Microsoft is shifting how enterprises manage authentication by moving Microsoft Entra ID to a profile-based passkey system that will introduce synced passkeys and a new passkeyType setting. The update promises more granular control and a smoother path away from traditional passwords.
What’s changing: a new profile model and passkeyType
Beginning in March 2026, Microsoft Entra ID will transition to a new schema that natively supports passkey profiles. The upgrade adds a dedicated passkeyType property so admins can explicitly allow device-bound passkeys, synced passkeys, or both. Existing FIDO2 configurations won’t disappear — they’ll be migrated into a new default profile to maintain continuity.
Why this matters for admins
This profile-based approach replaces older, tenant-wide FIDO2 settings with more flexible, group-targetable controls. Organizations that currently enforce attestation will default to device-bound passkeys, while tenants without attestation enforcement will permit both device-bound and synced passkeys. Any current key restrictions or user-targeted policies will be preserved during migration, reducing the risk of disruption.
Registration campaigns and simplified prompts
Microsoft-managed registration campaigns will pivot from prioritizing Microsoft Authenticator to promoting passkeys in tenants where synced passkeys are enabled. The default audience for these campaigns expands to include all users capable of multi-factor authentication, increasing adoption reach across organizations.
Admin controls for registration prompts are also being simplified. Microsoft is removing the “limited number of snoozes” and “days allowed to snooze” options and moving to a single model that allows unlimited snoozes with a one-day reminder frequency — a change aimed at simplifying admin decisions while keeping nudges persistent.
Timing and rollout details
- General Availability (global rollout) begins early March 2026.
- Automatic enablement for tenants that don’t opt in is scheduled to start in April 2026.
- Government cloud environments (GCC, GCC High, DoD) follow a delayed schedule, with automatic migration planned for June 2026.
Administrators can find additional details in the Microsoft Admin Center under Message ID MC1221452.
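A pre-migration check based on the defaults described under "Why this matters for admins" and the rollout dates above. This is an added example, not Microsoft's code. It assumes the current FIDO2 policy has been exported as JSON in the shape of the Microsoft Graph fido2AuthenticationMethodConfiguration resource; the function name, the output fields and the "device-bound"/"synced" labels are hypothetical.

```python
import json

# Constructed sample export. Field names follow the Microsoft Graph
# fido2AuthenticationMethodConfiguration resource; all values are made up.
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isAttestationEnforced": false,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["00000000-0000-0000-0000-000000000001"]
  },
  "includeTargets": [{"targetType": "group", "id": "all_users"}]
}
""")

# Labels used by this example only; the literal passkeyType values may differ.
DEVICE_BOUND, SYNCED = "device-bound", "synced"


def predict_default_profile(policy, gov_cloud=False):
    """Predict the migrated default passkey profile from today's FIDO2 policy."""
    attested = bool(policy.get("isAttestationEnforced", False))
    # Article's rule: attestation enforced -> device-bound only, otherwise both.
    types = [DEVICE_BOUND] if attested else [DEVICE_BOUND, SYNCED]
    findings = []
    if SYNCED in types:
        findings.append(
            "Synced passkeys will be allowed by default; decide before the "
            "automatic migration whether passkeyType should be device-bound only."
        )
    return {
        "passkey_types": types,
        # Key restrictions and user targets are carried over unchanged.
        "key_restrictions": policy.get("keyRestrictions"),
        "include_targets": policy.get("includeTargets", []),
        # Automatic enablement dates from the rollout list.
        "auto_migration": "June 2026" if gov_cloud else "April 2026",
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(predict_default_profile(SAMPLE_POLICY), indent=2))
```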
Where this fits in the wider security trend
This move is part of a broader industry shift away from passwords toward passkeys — credentials that are phishing-resistant and cannot be reused across sites. Rather than a total replacement of existing authentication methods, passkeys are emerging as a stronger alternative within consumer and enterprise ecosystems. Microsoft’s profile-based architecture aims to make passkey deployment more scalable and adaptable to complex organizational needs.
Imagine rolling out modern, phishing-resistant authentication while keeping current policies and user targets intact — that’s the promise behind Entra ID’s migration to passkey profiles.
Source: Neowin