Contact Us

How To Go Fully Passwordless in Azure AD (Entra ID)

How To Go Fully Passwordless in Azure AD (Entra ID) with FIDO2 and Azure CBA - create passwordless users in Azure AD
11 Aug 2023

How To Go Fully Passwordless in Azure AD - Passwordless Setup Guide (Without TAP)


As you know, there are 3 passwordless authentication methods: FIDO2, SmartCard, and Microsoft Authenticator App. While all three are a great step forward from passwords, the Authenticator app is not fully unphishable since users can be vulnerable to push notification fatigue; unfortunately, though Microsoft has implemented some measures such as number matching, it is still susceptible to social engineering. While it has its vulnerabilities, it is still a great option if budget does not allow you to get hardware tokens for your whole organization. Then we have FIDO2 and SmartCard, which for users are very similar since they both use a hardware key and a pin or biometric check. There are some minor differences between smartcard and FIDO2 but in the big picture, security-wise they are the same. To learn more about the difference between all three methods I recommend watching the webinar below where we go in more detail into the differences.


Which Azure AD Passwordless Authentication Methods Do We Recommend?

Each of the three passwordless methods have their strengths and weaknesses. If you’re on a tight budget, phone authentication might seem appealing – it’s cost-friendly, but on the flip side, it isn’t the most secure. It’s a good fit if you’re working with limited resources or in situations where top-tier security isn’t the primary focus. On the hardware token front, if you can only use one, we would recommend smartcard authentication since it is compatible with new technology (while Microsoft has been pushing FIDO2 authentication, it is still not compatible with many cloud management tools such as Azure PowerShell, and MSAL applications) as well as legacy on premise systems; however, the perfect setup (and what we use at Keytos) is having FIDO2 and smartcard in the same token. Using a modern CMS such as EZCMS allows you to seamlessly onboard users to both FIDO2 and smartcard identities and the OS will automatically use the best option for each scenario.


Windows Hello For Business

When listing the passwordless authentication methods you probably noticed I did not mention the most popular one: Windows Hello For Business (WH4B), The reason for not mentioning Windows Hello For Business is because it cannot be used for bootstrapping new devices; let’s say you have WH4B in your PC, you cannot use that identity to enroll your phone to Intune. Hence, it is a great option as a secondary passwordless authentication method; for example, you have your YubiKey that you use for onboarding new devices or when you need to authenticate in another device but use Windows Hello for day-to-day authentication in your work computer.



Passwordless Authentication Onboarding Experience

Unfortunately, Microsoft does not have an option for self-service passwordless onboarding for users;, the closest you can get to it is having your IT team create a TAP and sending it to a user. Unfortunately, the TAP is not a multifactor authentication method, it is just a fancy term Microsoft created for a one-time password; also having your IT team distributing TAPs opens the door for social engineering attacks. To have a truly passwordless onboarding experience, we use EZCMS, the first passwordless onboarding CMS for Azure. In this blog I am not going to cover how to set EZCMS in Azure, but you can follow the instructions in this video playlist.

The advantages of EZCMS are:

  1. - Takes care of the complex PKI setup and Management.

  2. - Enables Self Service Onboarding (even solving the chicken-and-egg problem of how you authenticate a user before they have an online identity for remote users).

  3. - Enables Self Service account recovery, reducing password reset calls by up to 92%.

  4. - Takes care of the logistics of requesting and shipping the hardware tokens around the world.

  5. - Seamless onboarding to FIDO2 and Smartcard onboarding, making it transparent to the user.

Check out the user experience below for a simplified view of the whole onboarding process.

What Happens If I Lose My YubiKey

When talking to organizations that are planning to implement passwordless authentication, the first question that comes up is what happens if I lose my YubiKey. While this might sound like a scary scenario, with the proper design it is a non-issue.

Can a Person Use My Lost YubiKey

First let’s start with what happens to that YubiKey, the cryptographic keys are protected by a pin than after a few tries it will be blocked and will not be able to be used by the person that stole the YubiKey, secondly, if you are using a CMS, you report the YubiKey as lost and the CMS will contact your identity provider to revoke the FIDO2 keys as well as any certificate in that YubiKey (this is a very important reason why it is important to have a CMS instead of manually onboarding your hardware tokens).

How can I Maintain Access After I Lost My YubiKey

As previously mentioned, it is recommended to have a secondary authentication method in case your YubiKey is lost. Yubico obviously recommends having an extra YubiKey for you to authenticate if the first one is lost. However, there are other ways to do this without 2xing your hardware budget. Another device such as a laptop with Windows Hello for Business or a phone with Microsoft Authenticator App can work as a temporary smartcard while you get a new YubiKey from your organization. Once you get the new YubiKey you can either use your secondary factor to enroll your new YubiKey or if you have a CMS such as EZCMS you can you your Government ID and face to register your new YubiKey.


How to Create Azure AD (Entra ID) Users Without a Password

Unfortunately, Microsoft Entra ID (Azure AD) does not support users without passwords. Instead, we recommend creating user accounts with a random long password that is not saved anywhere, having the user signup using a passwordless CMS, and setting up conditional access to require a passwordless authentication method. This last step ensures that even if a hacker guesses that random password, they will not be able to access without a passwordless method.


Azure CBA Smartcard infrastructure requirements

Creating Accounts with Random Passwords in Azure

Each organization might have their own user creation method. However, I wanted to share with you a quick PowerShell script that can help you create users with random passwords from a CSV.

Sample CSV


GivenName,Surname,UserPrincipalName,UsageLocation,City,State,Country,Department,JobTitle,MobilePhone 

Richard,Hendricks,richard.hendricks@piedpiper.com,US,Palo Alto,CA,USA,Engineering,CEO,123-456-7890 

Dinesh,Chugtai,dinesh.chugtai@piedpiper.com,US,Palo Alto,CA,USA,Engineering,Developer,123-456-7891 

Bertram,Gilfoyle,bertram.gilfoyle@piedpiper.com,US,Palo Alto,CA,USA,Engineering,Developer,123-456-7892 

Create Users with Random PowerShell Script


    
# Connect to Azure AD 

Connect-AzureAD  

  

# Path to the CSV file 

$csvPath = "C:\path\to\yourfile.csv" 

  

# Function to generate a random password 

function GenerateRandomPassword { 

    param ( 

        [int]$length = 32 

    ) 

  

    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()-_=+" 

    $password = -join ($chars.ToCharArray() | Get-Random -Count $length) 

    return $password 

} 

  

# Read the CSV and loop through each user 

Import-Csv -Path $csvPath | ForEach-Object { 

    $password = GenerateRandomPassword 

  

    # Create the new user in Azure AD 

    New-AzureADUser -DisplayName "$($_.GivenName) $($_.Surname)" -GivenName $_.GivenName -Surname $_.Surname -UserPrincipalName $_.UserPrincipalName -PasswordProfile (New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile -Property @{forceChangePasswordNextLogin=$false;password=$password}) -MailNickName "$($_.GivenName).$($_.Surname)" -UsageLocation $_.UsageLocation -City $_.City -State $_.State -Country $_.Country -Department $_.Department -JobTitle $_.JobTitle  

  

    # Output password to the console (for testing purposes) 

    Write-Output ("User: " + $_.UserPrincipalName + " Created ") 

} 

  

# Disconnect from Azure AD 

Disconnect-AzureAD 



Getting Started with Passwordless Authentication

If you are ready to go passwordless, schedule a meeting with our identity experts and get started today!

You Might Also Want to Read