Share via


Passwordless for Students

With the rise of security threats, it's critical that schools start to think about ways to use security features typically avoided for students.

This article describes a way to use passwordless credentials in schools.

Requirements:

  • A license or bundle that includes Entra P1.

Distributing passwordless phishing resistant credentials to students has been challenging due to the multifactor authentication (MFA) requirement for setup (sometimes referred to as bootstrapping). Temporary Access Pass (TAP) provides a phone free option for users to set up credentials, including device-bound passwordless credentials.

A Temporary Access Pass is a time-limited passcode that can be configured for single or multiple use. Users can sign in with a TAP to onboard other passwordless authentication methods, such as Microsoft Authenticator, FIDO2, Windows Hello for Business, Platform single sign-on (SSO) with Secure Enclave, and Passkeys.

Administrators can create a TAP and distribute to students. Students can use the TAP to create the passwordless credential. Students can then use the passworldess credential to sign in to the device.

A diagram showing the steps to create and use a passwordless credential for students by authenticating using temporary access pass. First, the admin creates TAP. Second, the student uses TAP to create passwordless credential. Third, the student uses passwordless credential.

Each operating system has a different implementation for device-bound passwordless credentials:

Operating system Hardware bound key technology Suitable for Hardware requirement Biometric information
Windows Windows Hello for Business 1:1 devices Trusted Platform Module (TPM) Windows Hello
macOS Platform SSO with Secure Enclave (preview) 1:1 devices Secure Enclave TouchID
iOS Passkeys with Microsoft Authenticator (preview) 1:1 devices iOS 16+ FaceID
Android Passkeys with Microsoft Authenticator (preview) 1:1 devices Android 14+ OEM-specific
Windows, macOS FIDO2 Security Keys 1:1 or shared devices FIDO2 Security Key Various
Passkeys (syncable) - coming later in 2024 n/a Not hardware bound – protection varies by passkey provider vendor n/a Various

These technologies provide Phishing-resistant authentication strength because they use a combination of a hardware bound private key, the user's physical possession of that device. The local device PIN or password used to unlock or "release" the device specific private key. The private key never leaves the device or is transmitted over the network. Microsoft Entra ID only possesses a corresponding public key used to validate data signed by the hardware bound private key. The PIN or local password is device specific and can't be used to log into services or other devices (unless the user uses the same PIN).

Tip

For the best passwordless experience on 1:1 devices for K-12 Students and Devices, Microsoft recommends TAP + Windows Hello (or other platform specific hardware bound key technology). For shared devices, Microsoft recommends FIDO2 Security Keys.

For more information about Passwordless and Microsoft Entra ID, see Microsoft Entra passwordless sign-in.

Passwordless user experience

These steps demonstrate the user experience during Autopilot in the following conditions:

  • The user has a temporary access pass.
  • Windows Hello for Business is enabled for this device.

If the device is already provisioned, the experience is the same from step 2 when the user logs in to a device with Windows Hello for Business enabled.

  1. Sign in with a work or school account and use the temporary access pass to start Autopilot.
  2. After provisioning is complete, the user is prompted to configure Windows Hello for Business.
  3. The user is prompted to enter their temporary access pass.
  4. The user creates a PIN and sets up biometric credentials if supported by the device.
  5. The user can now sign in with their PIN or biometrics.

A GIF demonstrating the experience of configuring Windows Hello for Business using Temporary Access Pass during Autopilot user-driven mode.

User experience when a user doesn't have a TAP or the TAP is expired

If the user doesn't have a temporary access pass when going through Autopilot, they are prompted to register for multifactor authentication:

A screenshot showing the Windows Hello for Business more information required screen.

If you assign a temporary access pass to a user and ask them to try again or restart the computer, users are prompted to use the temporary access pass instead.

Planning for Passwordless

The main challenge of provisioning passwordless credentials to students is distributing the TAP.

Options include:

  • Generating TAP when passwords are provided to students for the first time or providing only a TAP and no password to enforce passwordless.
  • Generating and distributing a TAP when students receive new devices.
  • Enabling the passwordless authentication options and asking students to configure them and call IT support to request a TAP when setting it up.
  • Delegating access to create TAP to local IT or teachers.

You can use Authentication Methods in Entra to control which users can use specific types of authentication methods. For example, you could allow teachers and staff to use Microsoft Authenticator but only allow students to use Temporary Access Pass.

Target user attributes Typical users Authentication Methods
Can use iOS or Android devices in addition to their main device Staff, university students, students in schools where mobile devices are allowed ✔️ Microsoft Authenticator
✔️ Temporary Access Pass
✔️ FIDO2 Security Key
✔️ Passkeys
No mobile device access K-12 students ✔️ Temporary Access Pass
✔️ FIDO2 Security Key
✔️ Passkeys

For more information about the authentication methods available in Entra, see Authentication Methods.

Configure Authentication Methods

  1. Configure Entra to use Authentication Methods policies

    Authentication methods can be configured after multifactor authentication and self-service password reset policy settings are migrated to the Authentication Methods functionality. For more information, see How to migrate MFA and Self Service Password Reset policy settings to the Authentication methods policy for Microsoft Entra ID.

  2. Configure the authentication methods based on your requirements

    Use Authentication Methods to target the required configuration at groups of users. For more information, see Authentication Methods. For example:

    • Change the target groups for Phone, SMS, Microsoft Authenticator methods to include staff and exclude students.
    • Change the target group of Temporary Access Pass to include students.
  3. Issue Temporary Access Pass

    Administrators can issue Temporary access passes and distribute them to users. For more information, see Create a temporary access pass.

Configure Devices

Configure the passwordless sign in method for each operating system to meet your requirements.

For Intune-managed devices, there are two methods for configuring Windows Hello for Business:

  • Tenant-wide. The tenant wide Windows Hello for Business policies in Devices > Windows > Windows Enrollment > Windows Hello for Business. It's typical for schools to disable Windows Hello for Business to avoid students being asked to set up multifactor authentication during sign in.
  • Targeted using policies. Targeted policies take precedence over the tenant-wide policy, allowing settings to be targeted at groups or to stage the rollout.

For more information, see Configure Windows Hello for Business.

Additional steps are required to configure single sign-on access to on premises resources with Windows Hello for Business credentials. For more information, see Configure single sign-on for Microsoft Entra joined devices.

Customize the Windows Hello for Business experience

These settings are optional but can be used to customize the Windows Hello for Business experience.

  • DisablePostLogonProvisioning – By default Windows Hello for Business requires provisioning during sign-in. With this setting enabled, the sign-in prompt is disabled. Users can configure Windows Hello for Business in the settings app.

    Configuration Value
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/**Microsoft Entra ID Tenant ID**/Policies/DisablePostLogonProvisioning
    Data type: Boolean
    Value: True
  • EnablePasswordlessExperience - When the policy is enabled on Windows 11, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see Windows passwordless experience.

    Configuration Value
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
    Data type: Integer
    Value: 1

For steps on creating a custom policy, see Add custom settings for Windows 10/11 devices in Microsoft Intune.

Monitor Passworldess Authentication

Entra includes reports for monitoring authentication methods. For more information, see Authentication Methods Activity.

Use the reports to see your rollout progress and identify when users are using paswordless credentials.

Enforce Authentication Strength with Conditional Access

Access to services that use Microsoft Entra ID for authentication can be restricted based on authentication method strength, among other conditions, using Conditional Access.

For example, to require students access services using Microsoft Entra ID for authentication use a managed device with passwordless credentials, configure a Conditional Access policy with these settings:

Configuration Value
Name Students
Target All students
Grant Complaint device: yes
Authentication strength: Phishing-resistant

For more information on authentication strength in conditional access policies, see Overview of Microsoft Entra authentication strength.

For instructions on configuring Conditional Access policies, see What is Conditional Access in Microsoft Entra ID?.

Tip

In scenarios where devices are shared among multiple users, an alternative passwordless authentication option is FIDO 2 security keys. Shared devices could be excluded from conditional access policies based on location however this isn't recommended.

Manage Passwordless Credentials

Passwordless credentials are unaffected by password changes, resets, or policies. If a device is compromised or stolen, you should follow procedures required by your security team. Some examples of actions could include:

  • Taking no action until a compromise is investigated.
  • Triggering a remote wipe of the compromised device.
  • Disabling the credential or user account.

If a device is compromised, you may choose to delete the associated passwordless credential from Microsoft Entra ID to prevent unauthorized use.

To remove an authentication method associated with a user account, delete the key from the user's authentication method. You can identify the associated device in the Detail column.

  1. Sign in to the Microsoft Entra admin center and search for the user whose passkey needs to be removed.
  2. Select Authentication methods > next to the relevant authentication method, select the "…" menu and then select Delete.

Next Steps

For more information about enrolling your devices into Intune, go to: