
Passwords on the way out: Microsoft makes passkeys the default for all tenants

By Zarioh Digital Solutions · 13 April 2026

In March 2026, Microsoft automatically enabled passkeys for millions of Microsoft Entra tenants worldwide. What two years ago appeared to be a niche technology is now the new standard for authentication. Passkeys are faster, more secure and phishing-resistant. But what does this transition mean in practice for your organisation and your employees?

March 2026 is being described by security experts as the inflection point long predicted: the moment when passwordless authentication shifts from an emerging technology to the new standard. Microsoft has automatically enabled passkeys for millions of Microsoft Entra tenants, meaning virtually every organisation using Microsoft 365 is now technically capable of logging in without a password.

The numbers support the shift. Research shows that 87 percent of surveyed organisations are already deploying or actively rolling out passkeys. And with good reason: passkeys are fourteen times faster than the combination of a password with traditional MFA, and users successfully log in 95 percent of the time, compared to 30 percent with legacy authentication methods.

What exactly are passkeys?

A passkey is a cryptographic key stored on your device or in an authenticator app. When logging in, your identity is confirmed via biometrics, a PIN or your presence on the device, without a password ever being sent over the network. That makes passkeys inherently phishing-resistant: there is nothing to steal, no password to intercept and no MFA code to obtain through social engineering.

Microsoft Entra supports two variants. Device-bound passkeys are cryptographically anchored to the specific device and cannot be exported or synchronised. They offer the highest level of security. Synced passkeys can be shared across multiple devices via a platform like iCloud Keychain or a password manager, which is more practical for users working with multiple devices.

What changes for users?

For end users, the change is in most cases positive. Logging in is faster (on average three seconds instead of 69 seconds with password plus MFA code) and nothing needs to be remembered. On a Windows device with Windows Hello, logging into Microsoft 365 is a matter of facial recognition or a fingerprint. The same applies on a mobile device.

Administrators: what changes for you?

From April 2026, administrators can use the Microsoft Entra admin centre to force registration of a passkey instead of the Authenticator app. This gives IT departments the ability to proactively migrate all accounts to phishing-resistant authentication without waiting for users to initiate this themselves.

It is also important to update your Conditional Access policies. Organisations wanting to enforce phishing-resistant MFA as a condition for access to sensitive applications can set specific Conditional Access rules that only accept passkeys or FIDO2 keys and refuse password-based authentication, even when combined with SMS codes.

The phase-out of SMS authentication

In line with the rise of passkeys, the phase-out of SMS-based MFA is also accelerating. Microsoft has indicated that SMS authentication will no longer be considered compliant for organisations with higher security requirements. SMS codes are vulnerable to SIM-swapping and real-time phishing attacks. For organisations still using SMS MFA, the switch to passkeys or the Microsoft Authenticator app is an urgent priority.

What can you do now?

A practical first step is mapping which authentication methods your employees currently use. You can then draw up a migration plan: who still uses a password without MFA, who uses SMS codes and who has already moved to the Authenticator app? Based on that, prioritise the groups that need to migrate to passkeys first.
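
The mapping step above can be scripted once you have an export of registered authentication methods per user. The following is an added example, not code from Zarioh or Microsoft: the CSV columns, the method labels (`sms`, `authenticatorApp`, `passkey`, `fido2`) and the sample rows are assumptions constructed for illustration, so rename them to match your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Column names and method labels are
# assumptions; rename them to match whatever your tenant's report produces.
SAMPLE_EXPORT = """userPrincipalName,methodsRegistered
alice@example.com,
bob@example.com,sms
carol@example.com,sms;authenticatorApp
dave@example.com,authenticatorApp
erin@example.com,authenticatorApp;passkey
frank@example.com,fido2;sms
"""

PHISHING_RESISTANT = {"passkey", "fido2"}
# Migration tiers from the article, most urgent first.
TIERS = ["password-only", "sms", "authenticator-app", "phishing-resistant"]


def classify(methods):
    """Return the migration tier for one user's set of registered methods."""
    if methods & PHISHING_RESISTANT:
        return "phishing-resistant"
    if "authenticatorApp" in methods:
        return "authenticator-app"
    if "sms" in methods:
        return "sms"
    return "password-only"  # no MFA method registered at all


def migration_plan(export_text):
    """Group users by tier and list those who still have SMS registered."""
    plan = defaultdict(list)
    sms_leftover = []
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = {m.strip() for m in row["methodsRegistered"].split(";") if m.strip()}
        tier = classify(methods)
        plan[tier].append(row["userPrincipalName"])
        if tier == "phishing-resistant" and "sms" in methods:
            sms_leftover.append(row["userPrincipalName"])
    ordered = [(tier, plan[tier]) for tier in TIERS if plan[tier]]
    return ordered, sms_leftover


if __name__ == "__main__":
    ordered, sms_leftover = migration_plan(SAMPLE_EXPORT)
    for tier, users in ordered:
        print(f"{tier}: {', '.join(users)}")
    print("passkey registered but SMS still present:", ", ".join(sms_leftover))
```

Users are placed in the tier of their strongest registered method, and the second list shows accounts that already have a passkey but still carry an SMS registration that can be cleaned up as SMS is phased out.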

Zarioh helps organisations with the configuration of Microsoft Entra, setting up Conditional Access policies and guiding employees through the transition to passwordless working. Want to know how your current authentication setup scores and what the next steps are? Get in touch.
