Step-by-step configuration guide: Authenticator-based passwordless on shared Windows devices

Before you start

Required roles

You will typically need one of these Entra roles to configure authentication methods:

• Authentication Policy Administrator (recommended)
• Authentication Administrator (for issuing TAP and managing methods)

Microsoft explicitly calls out these admin center paths and role expectations in their method configuration docs. (Microsoft Learn)

Device prerequisites

• Windows 11, version 22H2 or later is strongly recommended for Web sign-in. Microsoft notes Web sign-in availability starting Windows 11 22H2 with KB5030310. (Microsoft Learn)
• Devices should be Entra joined for the cleanest passwordless experience.

---

Architecture choices

You have two realistic patterns:

1. Authenticator passwordless / passkeys (preferred)
   Best security posture; best long-term direction. (Microsoft Learn)
2. Web sign-in (useful for shared devices, but typically a secondary path)
   Practical for certain shared device workflows, but can be slower and more “web flow” than native. (Microsoft Learn)

You can enable both and choose which one you enforce via Conditional Access.

---

Part A: Enable Microsoft Authenticator passwordless in Entra ID

Step A1: Enable Microsoft Authenticator as an authentication method

1. Open Microsoft Entra admin center
2. Go to: Entra ID → Protection → Authentication methods
3. Select Microsoft Authenticator
4. Set the policy to Enabled for the target users/groups

Microsoft documents Authenticator as supporting passwordless sign-in and passkeys. (Microsoft Learn)

---

Step A2: Confirm “System-preferred MFA” is Microsoft-managed

1. In Entra admin center go to: Entra ID → Authentication methods → Settings
2. Verify System-preferred multifactor authentication (MFA) is enabled and set to Microsoft-managed (system preferred)

This setting is explicitly described in Microsoft’s “system-preferred MFA” documentation and referenced in the community discussion. (Microsoft Learn)

---

Step A3: User enrollment flow for Authenticator passwordless

You need to get users enrolled properly (this is where many deployments stall).

User steps (standard)

1. User goes to Security info (My Sign-ins / Security info page)
2. Register Microsoft Authenticator as a sign-in method
3. On the phone, open Microsoft Authenticator → enable Passwordless sign-in for the account

Microsoft documents these exact high-level steps. (Microsoft Learn)

---

Part B: Bootstrap shared-device users with Temporary Access Pass (TAP)

For shared devices, TAP is often the cleanest way to avoid passwords during first-time setup.

Step B1: Enable the TAP method in Entra (tenant policy)

1. Entra admin center → Entra ID → Protection → Authentication methods
2. Select Temporary Access Pass
3. Enable and configure:
   • Allowed users/groups
   • Lifetime
   • One-time vs multi-use

Microsoft provides the TAP configuration workflow and the per-user issuance workflow. (Microsoft Learn)

Step B2: Issue a TAP for a user (helpdesk workflow)

1. Entra admin center → Entra ID → Users
2. Select the user → Authentication methods
3. Select Add authentication method
4. Choose Temporary Access Pass
5. Set duration/activation and create it

Microsoft documents this exact flow. (Microsoft Learn)

Operational guidance for shared devices

• Use short-lived TAPs (for example 30–60 minutes) and preferably one-time use.
• Treat TAP like a high-value credential.

---

Part C: Enable Web sign-in on Windows via Intune (optional but common for shared devices)

Web sign-in can enable modern auth flows at the Windows sign-in screen. Microsoft describes the feature and its purpose. (Microsoft Learn)

Step C1: Create the Intune policy (Settings catalog)

1. Intune admin center → Devices → Windows → Configuration profiles
2. Create → New policy
   • Platform: Windows 10 and later
   • Profile type: Settings catalog
3. In Settings catalog, search for Web sign-in or the CSP path setting:
   • CSP is documented as: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn (LinkedIn)
4. Set Enable Web Sign-in = Enabled
5. Assign to the shared device group

Microsoft’s Web sign-in overview provides the feature context; the CSP path is commonly referenced for Intune implementation. (Microsoft Learn)

Step C2: Validate Web sign-in is active

• On a targeted device, confirm the Web sign-in option appears on the sign-in screen (behavior varies by build and configuration).
• In Intune: monitor the profile assignment status under the policy.

---

Part D: Enforce “passwordless” with Conditional Access (apps and resources)

This is where you move from “allowed” to “required.”

Step D1: Create a Conditional Access policy for target users

1. Entra admin center → Protection → Conditional Access
2. Create a policy scoped to:
   • Users: your shared-device users (pilot group first)
   • Cloud apps: start with Microsoft 365 or specific high-value apps
3. Require strong auth:
   • If using passkeys, consider enforcing an authentication strength that requires phishing-resistant methods (passkeys/FIDO2/WHfB depending on your strategy). Microsoft’s authentication overview strongly recommends phishing-resistant methods like WHfB and passkeys (FIDO2). (Microsoft Learn)

Important nuance
Conditional Access primarily governs access to cloud apps and sessions. It does not “remove” the Windows password box by itself. Your aim is to make password sign-in non-viable for access, and drive users to the passwordless method you enable.

---

Part E: Optional but recommended: Enable passkeys (FIDO2) in Authenticator

If your end goal is “Authenticator, but phishing-resistant,” passkeys are the cleanest path.

Step E1: Enable passkeys (FIDO2) for the org

1. Entra admin center → Authentication methods
2. Enable Passkeys (FIDO2) for target users/groups

Microsoft documents enabling passkeys and explicitly notes support for device-bound passkeys stored in Microsoft Authenticator. (Microsoft Learn)

Step E2: Allow and enforce Authenticator passkeys (if desired)

Microsoft provides specific guidance for enabling passkeys in Authenticator and then enforcing them with CA authentication strengths. (Microsoft Learn)

Step E3: User registration (self-service)

Users register a passkey via Security info:

• Add sign-in method → Passkey (FIDO2) → complete registration

Microsoft documents the user registration flow. (Microsoft Learn)

---

Validation checklist (what to confirm in a pilot)

Use this to confirm the configuration is working end-to-end:

• Entra Authentication Methods: Microsoft Authenticator enabled for pilot users (Microsoft Learn)
• Entra Authentication Methods Settings: System-preferred MFA = Microsoft-managed (Microsoft Learn)
• Users can enroll Authenticator and enable passwordless (Microsoft Learn)
• TAP can be issued and used for first-time setup (Microsoft Learn)
• Intune policy applies successfully (if using Web sign-in) and Web sign-in is enabled (Microsoft Learn)
• Conditional Access policies enforce the intended authentication method for cloud access (Microsoft Learn)

---

Common pitfalls on shared devices

• Trying to solve it in Intune only. Auth methods are governed in Entra.
• No bootstrap method. Without TAP (or another bootstrap), onboarding users can devolve into password resets and helpdesk tickets. (Microsoft Learn)
• Expecting CA to change the Windows logon UI. CA enforces access, not the local sign-in screen.

---