Microsoft Entra ID to get automatic passkey profiles

Starting in March 2026, Microsoft will automatically enable passkey profiles within Entra ID and add support for synchronized passkeys.

Starting in March, Microsoft Entra ID will automatically use passkey profiles, shifting the focus from Microsoft Authenticator to passkeys.

New passkey architecture

With the update, Microsoft Entra ID is moving to a new schema with a separate passkeyType property. This allows administrators to configure separately whether device-bound passkeys, synchronized passkeys, or both are allowed. Companies that do not explicitly opt in to the new experience will be migrated automatically. Existing FIDO2 settings will be incorporated into a default profile, so that authentication continues to work without interruption.

More control for administrators

The new structure enables group-based configurations instead of a single global policy per tenant. Registration campaigns are also changing. In environments where synchronized passkeys are active, the focus shifts from Microsoft Authenticator to passkeys. Microsoft is also adjusting the settings of registration prompts, with unlimited deferrals and daily reminders.

Global availability will begin in early March 2026. Automatic activation for tenants that have not opted in will follow in April. The rollout to government environments is postponed until June, Neowin reports.