Fortnite 2fa barcode

By | April 27, 2022

[music]

James Poindexter: Good morning. The Azure AD Architecture Deep Dive series is here! I’m James Poindexter, and I work for Microsoft’s Azure AD Engineering team as a program manager.

Swetha Rai: Good day. My name is Swetha Rai, and I work for the Azure AD Engineering team as a program manager.

James: We’re a part of the Customer Experience team, and we help businesses and enterprises all over the world deploy our services and migrate to the cloud. We get a lot of questions about how Azure AD works behind the scenes, so we’ll answer them here. During this architecture series, you We’ll talk about passwordless phone sign-in with Microsoft Authenticator in today’s session, specifically the process that occurs when a user registers to use the service.

The app for authentication We’ll talk about how a user would use the app to authenticate themselves in a later video.

Swetha: According to research, the majority of hacking-related breaches involve the use of weak or stolen passwords. We’re taking a lot of steps at Microsoft toward a future without passwords. Are not the default authentication method for users. We provide our customers with three passwordless options: Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator. All of these solutions use asymmetric cryptography, in which the private keys are securely bound to a single device and a local gesture is required to access them. To unlock, use a biometric or a device PIN.

Swetha: Great question, James. When would someone choose the Microsoft Authenticator app over the other options? The Authenticator is best suited for scenarios that require users to sign into work or personal accounts using their mobile devices. Microsoft Authenticator, also known as MFA, is a tool that can be used to perform multi-factor authentication. This is accomplished by adding a one-time passcode or a push notification to the user’s password. The user can go to aka.ms/mfasetup to register for MFA with push notifications, scanning the QR code on that page. The user’s account will be automatically added to the Authenticator once the QR code is scanned. Following that, the user receives a push notification on their device, and the MFA services in Azure Active Directory link the device to the user’s account once it has been approved. The user has been activated to perform MFA via push notifications on their mobile device. The Microsoft Authenticator can also be used as a software token for users to sign into their work or personal accounts using a strong user credential that is tied to a device and uses a biometric or device PIN from a mobile phone.

James: Let’s take a closer look at that.

Swetha: Sure, what does it mean to have a strong user credential? When you can successfully verify two factors of authentication for a user during an authentication session, you have a strong authentication. Something you know, such as a password, something you are, such as a biometric gesture, and something you have, such as a device you own, are the three factors. When a user registers for passwordless sign-in with the Authenticator app, a key is generated and stored on the device, and it can only be accessed by the device’s owner. This is something you already possess. Furthermore, this is something that the device owner must do. To gain access to the key, they must use their device PIN or a biometric gesture, thereby satisfying the something you are factor for authentication. Thank you for explaining that, James. Although registration is a simple one-time process, there is a lot going on behind the scenes to make this seamless experience possible. Let’s take a closer look at what’s going on in the background.

Swetha: There are certain prerequisites users should be aware of before registering for passwordless sign-in with Microsoft Authenticator to enable this feature. On their mobile device, they will need to set up a device PIN or biometric gesture. They’ll also have to make sure that the device meets the OS’s and hardware’s minimum requirements. When a user enables Forms Sign-in on the Authenticator app, the Authenticator will attempt to obtain a token from Authentication Services within Azure AD by using device and MFA claims. This is the service in Azure AD that is in charge of handling all authentications. From here, the Authentication Services will use Device Services to start the device registration process. This is a good example. Is the Azure AD service in charge of registering devices and assigning them an identity that can be used to authenticate the device when the user logs in.

One thing to keep in mind when registering your device for passwordless phone sign-in is that it must be a smartphone. It must be registered to a tenant, and only one tenant can be registered at a time. This rules out shared device scenarios because you can only have one enterprise account on the Authenticator at a time. Just to be clear, you can always set up multiple workstations or school accounts, in order to perform MFA on the same device, such as receiving push notifications or one-time passwords. The passwordless phone sign-in restrictions we just discussed are only for passwordless phone sign-in. That is an excellent point. The Device Registration Service will now create and store a device object in the Core Store. The Core Store is Azure AD’s primary storage, containing user data, tenant policies, and other important information. Authentication Services will issue an MFA request after the user has successfully registered their device. The MFA push notification will be routed to the MFA service Apple’s or Google’s cloud messaging system Authenticator app. By approving the notification on their device, the user will then complete an MFA challenge. At the

Because we have a token with device and MFA claims at this point, an asymmetric key pair is generated on the device, consisting of a public key that will be shared with authentication services and a private key that will be kept on the device. Its own This private key is never shared and never leaves the device. The generated key pair’s public key is exported and sent to Device Services, which creates a key object and stores it in the Core Store. The user will be promptly notified of the challenge if they register for push notifications for passwordless sign-in. This will result in a better user experience because the user will be promptly notified of the challenge if they register for push notifications for passwordless sign-in. Notifications are sent to the Authenticator app via the appropriate Google or Apple cloud messaging system. Now that we’ve registered to be authenticated, James: into our account, we’ll discuss what happens when you authenticate using this method in a future video. We hope you enjoyed this video. We’ll also be adding more videos on passwordless solutions like Windows Hello for Business and FIDO2, as well as other topics like provisioning, governance, and more. If you would like a copy of the diagrams, please contact us.

Please follow the link on the screen if you want to give us feedback and help us figure out what to cover. Thank you for watching, Swetha. Thank you, James. [instrumental music]