As I was trying out FIDO2 support in Windows 10 (see my blog here), I was disappointed that the one thing that I couldn’t do with the FIDO2 key was to join a device to Azure AD. For that, I still needed to use a username (UPN/e-mail address) and password. This is on the roadmap, so it will show up at some point in the future. But the Azure AD team said that if I wanted to do password-less Azure AD Join, I could do that today, and pointed to the official docs on phone sign-in. I had my doubts, but I decided to try it anyway.
The basic concept is tied to the Microsoft Authenticator app. The first step would be to set that up. If you haven’t done that in a while, I believe it’s easier than it used to be:
- Sign into https://mysignins.microsoft.com with your Azure AD account, then click the “Security info” link on the left (or sign into http://myprofile.microsoft.com and then click “Security info” to get to the mysignins.microsoft.com page).
- Click “Add method” and then choose “Authenticator app.”
- Walk through the wizard until you get to the QR code.
- In the Authenticator app, add a work or school account and take a picture of the QR code to add the account.
But if that’s all you do, you will probably find that the “Enable phone sign-in” option is disabled. To enable it, the phone needs to be MDM-managed. Alright, I can do that (although since I’m using a test tenant to do this, I needed a different phone, as my work phone is already enrolled in the @microsoft.com tenant). OK, I did that (using Android 9 and the Intune Company Portal app – that was also a little challenging, because I was using the same account that I routinely use to test Autopilot scenarios, so Intune wouldn’t let me enroll this “personal” Android phone until I cleaned up all of those old Intune devices). After that, I could “Enable phone sign-in” by clicking on the down arrow on the account I added in Authenticator.
The next step: Trying it with a Windows 10 1903 device registered with Windows Autopilot. I booted the device up and typed in the account’s UPN (e-mail address):
And instead of seeing a password screen next, I saw this instead:
And sure enough, there was a notification on my phone from the Authenticator app asking me to click on the right number:
As soon as I clicked on the number and then “Approve”, the Azure AD Join was completed and the process continued to the enrollment status page:
And then the user was automatically signed on and asked to set up Windows Hello for Business (to avoid any subsequent password requests – a PIN or biometrics can be used instead).
There is a potential gotcha though: If there is a reboot during or at the end of the device ESP process, before the user is signed in and sets up Windows Hello for Business, then you’re stuck again because the Windows sign-in page doesn’t support signing in with phone sign-in. To sign into Windows 10 in this case, you’ll still need to use a password (or a FIDO2 key), then set up Windows Hello for Business to avoid that in the future. (For security reasons, we can’t save authentication details provided in OOBE to disk. We’re still looking at options to enable that – if it is of interest to you, please let us know via https://microsoftintune.uservoice.com/.)
Categories: Azure Active Directory, Windows 10, Windows Autopilot
Thank you! Great and to-the-point article. The most important thing I, personally, got from this is the very bottom, where you indicate “the Windows sign-in page doesn’t support signing in with phone sign-in.” I really didn’t find that spelled out clearly elsewhere and was looking to enable it.