Microsoft Message ID: MC1221452 – 2026-01-23 | Microsoft Entra ID: Auto-enabling passkey profiles

Microsoft 365 Update

💡 Our Technical Review in summary

Summary

Microsoft Entra ID is moving passkey management to a new schema called **passkey profiles**, which reaches General Availability (GA) in March 2026. The new schema supports group-based passkey configurations and adds a `passkeyType` property that lets administrators allow **device-bound passkeys** (credentials that never leave the authenticator that created them, such as FIDO2 security keys like YubiKeys), **synced passkeys** (credentials replicated through a passkey provider such as Apple iCloud Keychain or Google Password Manager), or both. Tenants that do not opt in to passkey profiles will have their existing Passkey (FIDO2) configuration migrated automatically, starting in April 2026 for commercial tenants and June 2026 for GCC, GCC High, and DoD tenants.

Impact

  • Automatic Migration: If no action is taken by the enforcement date, existing Passkey (FIDO2) authentication method configurations will be moved into a new “Default passkey profile.”
  • Passkey Type Logic: The new `passkeyType` property is auto-populated from the current “Enforce attestation” setting alone: if attestation is enforced, only device-bound passkeys are allowed; if it is not, both device-bound and synced passkeys are allowed. Existing key restrictions (AAGUID allow/block lists) and existing user targets carry over to the Default passkey profile unchanged, but they do not influence the `passkeyType` mapping.
  • Registration Campaigns: For tenants using “Microsoft-managed” registration campaigns where synced passkeys are enabled, the system will stop prompting for Microsoft Authenticator and start prompting users to register passkeys instead.
  • User Experience: Registration campaign snooze settings will change for Microsoft-managed tenants to allow unlimited snoozes with a daily reminder cadence.
  • Administrative Flexibility: Once migrated, admins can target specific passkey configurations to specific groups of users rather than applying a single policy tenant-wide.

Action Required

  • Review Security Policy: Determine your organization’s stance on synced passkeys. Because the migration allows synced passkeys whenever “Enforce attestation” is currently off, a tenant that relies on key restrictions alone will end up permitting synced passkeys. If your security requirements mandate hardware-backed keys, either enable attestation before your enablement window or opt in and set the Default passkey profile’s `passkeyType` to device-bound.
  • Manual Opt-In: To keep control over the migration, opt in to passkey profiles before your tenant’s automatic enablement window begins (April 2026 for commercial tenants, June 2026 for GCC, GCC High, and DoD tenants) and configure the Default passkey profile yourself rather than accepting the auto-populated values.
  • Audit Registration Campaigns: Review “Microsoft-managed” registration campaigns. If you want to continue targeting Microsoft Authenticator specifically, you must manually change the campaign state from “Microsoft-managed” to “Enabled.”
  • Update Support Resources: Update internal help desk runbooks and end-user documentation to explain the difference between synced passkeys and physical security keys.
  • Monitor Rollout Dates:
    • Early March 2026: GA rollout begins for commercial tenants.
    • Early April 2026: Automatic enablement begins for commercial tenants; GA rollout begins for GCC, GCC High, and DoD tenants.
    • Early June 2026: Automatic enablement begins for GCC, GCC High, and DoD tenants.
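The following is an added example, not part of the message and not a Microsoft tool: a small Python readiness check that applies the migration rules summarized above (and stated in Microsoft’s “How this affects your organization” and “Registration Campaign behavior” text further down) to a tenant’s current settings, so an admin can see the post-migration defaults before the enablement window. The input dictionaries follow the shape of the Microsoft Graph `fido2AuthenticationMethodConfiguration` and `authenticationMethodsRegistrationCampaign` objects (`isAttestationEnforced`, `keyRestrictions`, `includeTargets`, `state`, `snoozeDurationInDays`, `enforceRegistrationAfterAllowedSnoozes`), so a Graph GET or `Get-MgPolicyAuthenticationMethodPolicy` output can be fed in. The sample tenant data is constructed; the “device-bound” and “synced” strings are this example’s own labels, not the literal values of the new schema; and the check assumes that “synced passkeys enabled” means the post-migration `passkeyType` includes synced.

```python
"""Readiness check for Entra ID passkey-profile auto-enablement (MC1221452).

Added example: applies the migration rules from the message to a tenant's
current FIDO2 and registration-campaign settings. Input dicts mirror the
Graph shapes of fido2AuthenticationMethodConfiguration and
authenticationMethodsRegistrationCampaign. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

DEVICE_BOUND = "device-bound"      # example label, not the schema's literal value
SYNCED = "synced"                  # example label, not the schema's literal value
MICROSOFT_MANAGED = "default"      # Graph 'state' value shown as "Microsoft-managed"


@dataclass
class MigrationForecast:
    passkey_types: tuple            # what the new passkeyType would allow
    key_restrictions: dict          # carried over unchanged
    include_targets: list           # carried over to the Default passkey profile
    campaign_retargeted: bool       # Microsoft-managed campaign switches to passkeys
    snooze_days: Optional[int]      # reminder cadence after retargeting, else None
    actions: list = field(default_factory=list)


def forecast_passkey_types(fido2_config: dict) -> tuple:
    """passkeyType is derived from 'Enforce attestation' only."""
    if fido2_config.get("isAttestationEnforced"):
        return (DEVICE_BOUND,)
    return (DEVICE_BOUND, SYNCED)


def forecast_migration(fido2_config: dict, campaign: dict,
                       require_hardware_backed: bool = False,
                       keep_authenticator_campaign: bool = False) -> MigrationForecast:
    """Predict the Default passkey profile and campaign changes, plus needed actions."""
    types = forecast_passkey_types(fido2_config)
    synced_allowed = SYNCED in types                 # assumption: "synced enabled"
    managed = campaign.get("state") == MICROSOFT_MANAGED
    retargeted = managed and synced_allowed

    fc = MigrationForecast(
        passkey_types=types,
        key_restrictions=dict(fido2_config.get("keyRestrictions") or {}),
        include_targets=list(fido2_config.get("includeTargets") or []),
        campaign_retargeted=retargeted,
        snooze_days=1 if retargeted else None,
    )
    if require_hardware_backed and synced_allowed:
        fc.actions.append(
            "Opt in before the enablement window and set the Default passkey "
            "profile's passkeyType to device-bound, or enable attestation now.")
    if retargeted and keep_authenticator_campaign:
        fc.actions.append(
            "Change the registration campaign state from Microsoft-managed to "
            "Enabled (or Disabled) to keep targeting Microsoft Authenticator.")
    if retargeted:
        fc.actions.append(
            "Campaign will target all MFA-capable users with unlimited snoozes "
            "and a one-day reminder; update help-desk runbooks accordingly.")
    return fc


# Constructed sample tenant: attestation off, AAGUID allow-list, managed campaign.
SAMPLE_FIDO2 = {
    "isAttestationEnforced": False,
    "isSelfServiceRegistrationEnabled": True,
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                        "aaGuids": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]},
    "includeTargets": [{"targetType": "group",
                        "id": "11111111-2222-3333-4444-555555555555"}],
}
SAMPLE_CAMPAIGN = {
    "state": MICROSOFT_MANAGED,
    "snoozeDurationInDays": 14,
    "enforceRegistrationAfterAllowedSnoozes": True,
    "includeTargets": [{"targetType": "group", "id": "all_users",
                        "targetedAuthenticationMethod": "microsoftAuthenticator"}],
}

if __name__ == "__main__":
    fc = forecast_migration(SAMPLE_FIDO2, SAMPLE_CAMPAIGN,
                            require_hardware_backed=True,
                            keep_authenticator_campaign=True)
    print("passkeyType after migration:", ", ".join(fc.passkey_types))
    print("key restrictions kept:", fc.key_restrictions.get("isEnforced"))
    print("campaign retargeted to passkeys:", fc.campaign_retargeted)
    for action in fc.actions:
        print("-", action)
```

Run it against the sample and the hardware-only tenant gets three actions; flip `isAttestationEnforced` to `True` and the forecast drops to device-bound only with no campaign change, which is the quickest way to see that attestation, not key restrictions, is what the migration keys on.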

Microsoft Official Update

Service: N/A
Category: planForChange
Severity: normal


[Introduction]

Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.

The passkeyType property enables admins to configure:

  • Device-bound passkeys
  • Synced passkeys
  • Both

If a tenant does not opt in to passkey profiles during the initial rollout window, the new schema will be automatically enabled at the date range specified below. When this occurs: 

  • Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile. 
  • The passkeyType value will be set based on the tenant’s current attestation settings.
  • For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys.

[When this will happen]

  • General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026.
    • Automatic enablement for tenants that have not yet opted in (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026.
  • General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026.
    • Automatic enablement for tenants that have not yet opted in (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026. 

[How this affects your organization]

Who is affected: All Microsoft Entra ID tenants

What will happen:

If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.

  • Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
  • New passkeyType property will be auto-populated
    • If enforce attestation is enabled, then device-bound allowed
    • If enforce attestation is disabled, then device-bound and synced allowed
  • Any existing key restrictions will remain intact
  • Any existing user targets will be assigned to the Default passkey profile

[Registration Campaign behavior (Microsoft-managed campaigns only)]

  • For tenants where synced passkeys are enabled, if your registration campaign is set to Microsoft-managed: 
    • The targeted authentication method will be updated from Microsoft Authenticator to passkeys.
    • The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users. 
    • The settings Limited number of snoozes and Days allowed to snooze will no longer be configurable. These will be set to allow unlimited snoozes with a one-day reminder cadence.

[What you can do to prepare]

If you want a configuration different from the migration defaults, review the timeline above and opt in to passkey profiles before your tenant’s automatic enablement window begins. Then configure the Default passkey profile’s passkeyType to your preferred values.

We also recommend:

  • Review your registration campaign configuration, especially if it's set to Microsoft-managed. If you want synced passkeys enabled in your tenant but do not want the registration campaign to target passkeys, you can:
    • Switch the registration campaign state to Enabled and continue targeting Microsoft Authenticator, or 
    • Set the registration campaign state to Disabled.
  • Update runbooks and help content so your help desk and end users understand any changes in passkey availability or behavior. 

Learn more:

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.