Hey everyone! I'm a sysadmin at a mid-sized company with a hybrid Microsoft setup, where our on-prem Active Directory is synced with Entra (Azure AD). My boss is interested in making the switch to passwordless or passkey logins for users accessing their laptops. We're particularly leaning towards using the Microsoft Authenticator app for push sign-ins, where users can either hit 'Accept' or enter a PIN to unlock their devices.
I have a few questions for anyone who's been down this road:
- Has anyone successfully implemented passwordless phone sign-in using Microsoft Authenticator in a hybrid environment?
- Did you face any challenges with Hybrid Azure AD Join as opposed to native Entra ID Join?
- How was the rollout? What was user adoption like? Did anyone push back against using their phones for this?
- Are you using other methods alongside this, like Windows Hello for Business or FIDO2 keys, or have you gone all-in on the Authenticator?
I'd love to hear your real-world experiences before we make any commitments. Thanks for any advice, lessons learned, or pitfalls to avoid!
6 Answers
I've implemented Windows Hello for Business (WHfB) in a similar setup and it works great! Microsoft primarily supports WHfB, and once you get everything configured, you can go fully passwordless. It's especially effective with cloud trust, so if your compliance allows, that's the way to go. I haven’t heard of a seamless way to use Microsoft Authenticator for push notifications at the desktop level, but I did explore alternatives like OpenOTP and FortiAuthenticator. I think those are overkill if you're just trying to bridge back to Microsoft.
We use YubiKeys as part of our MFA setup, and it's been pretty smooth sailing – both on hybrid and full Entra setups. Users sign in with a PIN and touch the key. Just a heads up, though, activating passwordless policies removes some traditional key providers and basic auth prompts won't work in Edge if you go that route. Also, we’ve configured our policies to eliminate non-essential login methods like smart cards.
For designated devices, we use WHfB, and for shared devices, we go with Security keys. With hybrid users, you can implement some fun security features like SCRIL for rotating NTLM secrets to enhance security. I have mine set to rotate passwords every 24 hours automatically! It's a bit tricky but adds an extra layer of safety.
If WHfB isn't your thing, maybe look into UserLock as an alternative. It's designed for situations similar to yours, and it could fit your needs without diving into WHfB.
Our setup is pretty much what you're looking at, with on-prem AD synced to Azure and no write-back, so AD is the primary source. We set up Hello for Business and it allows biometric and PIN sign-ins, integrating well with Microsoft Authenticator for 2FA. Once people got used to it, most of our staff forgot about their passwords! We still have to use passwords on rare occasions, like for new devices, but overall, the feedback on usability has been excellent. Just make sure to get everyone IR-enabled webcams for easier biometric logins! 😂
You should definitely check out Web Sign-In for passwordless login, but keep in mind you can't use it with Hybrid Devices. My advice would be to push for WHfB and set up Cloud Kerberos Trust instead of staying Hybrid. WHfB is more secure and resilient against phishing attacks compared to using an authenticator alone.
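The two operational checks that come up in the answers above (SCRIL users whose NTLM secrets should be rolling, and whether a device is actually getting cloud Kerberos tickets for WHfB cloud trust) are easy to audit from an admin workstation. The script below is an added example, not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory module, a domain-joined workstation, and a placeholder OU (`OU=Staff,DC=corp,DC=example`) that you would replace with your own. The 24-hour threshold is taken from the rotation interval one answer mentions; the actual rolling cadence in AD is governed by the account's resultant password policy, so the report shows that alongside the age of the current secret.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory,
# a domain-joined admin workstation, and read rights on the target OU.
Import-Module ActiveDirectory

function Get-ScrilAuditReport {
    param(
        # Assumption: placeholder OU, replace with the OU holding your WHfB/SCRIL users
        [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',
        # Threshold taken from the 24h rotation mentioned in the thread
        [int]$MaxSecretAgeHours = 24
    )

    # Domain-level switch (requires 2016 domain functional level) that makes DCs roll the
    # NTLM secret of smart-card-only accounts when their password expires.
    $domain  = Get-ADDomain
    $domObj  = Get-ADObject -Identity $domain.DistinguishedName `
                 -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    $rolling = [bool]$domObj.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    $defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties SmartcardLogonRequired, PasswordLastSet |
    ForEach-Object {
        # A fine-grained password policy overrides the default max age if one applies
        $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        $maxAge = if ($fgpp) { $fgpp.MaxPasswordAge } else { $defaultMaxAge }
        $ageH   = if ($_.PasswordLastSet) {
                      [math]::Round(((Get-Date) - $_.PasswordLastSet).TotalHours, 1)
                  } else { $null }

        [pscustomobject]@{
            User               = $_.SamAccountName
            SCRIL              = [bool]$_.SmartcardLogonRequired
            DomainRollsSecrets = $rolling
            MaxPasswordAge     = $maxAge
            SecretAgeHours     = $ageH
            # Flag SCRIL accounts whose secret is older than the expected window,
            # or where the domain is not configured to roll secrets at all.
            Finding = if ($_.SmartcardLogonRequired -and -not $rolling) {
                          'SCRIL set but domain does not roll NTLM secrets'
                      } elseif ($_.SmartcardLogonRequired -and $ageH -gt $MaxSecretAgeHours) {
                          "Secret older than $MaxSecretAgeHours h"
                      } elseif (-not $_.SmartcardLogonRequired) {
                          'Password-capable account'
                      } else { 'OK' }
        }
    }
}

function Test-CloudKerberosTrustReadiness {
    # Parses dsregcmd /status on the local device. For WHfB cloud Kerberos trust the
    # device should show AzureAdPrt, OnPremTgt and CloudTgt as YES after a sign-in.
    $status = dsregcmd /status
    $field = {
        param($Name)
        $m = $status | Select-String -Pattern "^\s*$Name\s*:\s*(.+?)\s*$"
        if ($m) { $m[0].Matches[0].Groups[1].Value } else { 'n/a' }
    }
    [pscustomobject]@{
        AzureAdJoined     = & $field 'AzureAdJoined'
        DomainJoined      = & $field 'DomainJoined'
        AzureAdPrt        = & $field 'AzureAdPrt'
        OnPremTgt         = & $field 'OnPremTgt'
        CloudTgt          = & $field 'CloudTgt'
        KerbTopLevelNames = & $field 'KerbTopLevelNames'
    }
}

# Usage:
#   Get-ScrilAuditReport | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
#   Test-CloudKerberosTrustReadiness
```

Run the first function from a workstation with RSAT and the second on the endpoint you are testing; a hybrid-joined device that shows `AzureAdPrt : YES` but `CloudTgt : NO` after a WHfB sign-in is the usual sign that the cloud Kerberos trust object or the Hello policy has not reached that device yet.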