
From April 2026, Microsoft will automatically enable passkey profiles for Entra ID tenants that have not yet done so manually. Organisations that do not review their FIDO2 policy in time may be caught off guard. What exactly is changing and what do you need to do now?
Microsoft has announced that passkey profiles in Microsoft Entra ID will be automatically enabled from early April 2026 for all tenants that have not yet done so themselves. The full automatic migration runs through to the end of May 2026. This may sound like a background change, but for organisations with specific authentication policies it can have direct consequences for end users.
A passkey is a passwordless authentication method based on the FIDO2/WebAuthn standard. Instead of a password, a passkey uses a cryptographic key pair: the private key stays on the device or in a password manager, while the public key is stored with the identity provider. Authentication is performed via biometrics (fingerprint, face recognition) or a device PIN.
Entra ID supports two types of passkeys. Device-bound passkeys are tied to a single specific device, similar to a security key like a YubiKey. Synced passkeys are synchronised via a password manager such as Apple Keychain, Google Password Manager or 1Password, making them available across multiple devices.
Microsoft is introducing a new passkeyType property that lets administrators configure per user group which type of passkey is permitted: device-bound only, synced only, or both. Existing FIDO2 authentication configurations will be automatically migrated to a default passkey profile based on the current settings.
The migration works as follows. If 'enforce attestation' is currently enabled in your FIDO2 policy, users will be restricted to device-bound passkeys. If attestation is not enforced, users will be allowed to register both device-bound and synced passkeys. Organisations wishing to block synced passkeys for compliance reasons must explicitly update their policy before April.
Users who have not yet registered a passkey will see registration prompts more frequently. Microsoft has simplified the registration campaign: the old 'limited snoozes' and 'snooze days' settings have been replaced with unlimited snoozing with a daily reminder frequency. End users can keep deferring registration, but the prompts will continue to appear until they set up a passkey.
For organisations in regulated sectors (finance, healthcare, government), it is important to assess whether synced passkeys align with their security policy and compliance requirements. Synced passkeys are more user-friendly, but the fact that the private key is synchronised via an external service (Apple, Google) may conflict with strict data sovereignty requirements.
Log in to the Microsoft Entra admin centre and navigate to Security > Authentication methods > Policies > FIDO2 security keys. Check the attestation setting there and decide whether you want to allow device-bound passkeys only, synced passkeys only, or both. Then configure a passkey profile aligned with your security policy before Microsoft's automatic migration does it for you.
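The same review, done from PowerShell rather than the admin centre, as an added example that is not part of the article and not Microsoft's own tooling: it reads the tenant's current FIDO2 configuration through the Microsoft Graph PowerShell SDK and reports what the migration rule described above (enforced attestation means device-bound only, otherwise both) would produce for that tenant. It assumes the Microsoft.Graph.Authentication module is installed, an account with the Policy.Read.All permission, and a constructed sample response for the offline run.

```powershell
# Added example (not from the article or Microsoft). Assumes Microsoft.Graph.Authentication
# is installed and the signed-in account holds Policy.Read.All.

function Get-ExpectedPasskeyProfile {
    # $Fido2Config is the hashtable returned by
    # GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
    param([Parameter(Mandatory)][hashtable]$Fido2Config)

    $attestation = [bool]$Fido2Config.isAttestationEnforced
    # Migration rule from the article: enforced attestation -> device-bound only,
    # attestation not enforced -> device-bound and synced passkeys both allowed.
    $expected = if ($attestation) { 'deviceBound only' } else { 'deviceBound and synced' }

    [pscustomobject]@{
        Fido2Enabled              = ($Fido2Config.state -eq 'enabled')
        SelfServiceRegistration   = [bool]$Fido2Config.isSelfServiceRegistrationEnabled
        AttestationEnforced       = $attestation
        KeyRestrictionsEnforced   = [bool]$Fido2Config.keyRestrictions.isEnforced
        TargetedGroups            = (@($Fido2Config.includeTargets | ForEach-Object { $_.id }) -join ', ')
        ExpectedAfterMigration    = $expected
        # If you intend to block synced passkeys, this flag tells you the current
        # policy will NOT do that on its own after the automatic migration.
        ActionNeededToBlockSynced = (-not $attestation)
    }
}

function Get-TenantFido2Config {
    # Live read of the tenant policy (requires network and consent to Policy.Read.All).
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
    Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'
}

# Constructed sample mirroring the Graph response shape, so the check runs offline.
$sample = @{
    id = 'Fido2'; state = 'enabled'
    isAttestationEnforced = $false; isSelfServiceRegistrationEnabled = $true
    keyRestrictions = @{ isEnforced = $false; enforcementType = 'block'; aaGuids = @() }
    includeTargets  = @(@{ id = 'all_users'; targetType = 'group'; isRegistrationRequired = $false })
}
Get-ExpectedPasskeyProfile -Fido2Config $sample | Format-List

# Against the real tenant:
# Get-ExpectedPasskeyProfile -Fido2Config (Get-TenantFido2Config) | Format-List
```

With the sample above, ActionNeededToBlockSynced comes out true, which is exactly the case the article warns about: attestation is off, so the migration will permit synced passkeys unless the policy is changed first.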
Zarioh Digital Solutions helps organisations assess and configure their Entra ID authentication policy, including the transition to passwordless authentication. Get in touch for a quick policy review.