Support for Microsoft Passport (Win10) for Work added to Intune

Support for Microsoft Passport (Win10) for Work added to Intune

ms-passport-00Microsoft has added support for Microsoft Passport for Work as an alternative sign-in method for Windows 10 users.

If users of a Windows 10 device use Active Directory or Azure Active Directory to authenticate the password, smart card or virtual smart card can be replaced for Microsoft Password. As an Intune admin you are able to configure how Microsoft Passport is going to behave. Let’s have a look!

When enabling the feature under Admin > Mobile Device Management > Windows > Windows Passport.

Microsoft Passport settings

Microsoft Passport settings

The following settings can be configured for Microsoft Password for Work:

Setting Setting Description
Use a Trusted Platform Module (TPM) Preferred or Required The TMP chip provides an extra layer of data security
Require minimum PIN length 4-127 The minimum PIN length
Require maximum PIN length: 4-127 The maximum PIN length
Require lowercase letters in PIN: Allowed, not allowed, Required Configure complexity of the PIN and allow, not allow or require a PIN with lowercase letters.
Require uppercase letters in PIN: Allowed, not allowed, Required Configure complexity of the PIN and allow, not allow or require a PIN with uppercase letters.
Require special characters in PIN: Allowed, not allowed, Required Configure complexity of the PIN and allow, not allow or require a PIN with special characters.
PIN expiration (days): Numeric value (41) PIN will be expired after an X number of days
Remember PIN history: Numeric value (5) PIN will be remembered for an X number of changes.
Allow biometric authentication: No/Yes Allow biometric authentication like Windows Hellos face recognition or iris scan.
Use enhanced anti-spoofing, when available No/Yes/Not configured If not configured, users can choose to use the enhanced anti-spoofing on supported devices, or not.
Use Remote Passport: No/Yes Use Remote Passport as a portable companion device for desktop authentication. Azure AD is required.

After enabling the support for Microsoft Passport the user is forced to create a PIN as configuredby the organization like shown below.

Creation of the PIN is forced

Creation of the PIN is forced

The first step is that the account/idenity needs to be verified via MFA like an SMS, a phone call or via a challenge response app from Azure AD.

Supply a phone number to prove your identity

Supply a phone number to prove your identity

After it is all being verified a PIN can be set according to the settings configured in Microsoft Intune.

Configure the PIN according the settings in Intune

Configure the PIN according the settings in Intune

Not all tenants have already been upgraded yet, as far as I know Europe 01 and North America 01 are and the current version number of Intune can be found here.

Comments

 
Comments

Trackbacks for this post

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.

 
Read previous post:
Microsoft Intune, Android and device encryption, some tips

Mobile devices with Android are very popular but still a pain to really manage them Read more

Close