This week, Microsoft announced the availability of Passwordless Phone Sign-in for multiple Work or School accounts in the Microsoft Authenticator app on Apple iOS-based devices.
To use the Authenticator app for Passwordless Sign-in to multiple Work or School accounts during the Public Preview stage, meet the following requirements:
Note:
Requirements may change between the Public Preview and General Availability for this feature. Also, Microsoft can choose to pull back this feature when it no longer fits its roadmap or when it poses security and/or scalability risks.
iOS Device settings
Meet the following requirements when it comes to the iOS-based device you use:
Password
The iOS device needs to require a password, Touch ID or Face ID to unlock the device.
Authenticator App
Install Microsoft Authenticator v6.5.99 or above on an Apple device that runs iOS v12 or later. If the Microsoft Authenticator app is already installed, ensure that its version is at least v6.5.99.
To determine the version, perform these steps:
- Open the Authenticator app on the iOS device.
- Unlock the app using biometrics or PIN, if the app is protected.
- In the left top corner click the menu.
- From the menu, click Help.
- In the About section of help topics, the Version field indicates the version of the installed Microsoft Authenticator app.
Enable the option for Microsoft to collect use data.
Perform these steps to do so:
- Open the Authenticator app on the iOS device.
- Unlock the app using biometrics or PIN, if the app is protected.
- In the left top corner click the menu.
- From the menu, click Settings.
- In the Usage data section of settings, enable the option labeled "Allow Microsoft to gather non-personally identifiable usage data to improve the app. Learn more in the FAQs available under the Help menu."
Azure AD registration
After installation of the Microsoft Authenticator app, the iOS-based device needs to be registered to the Azure AD tenants that host each work or school account that you want to use for Passwordless Phone Sign-in.
Perform these steps to register an iOS device to an Azure AD tenant:
- Open the Authenticator app on the iOS device.
- Unlock the app using biometrics or PIN, if the app is protected.
- In the left top corner click the menu.
- From the menu, click Settings.
- Click Device Registration.
- The Device Registration page shows all Azure AD tenants the device is registered to. Determine the Azure AD tenants the device is registered with.
- Click the + in the top right corner to add an Azure AD tenant to the list.
- Provide the email address for the work or school account in the Azure AD tenant.
- Click Register.
- In the sign-in experience provide the means to perform multi-factor authentication.
- The list on the Device Registration page now shows the Azure AD tenant you added.
Azure AD settings
Meet the following requirements when it comes to each of the Azure AD tenants that host each work or school account that you want to use for Passwordless Phone Sign-in:
Combined Security Information
The Users can use the combined security information registration experience option needs to be enabled in Azure AD (for at least the persons in scope for this feature).
To check and/or enable this setting, perform the following steps:
- Sign in to the Azure AD Portal with an account that has the Global administrator role or the User administrator role.
- Perform multi-factor authentication, if prompted.
- If the Azure AD tenant is configured with Azure AD Privileged Identity Management (PIM) and the Global administrator or User administrator role requires elevation, perform the steps and provide the required information to elevate the role.
- In the left navigation pane, click Azure Active Directory.
- In Azure Active Directory's navigation menu, click User settings.
- On the User settings page in the main pane, follow the Manage user preview settings link.
- Enable the Users can use the combined security information registration experience option by selecting All for all users, or Selected to scope the feature to a group. If you selected Selected, specify the group that is in scope for this feature.
- Click Save at the top of the pane.
Note:
This setting will be automatically enabled for All in Azure AD tenants starting September 30th, 2022.
Authentication Method settings
The Microsoft Authenticator authentication method needs to be enabled in Azure AD (for at least the persons in scope for this feature).
To check and/or enable the authentication method, perform the following steps:
- Sign in to the Azure AD Portal with an account that has the Global administrator role or the Authentication Policy administrator role.
- Perform multi-factor authentication, if prompted.
- If the Azure AD tenant is configured with Azure AD Privileged Identity Management (PIM) and the Global administrator or Authentication Policy administrator role requires elevation, perform the steps and provide the required information to elevate the role.
- In the left navigation pane, click Azure Active Directory.
- In Azure Active Directory's navigation menu, click Security.
- In the Security navigation menu, click Authentication Methods. The Policies menu item in the Authentication Methods' menu is selected, by default.
- In the main pane, click the Microsoft Authenticator policy.
- In the Basics section, select Yes for the Enable option, to enable the authentication method.
- In the Target section, select All users or Select users. If you select Select users, specify a group to scope the feature.
- The selected group appears underneath the Target option. Click the kebab menu at the end of the group and select Configure from the context menu. Ensure that Authentication mode is set to Any or Passwordless.
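The portal steps above can also be verified from the Microsoft Authenticator policy object that Microsoft Graph exposes for the tenant. The following added example (not from the original post or from Microsoft) takes a constructed copy of that object and decides, for a user who belongs to a given set of groups, whether the method is enabled, whether the user is included rather than excluded, and whether the resulting authentication mode permits passwordless sign-in; the property names and the "any"/"deviceBasedPush" mode values follow the Graph schema as the author of this example understands it, and the group ids are made up.

```python
import json

# Constructed sample of the object Microsoft Graph returns for
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
# (property names as understood by the author of this example; group ids are made up).
SAMPLE_POLICY_JSON = """
{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "includeTargets": [
    {"targetType": "group", "id": "11111111-1111-1111-1111-111111111111",
     "isRegistrationRequired": false, "authenticationMode": "deviceBasedPush"},
    {"targetType": "group", "id": "22222222-2222-2222-2222-222222222222",
     "isRegistrationRequired": false, "authenticationMode": "push"}
  ],
  "excludeTargets": [
    {"targetType": "group", "id": "33333333-3333-3333-3333-333333333333"}
  ]
}
"""

# Portal "Any" maps to Graph "any"; portal "Passwordless" maps to Graph "deviceBasedPush".
PASSWORDLESS_MODES = {"any", "deviceBasedPush"}
ALL_USERS = "all_users"  # id Graph uses when the target is "All users"


def load_policy(raw_json):
    """Parse the Graph response body into a dict."""
    return json.loads(raw_json)


def passwordless_status(policy, user_group_ids):
    """Return (ok, reason) for a user whose group memberships are user_group_ids."""
    if policy.get("state") != "enabled":
        return False, "Microsoft Authenticator method is not enabled"
    # Exclusions take precedence over inclusions, so evaluate them first.
    for target in policy.get("excludeTargets", []):
        if target.get("id") in user_group_ids:
            return False, "user is excluded via group %s" % target["id"]
    matched = [t for t in policy.get("includeTargets", [])
               if t.get("id") == ALL_USERS or t.get("id") in user_group_ids]
    if not matched:
        return False, "user is not covered by any include target"
    modes = {t.get("authenticationMode", "unknown") for t in matched}
    good = sorted(modes & PASSWORDLESS_MODES)
    if good:
        return True, "covered with authentication mode " + ", ".join(good)
    return False, "covered, but authentication mode is " + ", ".join(sorted(modes))
```

A user in a group whose target is set to Push only is included in the policy but still cannot use passwordless phone sign-in, which is the case the last portal step above addresses.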
Account settings
The Work or School accounts that will be used with Passwordless sign-in will need to have Azure multi-factor authentication registered. When multi-factor authentication is not registered for the account, visit aka.ms/mfasetup to configure it for the account.