Recommended order of operations for RSA Passwordless
Originally Published: 2025-10-01
Article Number
Applies To
- Authentication Manager 8.x
- MFA Agent 2.3.x for Windows
Tasks
Below is the recommended sequence of steps that RSA Professional Services advises and applies in the field. I recommend we incorporate some flavor of this guidance into documentation so customers understand there is a best-practice order of operations for a successful deployment of RSA’s “true Passwordless” experience (beyond just Windows Password Integration - WPI):
1. PKI Configuration
   - Microsoft Entra: Create and configure PKI per RSA documentation.
   - On-Prem/Active Directory: Configure Active Directory Certificate Authority per RSA documentation.
   - Note: These paths differ significantly, so be mindful of the steps and details here.
2. Test Configuration (Optional but Ideal)
   - On a handful of dev/test machines, install the RSA MFA agent and configure agent and Passwordless settings.
   - Follow the correct configuration paths for Entra (see Chapter 5: “Enabling RSA MFA Agent on Microsoft Entra ID Joined Machines”) vs. Active Directory (see “Passwordless Prerequisites”).
   - Iterate until the agent functions as expected before moving forward.
3. Finalize & Push Configurations
   - Collect final global configuration settings from step 2.
   - Configure a complex Reserve Password for the RSA agent as a break-glass measure, hash it via the RSA utility, and vault it with limited/auditable access. Rotate periodically if checked out.
   - Commit into Entra/GPO policies depending on environment.
   - Push via Intune (Entra) or GPO (Active Directory).
   - Push policies 2–3 weeks ahead of RSA agent software rollout to account for user availability (vacation time, sick time, etc.) and endpoint coverage (must be online and able to receive respective updates).
   - Reporting/Intune checks should confirm coverage where possible.
4. Software Deployment
   - Use Intune or a preferred software management solution to deploy RSA MFA binaries.
   - Follow a phased rollout: start with technical staff, expand as confidence builds, then release broadly across the organization.
This approach has consistently proven to minimize disruptions, ensure proper sequencing, and proactively avoid “toes being stubbed.”