Microsoft Entra passwordless sign-in - Microsoft Entra ID | Microsoft Learn
<!DOCTYPE html><html lang="en-us" dir="ltr"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="description" content="Learn about options for passwordless sign-in to Microsoft Entra ID using FIDO2 security keys or Microsoft Authenticator." /> <link href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless" rel="canonical"><title>Microsoft Entra passwordless sign-in - Microsoft Entra ID | Microsoft Learn</title></head> <body lang="en-us" dir="ltr"> <div class="mainContainer uhf-container has-default-focus" data-bi-name="body"> <div class="columns has-large-gaps is-gapless-mobile "><section class="primary-holder column is-two-thirds-tablet is-three-quarters-desktop"> <div class="columns is-gapless-mobile has-large-gaps "><div id="main-column" class="column is-full is-8-desktop"> <main id="main" class="" role="main" data-bi-name="content" lang="en-us" dir="ltr"> <div class="content "><h1 id="passwordless-authentication-options-for-microsoft-entra-id">Passwordless authentication options for Microsoft Entra ID</h1> <ul class="metadata page-metadata" data-bi-name="page info" lang="en-us" dir="ltr"><li>Article</li><li class="visibility-hidden-visual-diff"><time class="is-invisible" data-article-date aria-label="Article review date" datetime="2024-08-06T17:12:00Z" data-article-date-source="calculated">08/06/2024</time> </li></ul> <nav id="center-doc-outline" 
class="doc-outline is-hidden-desktop display-none-print margin-bottom-sm" data-bi-name="intopic toc" aria-label="In this article"> <h2 id="ms--in-this-article" class="title is-6 margin-block-xs">In this article</h2> </nav><!-- <content> --><p>Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the extra security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have or something you are or know.</p> <table> <thead> <tr> <th>Authentication</th> <th>Something you have</th> <th>Something you are or know</th> </tr> </thead> <tbody> <tr> <td>Passwordless</td> <td>Windows 10 Device, phone, or security key</td> <td>Biometric or PIN</td> </tr> </tbody> </table> <p>Each organization has different needs when it comes to authentication. Microsoft Entra ID and Azure Government integrate the following passwordless authentication options:</p> <ul> <li>Windows Hello for Business</li> <li>Platform Credential for macOS</li> <li>Platform single sign-on (PSSO) for macOS with smart card authentication</li> <li>Microsoft Authenticator</li> <li>Passkeys (FIDO2)</li> <li>Certificate-based authentication</li> </ul> <p><img src="media/concept-authentication-passwordless/passwordless-convenience-security.png" alt="Authentication: Security versus convenience" data-linktype="relative-path"></p> <h2 id="windows-hello-for-business">Windows Hello for Business</h2> <p>Windows Hello for Business is ideal for information workers that have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner. 
With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.</p> <p><img src="media/concept-authentication-passwordless/windows-hello-sign-in.jpg" alt="Example of a user sign-in with Windows Hello for Business." data-linktype="relative-path"></p> <p>The following steps show how the sign-in process works with Microsoft Entra ID:</p> <p><img src="media/concept-authentication-passwordless/windows-hello-flow.png" alt="Diagram that outlines the steps involved for user sign-in with Windows Hello for Business" data-linktype="relative-path"></p> <ol> <li>A user signs in to Windows using a biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key and is sent to the Cloud Authentication security support provider, called the <em>Cloud Authentication Provider (CloudAP)</em>. For more information about CloudAP, see <a href="../devices/concept-primary-refresh-token" data-linktype="relative-path">What is a Primary Refresh Token?</a>.</li> <li>The CloudAP requests a nonce (a random arbitrary number that can be used once) from Microsoft Entra ID.</li> <li>Microsoft Entra ID returns a nonce that's valid for 5 minutes.</li> <li>The CloudAP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.</li> <li>Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID validates the signature, and then validates the returned signed nonce. When the nonce is validated, Microsoft Entra ID creates a primary refresh token (PRT) with a session key that is encrypted to the device's transport key, and returns it to the CloudAP.</li> <li>The CloudAP receives the encrypted PRT with the session key. 
The CloudAP uses the device's private transport key to decrypt the session key, and protects the session key by using the device's Trusted Platform Module (TPM).</li> <li>The CloudAP returns a successful authentication response to Windows. The user is then able to access Windows and cloud and on-premises applications by using seamless sign-on (SSO).</li> </ol> <p>The Windows Hello for Business <a href="/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide" data-linktype="absolute-path">planning guide</a> can be used to help you make decisions on the type of Windows Hello for Business deployment and the options you need to consider.</p> <h2 id="platform-credential-for-macos">Platform Credential for macOS</h2> <p>Platform Credential for macOS is a new capability on macOS that is enabled using the Microsoft Enterprise single sign-on Extension (SSOe). It provisions a Secure Enclave-backed, hardware-bound cryptographic key that is used for SSO across apps that use Microsoft Entra ID for authentication. The user's local account password is not affected and is required to log on to the Mac.</p> <p><img src="media/concept-authentication-passwordless/macos-platform-sso.png" alt="Screenshot showing an example of a pop up window prompting user to register their macOS account with their identity provider using Platform single sign-on." data-linktype="relative-path"></p> <p>Platform Credential for macOS allows users to go passwordless by configuring Touch ID to unlock the device, and uses phishing-resistant credentials, based on Windows Hello for Business technology. This saves customer organizations money by removing the need for security keys and advances Zero Trust objectives using integration with the Secure Enclave.</p> <p>Platform Credential for macOS can also be used as a phishing-resistant credential for use in WebAuthn challenges, including browser re-authentication scenarios. 
Authentication Policy Administrators need to enable the <strong>Passkey (FIDO2)</strong> authentication method to support Platform Credential for macOS as a phishing-resistant credential. If you use Key Restriction Policies in your FIDO policy, you need to add the AAGUID for the macOS Platform Credential to your list of allowed AAGUIDs: <code>7FD635B3-2EF9-4542-8D9D-164F2C771EFC</code>.</p> <p><img src="media/concept-authentication-passwordless/macos-platform-single-sign-on-flow.png" alt="Diagram that outlines the steps involved for user sign-in with macOS Platform SSO." data-linktype="relative-path"></p> <ol> <li>A user unlocks macOS using a fingerprint or password gesture, which unlocks the key bag to provide access to the UserSecureEnclaveKey.</li> <li>macOS requests a nonce (a random arbitrary number that can be used just once) from Microsoft Entra ID.</li> <li>Microsoft Entra ID returns a nonce that's valid for 5 minutes.</li> <li>The operating system (OS) sends a login request to Microsoft Entra ID with an embedded assertion signed with the UserSecureEnclaveKey that resides in the Secure Enclave.</li> <li>Microsoft Entra ID validates the signed assertion using the user's securely registered public key of the UserSecureEnclaveKey. Microsoft Entra ID validates the signature and nonce. Once the assertion is validated, Microsoft Entra ID creates a <a href="../devices/concept-primary-refresh-token" data-linktype="relative-path">primary refresh token (PRT)</a> encrypted with the public key of the UserDeviceEncryptionKey that is exchanged during registration and sends the response back to the OS.</li> <li>The OS decrypts and validates the response, retrieves the SSO tokens, and stores and shares them with the SSO extension for providing SSO. 
The user is able to access macOS, cloud and on-premises applications by using SSO.</li> </ol> <p>Refer to <a href="../devices/macos-psso" data-linktype="relative-path">macOS Platform SSO</a> for more information on how to configure and deploy Platform Credential for macOS.</p> <h2 id="platform-single-sign-on-for-macos-with-smartcard">Platform single sign-on for macOS with SmartCard</h2> <p>Platform single sign-on (PSSO) for macOS allows users to go passwordless using the SmartCard authentication method. The user signs in to the machine using an external smart card, or smart card-compatible hard token (such as a YubiKey). Once the device is unlocked, the smart card is used with Microsoft Entra ID to grant SSO across apps that use Microsoft Entra ID for authentication using <a href="#certificate-based-authentication" data-linktype="self-bookmark">certificate-based authentication (CBA)</a>. CBA needs to be configured and enabled for users for this feature to work. For configuring CBA, refer to <a href="how-to-certificate-based-authentication" data-linktype="relative-path">How to configure Microsoft Entra certificate-based authentication</a>.</p> <p>To enable this feature, an administrator needs to configure PSSO by using Microsoft Intune or another supported Mobile Device Management (MDM) solution.</p> <p><img src="media/concept-authentication-passwordless/macos-platform-single-sign-on-flow.png" alt="Diagram that outlines the steps involved for user sign-in with macOS Platform SSO." 
data-linktype="relative-path"></p> <ol> <li>A user unlocks macOS using the smart card PIN, which unlocks the smart card and the key bag to provide access to device registration keys present in the Secure Enclave.</li> <li>macOS requests a nonce (a random arbitrary number that can be used only once) from Microsoft Entra ID.</li> <li>Microsoft Entra ID returns a nonce that's valid for 5 minutes.</li> <li>The operating system (OS) sends a login request to Microsoft Entra ID with an embedded assertion signed with the user's Microsoft Entra certificate from the smart card.</li> <li>Microsoft Entra ID validates the signed assertion, signature and nonce. Once the assertion is validated, Microsoft Entra ID creates a <a href="../devices/concept-primary-refresh-token" data-linktype="relative-path">primary refresh token (PRT)</a> encrypted with the public key of the UserDeviceEncryptionKey that is exchanged during registration and sends the response back to the OS.</li> <li>The OS decrypts and validates the response, retrieves the SSO tokens, and stores and shares them with the SSO extension for providing SSO. The user is able to access macOS, cloud and on-premises applications by using SSO.</li> </ol> <h2 id="microsoft-authenticator">Microsoft Authenticator</h2> <p>You can also allow your employee's phone to become a passwordless authentication method. You might already be using the Authenticator app as a convenient multifactor authentication option in addition to a password. You can also use the Authenticator App as a passwordless option.</p> <p><img src="media/concept-authentication-passwordless/concept-web-sign-in-microsoft-authenticator-app.png" alt="Sign in to Microsoft Edge with the Microsoft Authenticator" data-linktype="relative-path"></p> <p>The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. 
Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone. Then they can use their biometric (touch or face) or PIN to confirm. For installation details, see <a href="https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a" data-linktype="external">Download and install the Microsoft Authenticator</a>.</p> <p>Passwordless authentication using Microsoft Authenticator follows the same basic pattern as Windows Hello for Business. It's a little more complicated as the user needs to be identified so that Microsoft Entra ID can find the Authenticator app version being used:</p> <p><img src="media/concept-authentication-passwordless/authenticator-app-flow.png" alt="Diagram that outlines the steps involved for user sign-in with the Microsoft Authenticator App" data-linktype="relative-path"></p> <ol> <li>The user enters their username.</li> <li>Microsoft Entra ID detects that the user has a strong credential and starts the Strong Credential flow.</li> <li>A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices.</li> <li>The user receives the push notification and opens the app.</li> <li>The app calls Microsoft Entra ID and receives a proof-of-presence challenge and nonce.</li> <li>The user completes the challenge by entering their biometric or PIN to unlock the private key.</li> <li>The nonce is signed with the private key and sent back to Microsoft Entra ID.</li> <li>Microsoft Entra ID performs public/private key validation and returns a token.</li> </ol> <p>To get started with passwordless sign-in, complete the following how-to:</p> <div class="nextstepaction"> <p><a href="howto-authentication-passwordless-phone" data-linktype="relative-path">Enable passwordless sign-in using the Authenticator app</a></p> </div> 
<h2 id="passkeys-fido2">Passkeys (FIDO2)</h2> <p>Users can register a passkey (FIDO2) and choose it as their primary sign-in method. With a hardware device that handles the authentication, the security of an account is increased as there's no password that can be exposed or guessed. Currently in preview, an Authentication Administrator can also <a href="https://aka.ms/passkeyprovision" data-linktype="external">provision a FIDO2 security key</a> on behalf of a user by using Microsoft Graph API and a custom client. Provisioning on behalf of users is currently limited to security keys.</p> <p>The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard. FIDO allows organizations to apply the WebAuthn standard by using an external security key, or a platform key built into a device, to sign in without a username or password.</p> <p>FIDO2 security keys are a phishing-resistant, standards-based passwordless authentication method that can come in any form factor. They're commonly USB devices, but they can also use Bluetooth or near-field communication (NFC). Passkeys (FIDO2) are based on the same WebAuthn standard and can be saved in Authenticator, or on mobile devices, tablets, or computers.</p> <p>Users can use FIDO2 security keys to sign in to their Microsoft Entra joined or Microsoft Entra hybrid joined Windows 10 devices and get single sign-on to their cloud and on-premises resources. Users can also sign in to supported browsers. 
FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.</p> <p>For more information about passkey (FIDO2) support, see <a href="fido2-compatibility" data-linktype="relative-path">Support for passkey (FIDO2) authentication with Microsoft Entra ID</a>. For developer best practices, see <a href="../../identity-platform/support-fido2-authentication" data-linktype="relative-path">Support FIDO2 auth in the applications they develop</a>.</p> <p><img src="media/concept-authentication-passwordless/concept-web-sign-in-security-key.png" alt="Sign in to Microsoft Edge with a security key" data-linktype="relative-path"></p> <p>The following process is used when a user signs in with a FIDO2 security key:</p> <p><img src="media/concept-authentication-passwordless/fido2-security-key-flow.png" alt="Diagram that outlines the steps involved for user sign-in with a FIDO2 security key" data-linktype="relative-path"></p> <ol> <li>The user plugs the FIDO2 security key into their computer.</li> <li>Windows detects the FIDO2 security key.</li> <li>Windows sends an authentication request.</li> <li>Microsoft Entra ID sends back a nonce.</li> <li>The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.</li> <li>The FIDO2 security key signs the nonce with the private key.</li> <li>The primary refresh token (PRT) request with the signed nonce is sent to Microsoft Entra ID.</li> <li>Microsoft Entra ID verifies the signed nonce using the FIDO2 public key.</li> <li>Microsoft Entra ID returns the PRT to enable access to on-premises resources.</li> </ol> <p>For a list of FIDO2 security key providers, see <a href="concept-fido2-hardware-vendor" data-linktype="relative-path">Become a Microsoft-compatible FIDO2 security key vendor</a>.</p> <p>To get started with FIDO2 security keys, complete the following how-to:</p> <div 
class="nextstepaction"> <p><a href="howto-authentication-passwordless-security-key" data-linktype="relative-path">Enable passwordless sign-in using FIDO2 security keys</a></p> </div> <h2 id="certificate-based-authentication">Certificate-based authentication</h2> <p>Microsoft Entra certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in. CBA enables customers to adopt phishing-resistant authentication and sign in with an X.509 certificate against their Public Key Infrastructure (PKI).</p> <p><img src="media/concept-certificate-based-authentication/cloud-native-cert.png" alt="Diagram of Microsoft Entra certificate-based authentication." data-linktype="relative-path"> </p> <h3 id="key-benefits-of-using-microsoft-entra-cba">Key benefits of using Microsoft Entra CBA</h3> <table> <thead> <tr> <th>Benefits</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Great user experience</td> <td>- Users who need certificate-based authentication can now directly authenticate against Microsoft Entra ID and not have to invest in federation.<br>- Portal UI enables users to easily configure how to map certificate fields to a user object attribute to look up the user in the tenant (<a href="concept-certificate-based-authentication-technical-deep-dive#understanding-the-username-binding-policy" data-linktype="relative-path">certificate username bindings</a>)<br>- Portal UI to <a href="concept-certificate-based-authentication-technical-deep-dive#understanding-the-authentication-binding-policy" data-linktype="relative-path">configure authentication policies</a> to help determine which certificates are single-factor versus multifactor.</td> </tr> <tr> <td>Easy to deploy and administer</td> <td>- Microsoft Entra CBA is a free feature, and you don't need any paid editions of Microsoft Entra ID to use it. 
<br>- No need for complex on-premises deployments or network configuration.<br>- Directly authenticate against Microsoft Entra ID.</td> </tr> <tr> <td>Secure</td> <td>- On-premises passwords don't need to be stored in the cloud in any form.<br>- Protects your user accounts by working seamlessly with Microsoft Entra Conditional Access policies, including Phishing-Resistant <a href="concept-mfa-howitworks" data-linktype="relative-path">multifactor authentication</a> (MFA requires <a href="concept-mfa-licensing" data-linktype="relative-path">licensed edition</a>) and blocking legacy authentication.<br>- Strong authentication support where users can define authentication policies through the certificate fields, such as issuer or policy OID (object identifier), to determine which certificates qualify as single-factor versus multifactor.<br>- The feature works seamlessly with <a href="../conditional-access/overview" data-linktype="relative-path">Conditional Access features</a> and authentication strength capability to enforce MFA to help secure your users.</td> </tr> </tbody> </table> <h3 id="supported-scenarios">Supported scenarios</h3> <p>The following scenarios are supported:</p> <ul> <li>User sign-ins to web browser-based applications on all platforms.</li> <li>User sign-ins to Office mobile apps on iOS/Android platforms and Office native apps in Windows, including Outlook, OneDrive, and so on.</li> <li>User sign-ins on mobile native browsers.</li> <li>Support for granular authentication rules for multifactor authentication by using the certificate issuer <strong>Subject</strong> and <strong>policy OIDs</strong>.</li> <li>Configuring certificate-to-user account bindings by using any of the certificate fields: <ul> <li>Subject Alternative Name (SAN) PrincipalName and SAN RFC822Name</li> <li>Subject Key Identifier (SKI) and SHA1PublicKey</li> </ul> </li> <li>Configuring certificate-to-user account bindings by using any of the user object attributes: <ul> <li>User 
Principal Name</li> <li>onPremisesUserPrincipalName</li> <li>CertificateUserIds</li> </ul> </li> </ul> <h2 id="supported-scenarios-1">Supported scenarios</h2> <p>The following considerations apply:</p> <ul> <li>Administrators can enable passwordless authentication methods for their tenant.</li> <li>Administrators can target all users or select users/Security groups within their tenant for each method.</li> <li>Users can register and manage these passwordless authentication methods in their account portal.</li> <li>Users can sign in with these passwordless authentication methods: <ul> <li>Authenticator app: Works in scenarios where Microsoft Entra authentication is used, including across all browsers, during Windows 10 setup, and with integrated mobile apps on any operating system.</li> <li>Security keys: Work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge (both legacy and new Edge).</li> </ul> </li> <li>Users can use passwordless credentials to access resources in tenants where they're a guest, but they could still be required to perform MFA in that resource tenant. For more information, see <a href="../../external-id/current-limitations#possible-double-multi-factor-authentication" data-linktype="relative-path">Possible double multifactor authentication</a>.</li> <li>Users can't register passwordless credentials within a tenant where they're a guest, the same way that they don't have a password managed in that tenant.</li> </ul> <h2 id="unsupported-scenarios">Unsupported scenarios</h2> <p>We recommend no more than 20 sets of keys for each passwordless method for any user account. As more keys are added, the user object size increases, and you could notice degradation for some operations. In that case, you should remove unnecessary keys. 
For more information and the PowerShell cmdlets to query and remove keys, see <a href="https://support.microsoft.com/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb" data-linktype="external">Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys</a>. Use the <strong>/UserPrincipalName</strong> optional parameter to query only keys for a specific user. The permissions required are to run as an administrator or the specified user.</p> <p>When you use PowerShell to create a CSV file with all of the existing keys, carefully identify the keys that you need to keep, and remove those rows from the CSV. Then use the modified CSV with PowerShell to delete the remaining keys to bring the account key count under the limit.</p> <p>It's safe to delete any key reported as "Orphaned"="True" in the CSV. An orphaned key is one for a device that is no longer registered in Microsoft Entra ID. If removing all orphaned keys still doesn't bring the user account below the limit, it's necessary to look at the <em>DeviceId</em> and <em>CreationTime</em> columns to identify which keys to target for deletion. Be careful to remove any row in the CSV for keys you want to keep, because every key still listed in the CSV is deleted. 
Keys for any DeviceID corresponding to devices the user actively uses should be removed from the CSV before the deletion step.</p> <h2 id="choose-a-passwordless-method">Choose a passwordless method</h2> <p>The choice between these three passwordless options depends on your company's security, platform, and app requirements.</p> <p>Here are some factors for you to consider when choosing Microsoft passwordless technology:</p> <table> <thead> <tr> <th style="text-align: left;"></th> <th style="text-align: left;"><strong>Windows Hello for Business</strong></th> <th style="text-align: left;"><strong>Passwordless sign-in with the Authenticator app</strong></th> <th style="text-align: left;"><strong>FIDO2 security keys</strong></th> </tr> </thead> <tbody> <tr> <td style="text-align: left;"><strong>Pre-requisite</strong></td> <td style="text-align: left;">Windows 10, version 1809 or later<br>Microsoft Entra ID</td> <td style="text-align: left;">Authenticator app<br>Phone (iOS and Android devices)</td> <td style="text-align: left;">Windows 10, version 1903 or later<br>Microsoft Entra ID</td> </tr> <tr> <td style="text-align: left;"><strong>Mode</strong></td> <td style="text-align: left;">Platform</td> <td style="text-align: left;">Software</td> <td style="text-align: left;">Hardware</td> </tr> <tr> <td style="text-align: left;"><strong>Systems and devices</strong></td> <td style="text-align: left;">PC with a built-in Trusted Platform Module (TPM)<br>PIN and biometrics recognition</td> <td style="text-align: left;">PIN and biometrics recognition on phone</td> <td style="text-align: left;">FIDO2 security devices that are Microsoft compatible</td> </tr> <tr> <td style="text-align: left;"><strong>User experience</strong></td> <td style="text-align: left;">Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.<br>Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or 
biometric factor to access corporate resources.</td> <td style="text-align: left;">Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN.<br>Users sign in to work or personal account from their PC or mobile phone.</td> <td style="text-align: left;">Sign in using FIDO2 security device (biometrics, PIN, and NFC)<br>User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.</td> </tr> <tr> <td style="text-align: left;"><strong>Enabled scenarios</strong></td> <td style="text-align: left;">Password-less experience with Windows device.<br>Applicable for dedicated work PC with ability for single sign-on to device and applications.</td> <td style="text-align: left;">Password-less anywhere solution using mobile phone.<br>Applicable for accessing work or personal applications on the web from any device.</td> <td style="text-align: left;">Password-less experience for workers using biometrics, PIN, and NFC.<br>Applicable for shared PCs and where a mobile phone isn't a viable option (such as for help desk personnel, public kiosk, or hospital team)</td> </tr> </tbody> </table> <p>Use the following table to choose which method supports your requirements and users.</p> <table> <thead> <tr> <th style="text-align: left;">Persona</th> <th style="text-align: left;">Scenario</th> <th style="text-align: left;">Environment</th> <th style="text-align: left;">Passwordless technology</th> </tr> </thead> <tbody> <tr> <td style="text-align: left;"><strong>Admin</strong></td> <td style="text-align: left;">Secure access to a device for management tasks</td> <td style="text-align: left;">Assigned Windows 10 device</td> <td style="text-align: left;">Windows Hello for Business and/or FIDO2 security key</td> </tr> <tr> <td style="text-align: left;"><strong>Admin</strong></td> <td style="text-align: left;">Management tasks on non-Windows 
devices</td> <td style="text-align: left;">Mobile or non Windows device</td> <td style="text-align: left;">Passwordless sign-in with the Authenticator app</td> </tr> <tr> <td style="text-align: left;"><strong>Information worker</strong></td> <td style="text-align: left;">Productivity work</td> <td style="text-align: left;">Assigned Windows 10 device</td> <td style="text-align: left;">Windows Hello for Business and/or FIDO2 security key</td> </tr> <tr> <td style="text-align: left;"><strong>Information worker</strong></td> <td style="text-align: left;">Productivity work</td> <td style="text-align: left;">Mobile or non Windows device</td> <td style="text-align: left;">Passwordless sign-in with the Authenticator app</td> </tr> <tr> <td style="text-align: left;"><strong>Frontline worker</strong></td> <td style="text-align: left;">Kiosks in a factory, plant, retail, or data entry</td> <td style="text-align: left;">Shared Windows 10 devices</td> <td style="text-align: left;">FIDO2 Security keys</td> </tr> </tbody> </table> <h2 id="next-steps">Next steps</h2> <p>To get started with passwordless in Microsoft Entra ID, complete one of the following how-tos:</p> <ul> <li><a href="howto-authentication-passwordless-security-key" data-linktype="relative-path">Enable FIDO2 security key passwordless sign-in</a></li> <li><a href="howto-authentication-passwordless-phone" data-linktype="relative-path">Enable phone-based passwordless sign-in with the Authenticator app</a></li> </ul> <h3 id="external-links">External Links</h3> <ul> <li><a href="https://fidoalliance.org/" data-linktype="external">FIDO Alliance</a></li> <li><a href="https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html" data-linktype="external">FIDO2 Client to Authenticator Protocol (CTAP) specification</a></li> </ul> </div> </main> </body> </html>