
From April 2026, Microsoft Entra ID will automatically enable passkey profiles for all tenants, a major step towards passwordless sign-in. What does this mean for your organisation, and what should you prepare right now?
Microsoft is making one of the most significant changes to enterprise authentication in years. From April 2026, Microsoft Entra ID will automatically enable passkey profiles for all tenants that have not already done so. Organisations that do not act proactively will have settings applied automatically.
A passkey replaces the password entirely. When a passkey is created, two cryptographic keys are generated: a public key stored with Microsoft, and a private key that never leaves the user's device. At sign-in, the device proves it holds the corresponding private key, without the key itself ever being transmitted.
For the user, the experience is simple: sign in with facial recognition, fingerprint or a PIN on their trusted device. No password to remember, no MFA code to copy. And critically, passkeys cannot be intercepted through phishing: the private key never leaves the device, and the credential is bound to the legitimate sign-in domain, so a look-alike site cannot obtain a usable response.
Microsoft distinguishes between two types of passkeys. Synced passkeys are stored in the passkey provider's cloud — such as Apple's iCloud Keychain or Google Password Manager — and are automatically available across all of the user's devices. This is ideal for employees who work across multiple devices.
Device-bound passkeys remain on a single specific device and cannot be synchronised. This type offers maximum security and is the default for tenants already enforcing attestation, such as organisations in financial services or government.
One of the most practical new features is support for group-based passkey profiles. Admins can now set passkey policy per user group rather than at the tenant level. This enables phased rollout strategies: start with the IT department, extend to management, then roll out to all employees.
First: opt in early. By proactively enabling passkey profiles now, you retain control over the configuration and avoid surprises in April. In the Entra admin centre, go to Security > Authentication methods > Passkey (FIDO2) and enable the profile.
Second: review existing FIDO2 settings. Existing FIDO2 configurations will be automatically migrated into a default passkey profile. Tenants enforcing attestation will default to device-bound passkeys. Verify that this aligns with your security requirements.
Third: communicate with employees. The transition to passkeys is straightforward for end users but does require a one-time registration. Plan a registration campaign with clear instructions for iOS, Android and Windows Hello.
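Before opting in, it is worth checking exactly what the migration will inherit from your tenant. The script below is an added example (not from the original article or from Microsoft) that reads the current FIDO2 authentication method configuration through Microsoft Graph and reports the settings that steps one and two depend on: whether attestation is enforced (which decides the device-bound default), any AAGUID key restrictions, and which groups are currently in scope for a phased rollout. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.Read.All and Group.Read.All permissions.

```powershell
# Added example (not from the original article): audit the FIDO2 settings that
# the default passkey profile will be migrated from.
# Assumes the Microsoft.Graph PowerShell SDK and an account with
# Policy.Read.All and Group.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"
$fido2 = Invoke-MgGraphRequest -Method GET -Uri $uri

"FIDO2 method state        : $($fido2.state)"
"Self-service registration : $($fido2.isSelfServiceRegistrationEnabled)"
"Attestation enforced      : $($fido2.isAttestationEnforced)"

# Tenants enforcing attestation will default to device-bound passkeys;
# other tenants should decide explicitly before the April 2026 change.
if ($fido2.isAttestationEnforced) {
    "=> Expect the migrated profile to default to device-bound passkeys."
} else {
    "=> Attestation is not enforced; synced passkeys will be allowed unless you restrict them."
}

# Key restrictions: an allow or block list of authenticator AAGUIDs.
$kr = $fido2.keyRestrictions
if ($kr -and $kr.isEnforced) {
    "Key restrictions          : $($kr.enforcementType) list with $($kr.aaGuids.Count) AAGUID(s)"
} else {
    "Key restrictions          : none"
}

# Groups currently in scope: the starting point for a group-based rollout.
foreach ($target in $fido2.includeTargets) {
    if ($target.id -eq "all_users") {
        "Target                    : all users (registration required: $($target.isRegistrationRequired))"
    } else {
        $group = Get-MgGroup -GroupId $target.id -ErrorAction SilentlyContinue
        $name  = if ($group) { $group.DisplayName } else { "<group not found>" }
        "Target                    : $name ($($target.id)); registration required: $($target.isRegistrationRequired)"
    }
}
```

Run it once before enabling the passkey profile and again afterwards to confirm the migrated profile matches what you intended.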
Passkeys are phishing-resistant and are recognised by Microsoft Entra as a strong authentication method. This has a direct effect on Conditional Access policies: signing in with a passkey automatically satisfies requirements for phishing-resistant MFA, eliminating additional prompts. This significantly improves the user experience while maintaining a strong security posture.
Need help configuring passkeys or rolling out a passwordless policy for your organisation? Contact Zarioh Digital Solutions.