Going Passwordless with Entra ID: Our Experience, Challenges, and Lessons Learned

In our recent journey to go passwordless with Entra ID, we discovered that achieving a truly secure and user-friendly passwordless environment is far from straightforward. From technical limitations to unexpected system conflicts, the transition has required careful planning and adaptation. In this post, I’ll share our key experiences, challenges, and takeaways from the past 60 days as we move toward a passwordless future for our organization.

Why Go Passwordless?

The goal of going passwordless is to improve security by eliminating traditional passwords, which are vulnerable to phishing and brute-force attacks. Instead, passwordless solutions rely on more secure methods like biometrics, device-based authentication, or PINs. However, implementing passwordless authentication is complex—particularly for an organization with a diverse user base and various access requirements.

Early Challenges and Unexpected Setbacks

Our journey began with the latest Windows 24H2 update, which, to our surprise, interfered with Entra ID’s passwordless features. Additionally, Entra ID doesn’t currently allow you to create users without passwords, meaning we had to find ways to secure and manage these initial passwords effectively. We also had to address fundamental questions, such as:

  • What happens if a user forgets their PIN?
  • How can system and admin accounts operate without passwords?
  • What’s the process for setting up new users securely without relying on passwords?

These questions prompted a deeper investigation into our overall passwordless strategy and potential alternatives.

Exploring Passkeys – The Initial Hurdles

In our research, we considered using Passkeys, which are quickly gaining traction among large vendors and industries. However, Entra ID’s current implementation of Passkeys was less than ideal; it requires scanning a QR code each time a user logs in. This would be disruptive and impractical for many users, so we opted to explore other methods.

Building Our Passwordless Framework

Our first steps involved enabling specific passwordless features and conditional access policies, including Microsoft’s Authenticator App and phone-based sign-in. This setup allowed us to test the login experience in a controlled environment. However, early trials revealed unexpected login loops, which, fortunately, we could address within a test tenant before rolling out to our main environment.

Implementing Temporary Access Passwords (TAP)

To further support the passwordless shift, we experimented with Temporary Access Passwords (TAP), a feature that allows users to access their accounts for initial setup without a permanent password. TAP was effective for most applications except Windows itself, and we still needed a solution for users who might forget their PIN or need to reset their passwordless credentials on a Windows device.

To address Windows compatibility with TAP, we enabled Web Login for Windows 11, which provides an Entra ID-based login similar to other IdP solutions such as Okta. This feature allowed users to log in with their Entra credentials, making it possible to use TAP for both setup and reset.
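The TAP issuance step described above, as an added example that is not the post's own script. It uses the Microsoft Graph PowerShell SDK and assumes the caller holds a role that can manage authentication methods (for example Authentication Administrator) and that the Temporary Access Pass method is enabled in the tenant's Authentication methods policy for the target user; the UPN in the usage line is a placeholder.

```powershell
# Added example, not the post's own code. Issues a one-time Temporary Access Pass (TAP)
# so a new user can enrol Authenticator or Windows Hello without ever being told a password.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller holds a role that may
# manage authentication methods (e.g. Authentication Administrator); the TAP method is
# enabled in the tenant's Authentication methods policy for the target user's group.

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

function New-OnboardingTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $LifetimeMinutes = 60          # long enough for one enrolment session, no longer
    )

    # Refuse to issue a second pass while one already exists: a stale TAP is a live credential.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -ErrorAction SilentlyContinue
    if ($existing) {
        throw "User $UserPrincipalName already has a Temporary Access Pass; remove it before issuing another."
    }

    $body = @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true            # single use: a captured pass cannot be replayed after enrolment
    }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body

    # Graph returns the pass value exactly once. Deliver it out of band (e.g. read it to the
    # user on a verified call); do not email it or paste it into a ticket.
    [pscustomobject]@{
        User       = $UserPrincipalName
        Pass       = $tap.TemporaryAccessPass
        ValidUntil = ([datetime]$tap.StartDateTime).AddMinutes($tap.LifetimeInMinutes)
        UsableOnce = $tap.IsUsableOnce
    }
}

# Usage (placeholder UPN): New-OnboardingTap -UserPrincipalName 'new.hire@contoso.example'
```

A short lifetime and `isUsableOnce` are the two settings that keep a TAP from becoming a second, weaker password: once the user has enrolled a passwordless method the pass is spent, and if enrolment never happens it simply expires. The Web Login feature mentioned above is what lets this same pass be accepted at the Windows 11 sign-in screen rather than only in the browser.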

Managing Passwords Post-Setup

With our passwordless login process working smoothly, we still needed a way to handle the passwords created during the new user setup process. Since Entra ID doesn’t support complex password requirements for these initial passwords, we’ve been developing a custom script to reset and scramble employee passwords after setup, ensuring no default passwords remain active. This process is now a part of our standard new user onboarding and helps us maintain security.
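An added example of the post-setup scramble step, not the organization's actual script. It assumes PowerShell 7 (for the static `RandomNumberGenerator::GetInt32` method), the Microsoft Graph PowerShell SDK, and a caller with the User Administrator role; resetting the password of a user who holds a directory role requires Privileged Authentication Administrator instead. The check for a registered passwordless method is the caveat that matters most here: scrambling before the user has enrolled Authenticator, a FIDO2 key or Windows Hello for Business locks them out.

```powershell
# Added example, not the post's own code. Scrambles the password Entra ID required at account
# creation, once the user has registered a passwordless method, so no known default password
# survives onboarding. Assumptions: PowerShell 7, Microsoft.Graph PowerShell SDK, and a caller
# with User Administrator (role-holding targets need Privileged Authentication Administrator).

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Passwordless methods accepted as proof that the user will never need the password again.
$PasswordlessTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Test-HasPasswordlessMethod {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
    foreach ($m in $methods) {
        if ($PasswordlessTypes -contains $m.AdditionalProperties['@odata.type']) { return $true }
    }
    return $false
}

function New-ScrambledPassword {
    param([int] $Length = 40)
    # One character from each class guarantees Entra ID's complexity rule (3 of 4 classes);
    # ambiguous glyphs are dropped because nobody is ever meant to type this value.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $all     = -join $classes
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]   # CSPRNG, not Get-Random
    $chars   = @(foreach ($c in $classes) { $c[$rng::GetInt32(0, $c.Length)] })
    $chars  += @(1..($Length - $classes.Count) | ForEach-Object { $all[$rng::GetInt32(0, $all.Length)] })
    # Fisher-Yates shuffle so the forced per-class characters do not always sit in positions 0-3.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = $rng::GetInt32(0, $i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

function Set-ScrambledPassword {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    if (-not (Test-HasPasswordlessMethod $UserPrincipalName)) {
        throw "$UserPrincipalName has no passwordless method registered; scrambling now would lock them out."
    }

    $newPassword = New-ScrambledPassword
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $false   # the user is never meant to sign in with this value
    }
    # Invalidate any session that was established with the old, known setup password.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Remove-Variable newPassword                   # discarded: nothing logs or returns the value

    # Record the event, never the secret, for the onboarding audit trail.
    "$(Get-Date -Format o) scrambled password for $UserPrincipalName"
}

# Usage (placeholder UPN): Set-ScrambledPassword -UserPrincipalName 'new.hire@contoso.example'
```

The new value is generated from the platform CSPRNG, written to the directory once, and then dropped; the script returns only a timestamped audit line. Revoking sign-in sessions immediately afterwards closes the window in which a session obtained with the original setup password would otherwise remain valid.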

What’s Next? Exploring Alternatives

While we’ve made significant progress with Entra ID’s passwordless capabilities, the solution still feels incomplete. Microsoft’s current passwordless setup requires additional customizations and workarounds to meet our standards for usability and security. As such, we’re exploring alternatives, such as Okta, to see if they offer a more comprehensive and seamless passwordless experience.

Final Thoughts

Going passwordless is a promising yet challenging endeavor, especially within complex environments. Our journey with Entra ID has highlighted both the potential and limitations of Microsoft’s current offerings. We’re committed to refining this process to provide the best possible experience for our clients and will continue to evaluate other solutions in the market.
