Azure

Microsoft Entra ID Passwordless Authentication Complete Guide: Authenticator, FIDO2, Windows Hello, TAP, CBA

2026-05-24
NicheeLab Editorial Team

Passwordless authentication lets users sign in without ever typing a password, and is widely considered the endgame of modern enterprise security strategy. Microsoft's internal data shows passwordless is 99.9% safer than password + MFA, and Microsoft itself has already completed full internal passwordless adoption. This article walks through all five passwordless methods in Microsoft Entra ID, when to use each, and a phased rollout roadmap.

The Five Passwordless Methods

MethodForm FactorSecurityCostBest For
Microsoft AuthenticatorSmartphone app pushHighMinimalCompany-wide standard
FIDO2 security keyUSB/NFC hardwareHighest~USD 50 per keyPrivileged roles
Windows Hello for BusinessBiometrics + TPMHighFreeWindows users
Temporary Access Pass (TAP)Time-bound OTPMediumFreeOnboarding / emergency
Certificate-based (CBA)Smart cardHighestCards + PKIGovernment / finance

Microsoft Authenticator

Authentication via smartphone push approval plus number matching. The most widely adopted method — minimal cost, easy to deploy, and the standard for all employees.

Number Matching (standardized in 2023)

At sign-in, a two-digit number is shown on the web side and the user must enter it in the Authenticator app.

  • Plain push notifications (tap Yes/No) were vulnerable to MFA fatigue attacks
  • Number Matching now requires the user to physically prove they are operating the same session
  • Microsoft enforced Number Matching tenant-wide in May 2023
  • Social-engineering-based MFA bypasses have dropped significantly

FIDO2 Security Keys

FIDO2 (Fast IDentity Online v2) is hardware-token authentication based on the WebAuthn standard. Highest security of any passwordless method.

Supported Keys

  • YubiKey 5 series (most popular)
  • Feitian ePass
  • SoloKey
  • Other Microsoft-certified keys

Rollout Steps

  1. Enable the Passkey (FIDO2) method in Microsoft Entra ID (Authentication methods policy)
  2. Use Conditional Access to require FIDO2 for privileged roles
  3. Users register a FIDO2 key in Entra ID Security info (set a PIN and touch the key)
  4. Sign in thereafter with the FIDO2 key (USB insert or NFC tap + touch + PIN)

Cost: about USD 50 per YubiKey 5 NFC. Equipping 10-50 privileged users runs into the low thousands of dollars for a major security boost. Always keep two backup keys per user (one stored in a secure offsite location).

Windows Hello for Business

The passwordless authentication built into Windows 10/11. It uses biometrics (face or fingerprint) or a PIN backed by the TPM.

Three Deployment Models

ModelRequirementsRecommendation
Cloud Kerberos TrustNo Entra Connect requiredTop pick (simplest)
Hybrid Cloud TrustEntra Connect + Hybrid JoinedFor existing hybrid environments
On-premisesOn-prem AD-centricLegacy

Cloud Kerberos Trust is the simplest model and ideal for organizations managing Windows devices with Entra ID + Intune. The standard pattern is to push a Configuration Profile from Intune that requires Windows Hello for Business across the company.

Temporary Access Pass (TAP)

A time-bound one-time passcode used as a fallback when users register or lose Microsoft Authenticator or FIDO2 keys.

Typical Use Cases

  • New-hire onboarding: hand the new hire a TAP for day-one access, then have them register Authenticator
  • Emergency access after losing a FIDO2 key: reauthenticate with a TAP, then register a new FIDO2 key
  • Initial access to legacy accounts after enforcing passwordless

How to Generate

  • In the Entra ID admin center: user → Authentication methods → Temporary Access Pass → Generate
  • Lifetime 1 hour to 30 days, usage count configurable, one-time or multi-use

In production, the standard pattern is to delegate TAP issuance to the IT help desk team to streamline user support.

Certificate-based Authentication (CBA)

Authentication that stores certificates on smart cards, PIV cards, or USB tokens and authenticates via PKI.

  • Compliance for government and financial institutions
  • Supports standards like HSPD-12 (US government), eIDAS (EU), and My Number Card (Japan)
  • Native support via Microsoft Entra Certificate-based Authentication (GA 2023, direct Entra ID authentication without AD FS)
  • Certificate revocation checks via CRL / OCSP
  • High deployment cost (PKI build-out, card readers, card issuance)

Phased Rollout Roadmap

A 12-18 month plan for full passwordless migration:

Phase 1 (months 1-3): Company-wide Authenticator rollout

  • Enforce Microsoft Authenticator for all employees
  • Enforce Number Matching (already standardized by Microsoft)
  • Recommend passwordless (passwords still allowed)

Phase 2 (months 3-6): Windows Hello + FIDO2 for privileged roles

  • Enforce Windows Hello for Business on every Windows device (via Intune)
  • Deploy FIDO2 to about 50 privileged users
  • Use Authentication strength policy to require passwordless for critical apps

Phase 3 (months 6-12): Block password authentication

  • Enable a Conditional Access policy that blocks password authentication
  • Complete passwordless migration (Self-Service Password Reset reserved for emergencies)

Phase 4 (months 12-18): Disable weak MFA

  • Disable legacy MFA (SMS, voice call) in the Authentication methods policy
  • Consolidate on the strongest MFA methods only

Operational Best Practices

  1. All employees = Microsoft Authenticator + Number Matching as the minimum baseline
  2. Privileged roles (Global Admin, PIM-eligible) = FIDO2 security key mandatory
  3. Keep two backup FIDO2 keys per user (one in secure storage)
  4. Enforce Windows Hello for Business on Windows users via Intune
  5. Issue a TAP to new hires on day one and guide them through Authenticator registration
  6. Use Conditional Access Authentication strength to require passwordless for critical apps
  7. Phase out SMS MFA over time (anti-phishing)
  8. Enforce auto-updates for the Microsoft Authenticator app (Intune App Protection Policy)
  9. Continuously monitor MFA failure rates in Microsoft Sentinel
  10. Review passwordless adoption rates regularly (Authentication Methods Activity report)

Related Certifications

Frequently Asked Questions

What is passwordless authentication?

Passwordless authentication lets users sign in without typing a password. Microsoft Entra ID offers five primary methods: Microsoft Authenticator (push notifications), FIDO2 security keys, Windows Hello for Business, Temporary Access Pass (TAP), and Certificate-based Authentication (CBA). It eliminates phishing, credential-stuffing attacks, password-reset overhead, and the mental load of remembering passwords. Microsoft's internal stats say passwordless is 99.9% safer than password + MFA, and Microsoft itself completed full internal passwordless adoption in the early 2020s. It is widely regarded as the endgame of modern enterprise security strategy.

How do you choose between the five passwordless methods?

Microsoft Authenticator (push): smartphone push approval plus number matching — most widely adopted, lowest cost, standard for all employees. FIDO2 security keys (e.g., YubiKey): USB/NFC hardware tokens with the highest security, ideal for privileged roles. Windows Hello for Business (biometrics + TPM): built-in fingerprint/face recognition on Windows devices, ideal for Windows-centric organizations. Temporary Access Pass (TAP): time-limited one-time passcode for onboarding new hires or recovering from lost FIDO keys. Certificate-based Authentication (CBA): smart cards or PIV cards for government and financial-sector compliance. The standard layered pattern: all employees = Microsoft Authenticator + Windows Hello, privileged roles = mandatory FIDO2, emergencies = TAP, regulated industries = CBA.

What is Number Matching in Microsoft Authenticator?

Number Matching is an MFA security feature standardized in Microsoft Authenticator from 2023. At sign-in, a two-digit number is displayed on the web side, and the user must enter it on their Authenticator app. Plain push notifications (tap Yes/No) were vulnerable to MFA fatigue attacks (flooding the user with push prompts until they tap Yes by mistake). Number Matching forces the user to prove they are physically operating the same session. Microsoft enforced Number Matching tenant-wide in May 2023, so every Authenticator user now experiences it automatically. The result has been a major drop in social-engineering-based MFA bypasses.

How do you roll out FIDO2 security keys?

FIDO2 (Fast IDentity Online v2) is hardware-token authentication based on the WebAuthn standard. Microsoft-certified keys include the YubiKey 5 series, Feitian, and SoloKey. Rollout steps: 1) Enable the Passkey (FIDO2) method in Microsoft Entra ID's Authentication methods policy, 2) Use Conditional Access to require FIDO2 for privileged roles, 3) Have users register a FIDO2 key in Entra ID Security info (set a PIN and touch the key), 4) Sign in with the FIDO2 key thereafter (USB insert or NFC tap + touch + PIN). Cost: about USD 50 per YubiKey 5 NFC, so equipping 10-50 privileged users runs into the low thousands of dollars for a major security boost. Always keep two backup keys per user (one stored in a secure offsite location).

How do you configure Windows Hello for Business?

Windows Hello for Business is the passwordless authentication built into Windows 10/11. It uses biometrics (face or fingerprint) or a PIN backed by the TPM (Trusted Platform Module). There are three deployment models: Cloud Kerberos Trust (recommended, no Entra Connect required), Hybrid Cloud Trust (requires Entra Connect and Azure AD Hybrid Join), and On-premises (centered on on-prem AD). Cloud Kerberos Trust is the simplest and ideal for organizations managing Windows devices with Entra ID + Intune. Biometrics require Windows Hello-compatible sensors (Surface, recent ThinkPads, etc.); non-compatible devices fall back to PIN-based sign-in. The standard pattern is to push a Configuration Profile from Intune that requires Windows Hello for Business across the company.

How do you use Temporary Access Pass (TAP)?

Temporary Access Pass (TAP) is a time-bound one-time passcode used as a fallback when users register or lose Microsoft Authenticator or FIDO2 keys. Typical use cases: 1) New-hire onboarding (hand the new hire a TAP to sign in on day one and then register Authenticator), 2) Emergency access after losing a FIDO2 key (use TAP to reauthenticate, then register a new FIDO2 key), 3) Initial access to legacy accounts after enforcing passwordless. To generate one, go to the Entra ID admin center → user → Authentication methods → Temporary Access Pass → Generate (lifetime 1 hour to 30 days, usage count configurable, one-time or multi-use). In production, the standard pattern is to delegate TAP issuance to the IT help desk team to streamline user support.

What is the rollout roadmap for going passwordless?

A phased rollout is recommended. Phase 1 (months 1-3): roll out Microsoft Authenticator company-wide, enforce Number Matching, and recommend passwordless (passwords still allowed). Phase 2 (months 3-6): enforce Windows Hello for Business on every Windows device and deploy FIDO2 to about 50 privileged users. Phase 3 (months 6-12): enable a Conditional Access policy that blocks password authentication and complete the passwordless migration (Self-Service Password Reset reserved for emergencies). Phase 4 (months 12-18): disable legacy MFA (SMS, voice call) in the Authentication methods policy and consolidate on the strongest MFA methods only. Microsoft's Zero Trust Adoption Framework provides guidance, and the Authentication strength policy lets you fine-tune how strictly to enforce.

Which certifications cover this material?

SC-300 (Identity and Access Administrator Associate) is the primary certification for this area — passwordless is covered in depth in Domain 2 (Authentication, 25-30%). SC-100 (Cybersecurity Architect Expert) covers authentication hardening as part of Zero Trust strategy; MS-102 (Microsoft 365 Administrator Expert) Domain 2 covers company-wide rollout strategy; and AZ-104 (Administrator) covers the basics. It is required knowledge across all Microsoft security certifications, and a core technology of the Identities pillar of Zero Trust.

Related articles and deep dives

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Microsoft Entra ID Governance 完全ガイド|Entitlement Management・Access Review・Lifecycle Workflows【2026 年版】

Microsoft Entra ID Governance の完全ガイド。Entitlement Management (Access Package)・Access Review・PIM・Lifecycle Workflows・Terms of Use・B2B/B2C を網羅解説。SOC2 / ISO 27001 コンプライアンス対応、JML プロセス自動化、関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

Microsoft Entra B2B / External ID 完全ガイド|パートナー招待・顧客認証・Cross-tenant Settings【2026 年版】

Microsoft Entra B2B Collaboration (パートナー組織招待) と External ID for customers (顧客認証) の完全ガイド。ゲスト招待フロー・Cross-tenant Access Settings・External Tenant 構成・Entitlement Management 自動化・Conditional Access 統合・関連認定試験 (SC-300 / MS-102 / SC-100) を日本語で網羅。

Microsoft Entra MFA 詳細ガイド|認証方式選定・Conditional Access・Number Matching・Phishing-resistant MFA【2026 年版】

Microsoft Entra Multi-Factor Authentication (MFA) の詳細ガイド。10 種類の認証方式選定・Conditional Access での MFA 強制・Per-user MFA vs Conditional Access MFA・Security Defaults・MFA Fatigue 攻撃対策・Phishing-resistant MFA・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

Technical information in this article is based on the Microsoft Entra Passwordless Authentication Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship relationship. Microsoft, Azure, Microsoft Entra, and Windows Hello are trademarks of the Microsoft group of companies. FIDO2 / WebAuthn are standards from the FIDO Alliance / W3C. Information is based on official materials published as of May 24, 2026. Always confirm the latest details on the official pages.

Check what you learned with practice questions

Practice with certification-focused question sets

Browse Azure exam prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.