultimate goal: new users never have a password.

  1. Admin creates user account - Set a random password (never shared)
  2. Admin generates Temporary Access Pass - 8 hours validity
  3. Send TAP to user via secure channel (phone call, in-person)
  4. User signs in with TAP → Prompted to register Windows Hello/Passkey
  5. TAP expires - User can only use registered passwordless methods
  6. Conditional Access blocks password auth - Even if they knew the password

Result: Zero passwords created, zero passwords used.
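Steps 1 and 2 of the onboarding flow, scripted. This is an added example rather than code from the original post. It assumes the Microsoft.Graph module is installed and that Temporary Access Pass is enabled as an authentication method in the tenant's Authentication methods policy (it is a method like any other and is off by default). The UPN, display name and domain are placeholders.

```powershell
# Added example (not from the original post): zero-password onboarding.
# Creates the account with a random password that is never recorded or shared,
# then issues an 8-hour Temporary Access Pass for the user to register
# Windows Hello or a passkey. Assumes Microsoft.Graph is installed and TAP is
# enabled in the Authentication methods policy. Names and domain are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"

function New-RandomSecret {
    # 32 bytes from a cryptographic RNG, Base64-encoded. It is handed to New-MgUser
    # and then discarded; nobody ever sees it, so nobody can use it.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$upn  = 'jane.doe@contoso.com'   # placeholder
$user = New-MgUser -BodyParameter @{
    accountEnabled    = $true
    displayName       = 'Jane Doe'
    mailNickname      = 'jane.doe'
    userPrincipalName = $upn
    passwordProfile   = @{
        password                      = (New-RandomSecret)
        forceChangePasswordNextSignIn = $false   # the user never signs in with it
    }
}

# 8 hours = 480 minutes. Left multi-use because device setup and Windows Hello
# registration typically prompt more than once; the short lifetime bounds exposure.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
    lifetimeInMinutes = 480
    isUsableOnce      = $false
}

# Relay the pass out of band (phone call, in person). Do not e-mail it.
Write-Host "TAP for $upn valid for $($tap.LifetimeInMinutes) minutes, starts $($tap.StartDateTime)"
$tap.TemporaryAccessPass
```

Once the TAP has expired and the Conditional Access policy is enforced, the random password is dead weight: it was never known to anyone, and password authentication is blocked regardless.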

Check User's Registered Methods

See what authentication methods a user has registered:

# Needs the Microsoft.Graph module; the UPN below is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

Get-MgUserAuthenticationMethod -UserId "user@contoso.com" |
  Select-Object @{N='Method';E={$_.AdditionalProperties.'@odata.type'}}

Expected output for passwordless users:

  • #microsoft.graph.windowsHelloForBusinessAuthenticationMethod
  • #microsoft.graph.fido2AuthenticationMethod
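Checking one user at a time does not scale to a pilot. The script below is an added example, not code from the original post; it runs the same cmdlet across every member of a pilot group and reports who has no passwordless method registered yet, which is exactly the set of people the Conditional Access policy would block once enforced. It assumes the Microsoft.Graph module is installed; the group name Passwordless-Pilot is a placeholder. Only the two method types listed above are counted: the v1.0 Authenticator method object does not indicate whether passwordless phone sign-in was enabled on the device, so it is not treated as passwordless here.

```powershell
# Added example (not from the original post): list pilot-group members who have not
# registered a passwordless method and would be blocked once the policy is enforced.
# Assumes Microsoft.Graph is installed; the pilot group name is a placeholder.
Connect-MgGraph -Scopes "Group.Read.All", "UserAuthenticationMethod.Read.All"

# Method types that satisfy the "Passwordless MFA" strength on their own.
# Authenticator is deliberately not counted (see the note above the script).
$passwordlessTypes = @(
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod'
)

$pilot = Get-MgGroup -Filter "displayName eq 'Passwordless-Pilot'"
if (-not $pilot) { throw "Pilot group not found." }

$report = foreach ($member in Get-MgGroupMember -GroupId $pilot.Id -All) {
    $upn = $member.AdditionalProperties.userPrincipalName
    if (-not $upn) { continue }   # skip nested groups and non-user objects

    $types = Get-MgUserAuthenticationMethod -UserId $member.Id |
        ForEach-Object { $_.AdditionalProperties.'@odata.type' }
    $registered = @($types | Where-Object { $passwordlessTypes -contains $_ })

    [pscustomobject]@{
        User              = $upn
        PasswordlessReady = ($registered.Count -gt 0)
        Methods           = ($types -join ', ')
    }
}

$report | Sort-Object PasswordlessReady | Format-Table -AutoSize
$notReady = @($report | Where-Object { -not $_.PasswordlessReady })
Write-Host "Not ready: $($notReady.Count) of $(@($report).Count) pilot users"
```

Run this before moving the policy from report-only to enforced (rollout steps 3 to 5). A non-empty "not ready" list means someone will be locked out on day one.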

The AVD Caveat

If you're using Azure Virtual Desktop with FSLogix profile containers on Azure Files, there's a catch:

FSLogix with Entra Kerberos requires hybrid user identities - accounts synced from on-premises AD. Cloud-only users are NOT supported for this scenario.

If you have cloud-only users needing AVD with FSLogix, you'll need to either:

  • Sync those users from on-prem AD
  • Use a different profile solution
  • Accept that those users need passwords (for now)

Rollout Strategy

  1. Pilot group - 10-20 users, IT team
  2. Enable methods - Windows Hello, FIDO2, Authenticator
  3. Register devices - Ensure pilot users have enrolled methods
  4. Conditional Access (Report-only) - See who would be blocked
  5. Conditional Access (Enforced) - Block password auth for pilot
  6. Expand gradually - Department by department
  7. New user default - TAP onboarding for all new users

Monitoring

Track adoption in Entra ID:

Authentication methods activity:

  • Security → Authentication methods → Activity

Sign-in logs:

  • Filter by authentication method to see what's being used

User registration:

  • Security → Authentication methods → User registration details
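The portal views above answer "is anyone still using passwords?" one filter at a time. The script below is an added example, not code from the original post; it pulls the last seven days of interactive sign-ins through Graph, counts the authentication methods that succeeded, and lists the users who still completed a password step. It assumes the Microsoft.Graph module is installed and that the tenant is licensed for sign-in log access through Graph (Entra ID P1 or P2). The method name the logs report for a password step is assumed to be "Password".

```powershell
# Added example (not from the original post): summarise which authentication methods
# were used in sign-ins over the last 7 days and list users still relying on passwords.
# Assumes Microsoft.Graph is installed and Entra ID P1/P2 for Graph sign-in log access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Each sign-in carries one authenticationDetails entry per authentication step.
# Count only steps that succeeded, so failed attempts do not inflate the numbers.
$methodCounts = @{}
foreach ($s in $signIns) {
    foreach ($step in @($s.AuthenticationDetails | Where-Object { $_.Succeeded })) {
        $m = if ($step.AuthenticationMethod) { $step.AuthenticationMethod } else { 'Unknown' }
        $methodCounts[$m] = [int]$methodCounts[$m] + 1
    }
}

$methodCounts.GetEnumerator() | Sort-Object Value -Descending |
    Format-Table @{N='Method';E={$_.Key}}, @{N='Sign-ins';E={$_.Value}} -AutoSize

# Users who still completed a password step: these are the people to chase
# (or the service accounts to handle separately) before the policy is enforced.
$passwordUsers = $signIns |
    Where-Object { @($_.AuthenticationDetails.AuthenticationMethod) -contains 'Password' } |
    Select-Object -ExpandProperty UserPrincipalName -Unique |
    Sort-Object
Write-Host "Users with password sign-ins in the last 7 days: $(@($passwordUsers).Count)"
$passwordUsers
```

Run it weekly while the policy is in report-only mode. The password-user list should shrink toward the break-glass accounts and nothing else; anything left is either a user who needs help registering or an application that will need its own treatment.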

Need help implementing passwordless authentication? Get in touch - we help organisations move beyond passwords.
