TL;DR: Microsoft Entra ID is introducing Passkey Profiles to General Availability, allowing for group-based configurations and a new passkeyType property. Organizations that do not opt in will be automatically migrated starting in April 2026. This shift simplifies the use of synced passkeys and updates registration campaigns to prioritize passkeys over traditional MFA. This should be rolling out in March according to Microsoft.
Evolution of Passkey Management
The management of FIDO2 and passkeys is moving from a single, tenant-wide setting to a more flexible, group-based model known as Passkey Profiles. For Identity Architects, this means you can now tailor security postures based on user risk. You might require a physical security key (device-bound) for your global admins while allowing the convenience of synced passkeys for the general workforce.
Understanding the passkeyType Property
At the heart of this update is the passkeyType property. This allows administrators to define exactly which types of credentials are valid within a specific profile:
- Device-bound passkeys: The private key is tied to a single physical device (e.g., a YubiKey or a specific laptop with Windows Hello).
- Synced passkeys: The private key can move between devices via cloud providers like Apple, Google, or Bitwarden.
The Automatic Enablement Timeline
Microsoft has laid out a clear path for tenants. If you do not manually opt in to the new experience, the system will handle it for you:
- Early March 2026: General availability begins.
- Early April 2026: Automatic enablement starts for tenants that haven’t opted in.
- Late May 2026: Expected completion of the global migration.
During this migration, your existing Passkey (FIDO2) settings will be moved into a Default passkey profile. If you currently enforce attestation, the system will default your type to device-bound only. If attestation is disabled, both device-bound and synced types will be allowed.
Impact on Registration Campaigns
If your organization uses Microsoft-managed registration campaigns, be prepared for a shift in user prompts. For tenants where synced passkeys are allowed, the campaign will now target passkeys as the preferred method instead of the Microsoft Authenticator app.
Additionally, the ‘snooze’ settings will change to allow unlimited snoozes with a one-day reminder cadence, ensuring users are regularly nudged toward the more secure, phishing-resistant method without being permanently locked out of the setup process.
Strategic Recommendations for IT Teams
To stay ahead of these changes, we recommend the following steps:
- Audit Current FIDO2 Policies: Determine if your current attestation requirements align with how you want passkeyType to be auto-populated.
- Review Registration Campaigns: If you are not ready for a passkey-first nudge, switch your campaign from ‘Microsoft-managed’ to ‘Enabled’ with specific targets.
- Update Documentation: Ensure your help desk understands the difference between a user’s phone-based passkey and a hardware security key.
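As an added example (not Microsoft's code or tooling), the script below applies the migration rules described above to a tenant's current FIDO2 configuration and registration campaign settings, so the audit in the first recommendation can be scripted. It assumes the field names of the Microsoft Graph Fido2 authentication method configuration (isAttestationEnforced, keyRestrictions) and of the registration campaign (state, snoozeDurationInDays), and that the Graph state value "default" is what the portal shows as ‘Microsoft-managed’; the sample JSON is constructed, not taken from a real tenant.

```python
import json

# Constructed sample of the tenant-wide FIDO2 method configuration, in the shape
# assumed for GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2.
FIDO2_CONFIG = json.loads("""{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationEnabled": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {"isEnforced": true, "enforcementType": "allow",
                      "aaGuids": ["00000000-0000-0000-0000-000000000000"]}
}""")

# Constructed sample of registrationEnforcement.authenticationMethodsRegistrationCampaign
# (assumed shape); "default" is taken to mean the Microsoft-managed campaign.
CAMPAIGN = {"state": "default", "snoozeDurationInDays": 1}


def predicted_passkey_types(fido2_config: dict) -> list[str]:
    """Migration rule from the announcement: enforced attestation -> device-bound only;
    attestation disabled -> both device-bound and synced passkeys in the Default profile.
    The labels are the article's wording, not Graph enum values."""
    if fido2_config.get("isAttestationEnforced"):
        return ["device-bound"]
    return ["device-bound", "synced"]


def campaign_becomes_passkey_first(fido2_config: dict, campaign: dict) -> bool:
    """A Microsoft-managed campaign switches to nudging passkeys (instead of Authenticator)
    only where the migrated profile allows synced passkeys."""
    return campaign.get("state") == "default" and "synced" in predicted_passkey_types(fido2_config)


def migration_report(fido2_config: dict, campaign: dict) -> list[str]:
    """Return the findings an admin should review before the automatic enablement window."""
    types = predicted_passkey_types(fido2_config)
    findings = [f"Default passkey profile will allow: {', '.join(types)}"]
    if "synced" in types:
        findings.append("Synced passkeys will be allowed; scope a device-bound-only profile to admin groups if required")
    if campaign_becomes_passkey_first(fido2_config, campaign):
        findings.append("Registration campaign will become passkey-first with unlimited one-day snoozes")
    if fido2_config.get("keyRestrictions", {}).get("isEnforced"):
        findings.append("AAGUID key restrictions are enforced; verify they are preserved after migration")
    return findings


if __name__ == "__main__":
    print("\n".join(migration_report(FIDO2_CONFIG, CAMPAIGN)))
```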
FAQ
Do I need a special license for Passkey Profiles? While the registration campaign itself has no specific license requirements, advanced features like Conditional Access (often used to enforce passkey usage) require Microsoft Entra ID P1 or P2.
What happens if I don’t do anything by April 2026? Your tenant will be automatically migrated to the new schema. Your existing security posture will be preserved, but it will be moved into the new Default passkey profile structure.
Can I still block synced passkeys? Yes. By setting Enforce Attestation to ‘Yes’ or manually configuring your passkey profile to only allow ‘Device-bound’, you can prevent the use of synced passkeys.
Does this change affect the Microsoft Authenticator app? Yes, it enhances it. Users can now register passkeys within the Authenticator app on iOS and Android, which can then be used as a phishing-resistant credential.