
【AZ-900】Understanding Azure Sign-In Options: What is Single Sign-On, Multi-Factor Authentication, and Passwordless?


Hi, I’m Makoto, a freelance engineer.

In this article, I’ll explain the sign-in options for Azure (Microsoft Entra ID).

These are all important options for reducing the risks associated with complex ID management and password-based sign-ins. Please read through to the end.

What is Microsoft Entra ID?

If you’re not familiar with it, I suggest you read this article first!

【AZ-900】What is Microsoft Entra ID? How is it different from Active Directory?

Now, let’s get started!

What is Single Sign-On (SSO)?

Single sign-on (SSO) is a mechanism that allows you to sign in to multiple applications with a single authentication process.

For example, after signing in to the Azure Portal, you can sign in to the AWS Management Console without entering additional credentials.

Applications that integrate with Microsoft Entra ID can be selected from the gallery, enabling single sign-on to other public cloud services such as AWS and GCP, as well as commonly used business applications such as Salesforce and Dropbox Business.

Browse Microsoft Entra Gallery

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a system that authenticates users in multiple ways by requiring additional verification during the sign-in process, such as:

  • Enter a code sent to your phone
  • Perform a fingerprint scan

It’s commonly abbreviated as MFA.

MFA works by requiring two or more of the following authentication methods:

  • Something the user knows (such as a password)
  • Something the user has (such as a cell phone or hardware key)
  • Something the user is (biometrics such as fingerprint scans and facial recognition)

Secondary factors, such as physical possession or biometric information, cannot be easily obtained or replicated by attackers, increasing security.

Authentication methods that use two factors are specifically referred to as “Two-Factor Authentication” or “Two-Step Verification” (strictly speaking, there is a difference in definition between two-factor and two-step authentication, but we’ll treat them the same for the purposes of this discussion).
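To make the distinction between "two-step" and "two-factor" concrete, here is a small added example (written for this article, not Microsoft code) that classifies the sign-in methods used in an attempt into the three factor categories above and reports whether the attempt is genuinely multi-factor. The method names and the mapping table are a simplified model of my own, not an Entra ID authentication-method list.

```python
"""Classify sign-in methods into the three factor categories and decide
whether a sign-in counts as multi-factor (two or more distinct categories).

Added illustration for this article; not Microsoft code. The method names
and categories below are this example's own simplified model."""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Simplified mapping of common sign-in methods to factor categories
# (assumption: an illustrative table, not Entra ID's method catalogue).
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,        # code sent to the user's phone
    "authenticator_app": Factor.POSSESSION,
    "fido2_key": Factor.POSSESSION,       # hardware security key
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factors_used(methods):
    """Return the set of distinct factor categories among the given methods."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unknown sign-in method(s): {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def is_two_step(methods):
    """Two-step verification: the user completed two or more verification
    steps, regardless of whether they belong to different factor categories."""
    return len(methods) >= 2


def is_multi_factor(methods):
    """Multi-factor: two or more verification steps from distinct categories.
    A password plus a PIN is two steps but only one factor (both knowledge)."""
    return is_two_step(methods) and len(factors_used(methods)) >= 2


def describe(methods):
    """Human-readable verdict for a sign-in attempt."""
    cats = sorted(f.value for f in factors_used(methods))
    if is_multi_factor(methods):
        return f"MFA ({len(cats)} factors: {', '.join(cats)})"
    if is_two_step(methods):
        return f"two-step but single-factor ({cats[0]})"
    return f"single-step, single-factor ({cats[0]})"


if __name__ == "__main__":
    for attempt in (["password"], ["password", "pin"],
                    ["password", "sms_code"], ["fido2_key", "fingerprint"]):
        print(attempt, "->", describe(attempt))
```

The point the example makes is that a second step only strengthens the sign-in when it comes from a different category: a password followed by a PIN is still "something the user knows" twice, so an attacker who phishes both has everything they need, whereas a password plus a code on the user's phone requires compromising two unrelated things.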

To enable Two-Step Verification for administrator accounts, go to the Security Settings of your Microsoft account (see the official documentation for more information).

Reference:

You can also access it by clicking on “My Microsoft Account” in the account menu at the top right of the Azure portal, and then navigating from Security > Security dashboard.

My Microsoft account

You can enable it by clicking the “Turn on” link under Additional security > Two-step verification. You can also toggle “Passwordless” ON/OFF from this screen, which we’ll discuss later.

Enable Two-step verification

Additionally, you can force MFA for all users using Security Defaults, which are preconfigured basic rules, or Conditional Access.
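As an added example of what "forcing MFA for all users" with Conditional Access looks like in practice (this is an illustration I wrote for this article, not Entra ID's real policy engine), the policy below is laid out in the shape of a Microsoft Graph conditionalAccessPolicy object (displayName, state, conditions, grantControls); treating that layout as sufficient for evaluation is an assumption of the example, and the user and application ids are constructed placeholders. The small evaluator shows the one design decision every such policy needs: an emergency-access ("break-glass") account excluded from the rule so an MFA outage cannot lock administrators out of the tenant.

```python
"""Evaluate whether a sign-in would have to complete MFA under a
Conditional Access style policy.

Added example for this article; a simplified model, not Entra ID's policy
engine. The dictionary layout mirrors a Microsoft Graph
conditionalAccessPolicy object (assumption for illustration); ids are
constructed placeholders."""

ALL = "All"

# Constructed policy: require MFA for every user on every cloud app, but
# exclude one emergency-access account (placeholder id) so that an MFA
# outage cannot lock administrators out of the tenant.
REQUIRE_MFA_FOR_ALL = {
    "displayName": "Require MFA for all users",
    "state": "enabled",  # or "disabled" / "enabledForReportingButNotEnforced"
    "conditions": {
        "users": {
            "includeUsers": [ALL],
            "excludeUsers": ["<break-glass-account-object-id>"],  # placeholder
        },
        "applications": {
            "includeApplications": [ALL],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def _in_scope(value, include, exclude):
    """A target is in scope if it is included (explicitly or via 'All')
    and not explicitly excluded; exclusions always win."""
    if value in exclude:
        return False
    return ALL in include or value in include


def policy_applies(policy, user_id, app_id):
    """True if an enforced policy's user and application conditions match."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return (_in_scope(user_id, users["includeUsers"],
                      users.get("excludeUsers", []))
            and _in_scope(app_id, apps["includeApplications"],
                          apps.get("excludeApplications", [])))


def mfa_required(policies, user_id, app_id):
    """MFA is required if any matching policy lists 'mfa' as a grant control."""
    return any(policy_applies(p, user_id, app_id)
               and "mfa" in p["grantControls"]["builtInControls"]
               for p in policies)


if __name__ == "__main__":
    for user in ("alice-object-id", "<break-glass-account-object-id>"):
        print(user, "->", "MFA required" if mfa_required(
            [REQUIRE_MFA_FOR_ALL], user, "azure-portal-app-id") else "no MFA")
```

Security Defaults give you the same "MFA for everyone" outcome with no policy to write, which is why they are the recommended starting point; Conditional Access is what you move to when you need scoping like the exclusion above, or different requirements per application or per sign-in risk.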

What is Passwordless?

Passwordless is, as the name suggests, a mechanism for authentication without entering a password. It removes passwords entirely and authenticates with more secure methods instead.

This differs from Single Sign-On (SSO), explained earlier: SSO reduces how often you have to authenticate, while passwordless removes the password altogether.

Passwordless authentication options include:

  • Windows Hello for Business (biometric authentication)
  • Microsoft Authenticator app (authentication app)
  • FIDO2 security keys (hardware keys)

Reference:

FIDO2 is the name of an authentication standard.

Multi-factor authentication (MFA) requires users to set up an authenticator app or hardware token, and prompting for MFA at every sign-in can degrade the user experience.

Passwordless is emerging as a next-generation authentication technology that solves these problems and offers the following benefits:

  • Reduce the risk of password compromise
  • Improve user experience
  • Reduce costs associated with password management

The process for enabling passwordless for Microsoft accounts is similar to the process for enabling MFA described earlier.

Enable Passwordless

However, there are several prerequisites for enabling passwordless for Microsoft Entra ID users (organizational accounts).

You probably won’t be asked about the detailed steps in the AZ-900 exam, so knowing the overview should be sufficient.

Reference:

For detailed steps on enabling passwordless, please refer to the following official documentation:

Plan a passwordless authentication deployment in Microsoft Entra ID

Summary

In this article, we explained the Azure (Microsoft Entra ID) sign-in options. Here’s a summary table of each sign-in option:

Sign-in Option                    | Description
Single Sign-On (SSO)              | Sign in to multiple applications with a single authentication
Multi-Factor Authentication (MFA) | Sign in using a combination of two or more factors
Passwordless                      | Sign in using biometric authentication or possession information without entering a password

These authentication options are becoming more common not only in Azure, but in various services around the world. Let’s understand their differences and use them effectively, not just for exam preparation.

See you next time.
