Number matching with Microsoft Authenticator App in Azure MFA

Number matching and passwordless phone sign-in. I was used to it for a couple of months already because this feature was previously launched for personal Microsoft accounts like Outlook or Hotmail. It’s now available (preview) in Azure AD to use with your work or school account.

When this feature is enabled, users are asked to match the number in the sign-in screen with the number in the Authenticator app. After that, the user needs to authenticate through PIN or biometric like fingerprint or face-ID to complete the authentication flow.


Your tenant must be enabled for MFA with push notifications through the Microsoft Authenticator app in order to use this method. Also, make sure the combined registration portal is enabled.

To enable the passwordless feature with number matching, access the MFA additional settings portal (the very ugly one) and check if the Authenticator app push notification is checked.

Phone sign-in

To use this passwordless feature, your phone needs to be Azure AD registered (not MDM). If the user is eligible for passwordless sign-in, the feature can be enabled in the Authenticator app.

Make sure that the user has configured the default sign-in method to Microsoft Authenticator – notification. This can be done via

Enable passwordless sign-in

To enable the authentication method for passwordless phone sign-in, complete the following steps:

  1. Sign in to the Azure portal with a global administrator account.
  2. Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
  3. Under Microsoft Authenticator (preview), choose the following options:
    1. Enable – Yes or No
    2. Target – All users or Select users
  4. Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes (“Any” mode). To change this, for each row:
    1. Browse to  > Configure.
    2. For Authentication mode – Any, Passwordless, or Push
  5. To apply the new policy, select Save.

Experience – first time

The first time a user starts the phone sign-in process, the user performs the following steps:

1. Enters the username on the sign-in page.
2. Selects Next.
3. If necessary, select “Other ways to sign in“, or “use an app instead
4. Selects Approve a request on my Microsoft Authenticator app.
5. The user is then presented with a number. The app prompts the user to authenticate by selecting the appropriate number, instead of by entering a password.

Experience after the first time

When the user has signed-in using the new passwordless method, the next time this method is used automatically. The user can then switch to a password if needed. Check out this short video to see what the experience is like:

Read more

Get started with this new feature today! You can enable this for just a couple of users, or for your entire organization. Your users will love it! The full documentation can be found here:

Passwordless sign-in with the Microsoft Authenticator app – Azure Active Directory | Microsoft Docs

Stay safe!

Jan Bakker
I am a cloud consultant based in the Netherlands. I spend my days helping organizations make the most out of their Microsoft (cloud) products. With over 10 years of experience, I can quickly oversee problems and come up with solid solutions. I am experienced in Microsoft 365, so Windows 10, Enterprise Mobility & Security and Office 365. Basically everything up and around the Modern Workplace.

Related Articles

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay Connected


Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Latest Articles