Symptom: User can no longer choose Microsoft Authenticator (app notification / passwordless) on the Windows 'Choose a way to sign in' screen, even though phone sign-in is enabled in the Authenticator app.

 

Cause: In Entra ID > Authentication methods > Policies > Microsoft Authenticator, the Authentication mode for the targeted group is set to Push. Push only allows MFA after a password; it does not expose passwordless as a sign-in option.

 

Fix:

1. Open Entra admin center > Protection > Authentication methods > Policies.

2. Click Microsoft Authenticator.

3. On the Enable and Target tab, set Authentication mode to Any (or Passwordless).

4. Click Save.

5. Sign out and back in on the Windows machine. The Authenticator passwordless tile should reappear.