Hi, I’m Makoto, a freelance engineer.
In this article, I’ll explain the sign-in options for Azure (Microsoft Entra ID).
These are all important options for reducing the risks associated with complex ID management and password-based sign-ins. Please read through to the end.
If you’re not familiar with it, I suggest you read this article first!
Now, let’s get started!
What is Single Sign-On (SSO)?
Single sign-on (SSO) is a mechanism that allows you to sign in to multiple applications with a single authentication process.
For example, after signing in to the Azure Portal, you can sign in to the AWS Management Console without entering additional credentials.
Applications that integrate with Microsoft Entra ID can be selected from the gallery, enabling single sign-on to other public cloud services such as AWS and GCP, as well as commonly used business applications such as Salesforce and Dropbox Business.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is a system that verifies a user in more than one way by requiring additional verification during the sign-in process, such as:
- Entering a code sent to your phone
- Performing a fingerprint scan
It’s commonly abbreviated as MFA.
MFA works by requiring two or more of the following authentication methods:
- Something the user knows (such as a password)
- Something the user has (such as a cell phone or hardware key)
- Something the user is (biometrics such as fingerprint scans and facial recognition)
Secondary factors, such as physical possession or biometric information, cannot be easily obtained or replicated by attackers, increasing security.
Authentication methods that use two factors are specifically referred to as “Two-Factor Authentication” or “Two-Step Verification” (strictly speaking, there is a difference in definition between two-factor and two-step authentication, but we’ll treat them the same for the purposes of this discussion).
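The following is an added example, not code from the original article or from Microsoft. It maps sign-in methods to the three factor categories listed above and shows the strict distinction: two steps from the same category (password plus security question) are two-step but not multi-factor. The method labels and sample sign-ins are hypothetical and constructed for illustration; they are not Entra ID API values.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"

# Hypothetical method labels (assumptions, not Entra ID API values).
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "authenticator_app": Factor.POSSESSION,
    "fido2_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

def classify_sign_in(methods):
    """Classify one sign-in by the methods the user presented."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unmapped method(s): {unknown}")
    factors = {METHOD_FACTOR[m] for m in methods}
    return {
        "factors": sorted(f.name for f in factors),
        "multi_factor": len(factors) >= 2,
        "two_step_only": len(set(methods)) >= 2 and len(factors) == 1,
        "uses_password": "password" in methods,
    }

def weak_sign_ins(events):
    """Return (user, reason) for sign-ins that do not meet the MFA definition."""
    findings = []
    for user, methods in events:
        result = classify_sign_in(methods)
        if result["two_step_only"]:
            findings.append((user, "two steps, one factor category"))
        elif not result["multi_factor"]:
            findings.append((user, "single factor"))
    return findings

# Constructed sample sign-ins: (user, methods presented).
SAMPLE_EVENTS = [
    ("admin@example.com", ["password"]),
    ("alice@example.com", ["password", "security_question"]),
    ("bob@example.com", ["password", "authenticator_app"]),
    ("carol@example.com", ["fido2_key", "fingerprint"]),  # two factors, no password
]

print(weak_sign_ins(SAMPLE_EVENTS))
```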
To enable Two-Step Verification for administrator accounts, go to the Security Settings of your Microsoft account (see the official documentation for more information).
Reference:
You can also access it by clicking on “My Microsoft Account” in the account menu at the top right of the Azure portal, and then navigating from Security > Security dashboard.
You can enable it by clicking the “Turn on” link under Additional security > Two-step verification. You can also toggle “Passwordless” ON/OFF from this screen, which we’ll discuss later.
Additionally, you can force MFA for all users using Security Defaults, which are preconfigured basic rules, or Conditional Access.
What is Passwordless?
Passwordless is, as the name suggests, a mechanism for authentication without entering a password. It removes passwords from the sign-in process and authenticates using more secure methods.
This is different from Single Sign-On (SSO), explained earlier, because it eliminates passwords altogether.
Passwordless authentication options include:
- Windows Hello for Business (biometric authentication)
- Microsoft Authenticator app (authentication app)
- FIDO2 security keys (hardware keys)
Reference:
FIDO2 is the name of an authentication standard.
Multi-factor authentication (MFA) requires setting up an authentication app or hardware tokens, and requiring MFA at every login can degrade the user experience.
Passwordless is emerging as a next-generation authentication technology that solves these problems and offers the following benefits:
- Reduce the risk of password compromise
- Improve user experience
- Reduce costs associated with password management
The process for enabling passwordless for Microsoft accounts is similar to the process for enabling MFA described earlier.
However, there are several prerequisites for enabling passwordless for Microsoft Entra ID users (organizational accounts).
You probably won’t be asked about the detailed steps in the AZ-900 exam, so knowing the overview should be sufficient.
Reference:
For detailed steps on enabling passwordless, please refer to the following official documentation:
Plan a passwordless authentication deployment in Microsoft Entra ID
Summary
In this article, we explained the Azure (Microsoft Entra ID) sign-in options. Here’s a summary table of each sign-in option:
| Sign-in Option | Description |
|---|---|
| Single Sign-On (SSO) | Sign in to multiple applications with a single authentication |
| Multi-Factor Authentication (MFA) | Sign in using a combination of two or more factors |
| Passwordless | Sign in using biometric authentication or possession information without entering a password |
These authentication options are becoming more common not only in Azure, but in various services around the world. Let’s understand their differences and use them effectively, not just for exam preparation.
See you next time.