Microsoft Rolls Out Passwordless Policy for Entra ID-Joined Windows 11 Devices

The passwordless capability was enabled by a September update.

Microsoft suggested this week that organizations with Entra ID-joined Windows 11 devices can now switch them over to passwordless authentications using a new policy option.

The ability to go passwordless with these devices commenced via a "September 2023 update for Windows 11, version 22H2," the announcement indicated. With that update, these Entra ID-joined devices can switch to a passwordless approach after being enabled by a policy change. Organizations can use Microsoft Intune or another mobile device management solution to set the policy.

Here's Microsoft's statement to that effect:

Commercial organizations can now set the EnablePasswordlessExperience MDM policy from Intune or another MDM to enable a fully passwordless user experience on Microsoft Entra ID joined [Windows 11] machines.

By passwordless, Microsoft means that users so switched won't see a password prompt at all after the policy has been applied. The password prompt will be absent when signing into a device's lock screen. It also won't be there for "in-session auth scenarios like password managers in a web browser, 'Run as' admin scenarios, and User Account Control (UAC)," the announcement explained.

Also, the Windows 11 Settings app won't show the "Change password" option after the passwordless policy has been applied. Instead, passwords can still be changed, if wanted, via the Ctrl + Alt + Del key press, Microsoft indicated in this document.

After the passwordless policy is applied, users will see initial authentication options as "security key, pin, Windows Hello, and fingerprint." Organizations can use phishing-resistant approaches, such as FIDO2 keys or Windows Hello for Business, which is Microsoft's biometric (face scan) authentication scheme.
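As an added example (not from the article or from Microsoft's documentation), the following PowerShell readiness check can be run on a device before relying on the policy: it confirms the OS build is Windows 11 22H2 or later, uses dsregcmd to confirm the device is Entra ID-joined and has Windows Hello for Business provisioned, and reads the EnablePasswordlessExperience value. The registry location is an assumption based on where Policy CSP settings are normally surfaced (the PolicyManager hive); verify it against your MDM's compliance reporting.

```powershell
# Added example: verify prerequisites and the EnablePasswordlessExperience policy on a device.
# Assumption: the Policy CSP Authentication area is mirrored under the PolicyManager hive.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$PolicyName = 'EnablePasswordlessExperience'

function Get-DsregFlag {
    param([string]$Name)
    # dsregcmd /status prints "Key : Value" lines; return the value for $Name, or $null.
    $line = (dsregcmd /status) |
        Where-Object { $_ -match "^\s*$Name\s*:\s*(\S+)" } |
        Select-Object -First 1
    if ($line -and ($line -match "^\s*$Name\s*:\s*(\S+)")) { return $Matches[1] }
    return $null
}

# OS build: Windows 11 22H2 is build 22621; the update revision (UBR) shows the monthly patch level.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

# Policy value: 1 means the passwordless experience is enabled, 0 or absent means it is not.
$policy = $null
if (Test-Path $PolicyKey) {
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
}

$result = [ordered]@{
    'Windows 11 22H2 or later (build >= 22621)'    = ($build -ge 22621)
    'OS build.revision (check September 2023 update)' = "$build.$ubr"
    'Entra ID joined (AzureAdJoined)'              = ((Get-DsregFlag 'AzureAdJoined') -eq 'YES')
    'Hello for Business provisioned (NgcSet)'      = ((Get-DsregFlag 'NgcSet') -eq 'YES')
    'EnablePasswordlessExperience policy applied'  = ($policy -eq 1)
}

# Print a simple report; any False row is a gap to close before enforcing passwordless sign-in.
$result.GetEnumerator() | ForEach-Object { '{0,-52} {1}' -f $_.Key, $_.Value }
```

Run it in an elevated session so dsregcmd reports both device and user state; NgcSet is reported per user, so run it as the user who will sign in passwordless.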

Organizations going passwordless have options should a user fail to authenticate. "If the user fails to sign in, recovery mechanisms such as PIN reset or Web sign-in can be used to help the user recover their credentials without IT helpdesk engagement," the announcement indicated.

Microsoft's Sept. 2023 update to Windows 11 version 22H2 also ushered in the ability for Entra ID-joined devices to use a "Web sign-in" feature, as explained in this document. It permits users to "sign in with the Microsoft Authenticator app or with a SAML-P federated identity."

Microsoft had already enabled consumer Microsoft account users to go passwordless, and now organizations using Entra ID-joined Windows 11 devices can do the same. Microsoft had announced its passwordless option for consumer Microsoft account users back in 2021.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
