
Passwords are the weakest link in your security. Microsoft is now actively pushing passkeys across all 365 environments and more and more SMEs are switching. What are passkeys, how do you roll them out in Entra ID, and what does it mean for your users?
Passwords have been around since the 1960s. They have been the weakest link in security all that time. People choose them too simply, reuse them, write them down, and hand them over to phishing. Even with multi-factor authentication via SMS or a verification code, a password remains an attack surface. In 2026, the alternative is finally mature: passkeys.
Over the past year and a half, Microsoft has rolled out passkeys broadly across Microsoft 365, Entra ID, and consumer products. What started as an experiment has grown into the recommended sign-in method for business users. For SMEs, this is the moment to make the switch.
A passkey is a cryptographic key created on your device and stored securely there, for example in your laptop's TPM chip or your phone's Secure Enclave. When signing in, your device uses that key to prove that you are the rightful owner, without any password ever being transmitted. The key is unlocked locally, via your fingerprint, face recognition, or PIN.
The difference with traditional MFA is fundamental. With a verification code, a phishing site can capture that code and relay it to the real service. With a passkey this is impossible because the key is bound to the domain it was registered for and cannot be used anywhere else. A fake website trying to steal your credentials simply gets nothing.
Three developments have made passkeys mainstream over the past year. First, adoption by the major consumer platforms: Apple, Google, and Microsoft now all support them natively and synchronise them securely between devices of the same user. Second, the growth of devices with a suitable biometric sensor and TPM chip; virtually every laptop and phone from the last four years qualifies. Third, increasing pressure from regulators and cyber insurers, who actively require or reward phishing-resistant authentication.
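To make that domain binding concrete, here is an added illustration (not from the article and not Microsoft's code) of the checks a relying party performs on a passkey sign-in response, using constructed WebAuthn-style data; RP_ID, the allowed origins and the challenge are assumed values, and signature verification with the registered public key is left out.

```python
import hashlib
import json

# Constructed relying-party settings (assumed values, not from the article).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
UP_FLAG, UV_FLAG = 0x01, 0x04  # user-present / user-verified bits in authenticatorData


def make_client_data(origin: str, challenge: str) -> bytes:
    """Simulate the clientDataJSON the browser builds. The browser, not the page,
    fills in `origin`, and the authenticator signs over its hash, so a phishing
    page cannot forge or strip it."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1,
                            flags: int = UP_FLAG | UV_FLAG) -> bytes:
    """Simulate signed authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks that bind the assertion to this site and this login attempt."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & UP_FLAG or not flags & UV_FLAG:
        return False, "user presence/verification not asserted"
    return True, "ok"


if __name__ == "__main__":
    chal = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed server challenge
    genuine = make_client_data("https://login.example.com", chal)
    phish = make_client_data("https://login-example.com", chal)  # look-alike domain
    auth = make_authenticator_data(RP_ID)
    print(verify_assertion(genuine, auth, chal))  # (True, 'ok')
    print(verify_assertion(phish, auth, chal))    # (False, "origin 'https://login-example.com' not allowed")
```

In practice the browser would not even let the authenticator use the credential on the look-alike domain, because RP_ID must match the page's origin; the server-side check shown here is the second line of defence.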
Microsoft has also embedded passkeys in Conditional Access and Authenticator, giving IT administrators a uniform way to roll them out, manage them, and revoke them. That was not the case two years ago.
The roll-out process runs in four steps. First, in the Microsoft Entra portal, enable the passkey policy under Authentication methods. You can choose between device-bound passkeys, which stay on the device itself, and synchronised passkeys via a cloud keychain such as iCloud, Google Password Manager, or Microsoft Authenticator.
Second, users register their passkey. This happens once via Microsoft Authenticator or via the browser during a normal sign-in. The user is asked to confirm their biometric or PIN, and the passkey is created.
Third, configure Conditional Access to reward or enforce passkeys. A typical configuration is that sign-ins from unknown locations are only possible with a passkey, while on trusted devices other methods are also allowed. Gradually you can move to fully passwordless.
Fourth, communicate to users. The experience is fundamentally different from a password, and explanation helps to prevent resistance. In practice, users embrace passkeys quickly because signing in becomes faster and simpler.
What happens if a user loses their device? This is a frequently asked question, and the concern is understandable. With device-bound passkeys, losing the device means the key is gone, and the user has to re-register via a recovery flow. With synchronised passkeys via the cloud keychain, the key is available on all linked devices of the same user.
For business contexts, we recommend at least two registered passkeys per user, for example one on the work laptop and one on the phone. That makes the loss scenario manageable. For accounts with elevated risk, a physical FIDO2 key can serve as a third option.
Not all business applications support passkeys. For legacy systems, authentication via password and MFA remains necessary for now. The advice is to move as many frontline systems as possible to passkeys, at a minimum all Microsoft 365 access (email, SharePoint, and Teams), and to manage the legacy exceptions separately with stricter MFA.
Three actions for the next four weeks. First, define the scope: which user groups can move the fastest (for example the management team and the IT team), and for whom does it have the greatest impact (for example employees who often work from unknown locations)? Second, activate passkeys in monitoring mode and let a pilot group gain experience. Third, draft a communication and support plan for the broader roll-out in the summer.
Passwordless working is no longer a future vision; it is an operational reality you can implement this year. Want support with rolling out passkeys in your Microsoft 365 environment or drafting a passwordless policy? Contact Zarioh.