
Microsoft Entra Passkeys: Use Passkeys for Employees

Explore Microsoft Entra's (formerly Azure AD) transition to device-bound & synced passkeys. Learn how this fits into Microsoft’s overall passkey strategy.

Vincent Delitz


Created: January 18, 2024

Updated: November 21, 2025


1. Passkey rollout starts with device-bound Passkeys

Microsoft, as one of the core members of the FIDO Alliance, is ushering in a new era with its introduction of device-bound passkeys in Microsoft Entra, formerly called Azure Active Directory (AD). This move reflects the general industry shift (e.g. Coinbase, Uber, Adobe) towards passkeys as a more secure, user-friendly authentication method. With it, the friction that other, traditional MFA methods cause in business scenarios could be overcome by making use of the user-friendly login process of passkeys.

Before we dive into Microsoft Entra's specific passkey implementation and analysis, let's have a brief look at the different types of passkeys.

1.1 What are device-bound Passkeys?

Device-bound passkeys, previously known as single-device passkeys, are FIDO2 discoverable credentials tied exclusively to a single authenticator / device. This authenticator / device could be integrated directly into devices running Windows 10 or Windows 11 (Windows Hello), macOS (Touch ID), iOS (Touch ID or Face ID), or Android (using the respective Android biometric solution of the device manufacturer). The essence of these passkeys is their binding to the authenticator / device, bolstering security by ensuring the private key of the passkey's key pair never leaves this device. However, recovery becomes much more complex, as there is no backup and most often you need a second authenticator / device that holds another device-bound passkey to regain access if the first authenticator / device is lost, stolen or broken.

1.2 What about synced Passkeys at Microsoft?

Update November 2025: Microsoft Entra ID now officially supports synced passkeys! This marks a great milestone in making passkey technology more accessible and convenient for enterprise users. Synced passkeys work across devices using centralized cloud services from platform providers like Apple's iCloud Keychain and Google Password Manager.

The support of synced passkeys represents a major step in broadening the accessibility and convenience of passkey technology to the general public. Non-technical people benefit greatly from synced passkeys due to simpler recovery and seamless cross-device experience. Users can register a passkey on one device and automatically have it available on all their other devices that use the same cloud service.


1.3 Enforcing Physical Security Keys

Within Microsoft Entra, IT administrators have the option to enforce the use of hardware security keys (e.g. YubiKeys). Hardware security keys also adhere to FIDO2 protocols but are not bound to one platform and can be used across platforms (that's why they are called roaming or cross-platform authenticators). Alternatively, users will default to storing their passkeys directly on their devices using the built-in platform authenticators (e.g. Windows Hello, Face ID, Touch ID). Microsoft Entra offers the flexibility to manage this through settings, including the ability to whitelist or blacklist specific types of passkeys based on the AAGUID, which indicates the authenticator / device model a passkey was created on. This allows administrators to restrict the usage of passkeys to only company-managed devices.

1.4 Microsoft Entra Passkey Rollout Timeline

Starting January 2024, Microsoft Entra ID will preview device-bound passkeys as an authentication method, complementing existing support for hardware security keys (e.g. YubiKeys). This phased approach reflects Microsoft's cautious yet progressive strategy in rolling out new security features to a large audience.

Microsoft Entra Passkey Configuration

2. Transitioning from FIDO2 Security Keys to Passkeys

In accordance with this new strategic direction, the admin portal of Microsoft Entra is undergoing a transformation, rebranding "FIDO2 security keys" as "Passkeys (FIDO2)". This rebranding signifies more than just a change in name; it represents a broader alignment towards establishing passkeys as the new standard for login authentication across various platforms, devices, operating systems, and web browsers.

This latest development from Microsoft not only extends support to iOS and iPadOS for Microsoft 365 but also encompasses a wide range of Microsoft's own first-party applications and any other applications safeguarded with Entra ID. Initially, Microsoft introduced passkey support for Safari in July 2023, which was a significant enhancement. However, the majority of customers were eagerly anticipating support for native apps. Now, with Microsoft's latest announcement, users can enjoy a comprehensive experience on their mobile devices, enabling them to sign in to both web applications and native apps using a YubiKey.

3. Enhancing the End-User Experience

It's obvious that Microsoft prioritizes user experience in the transition to passkeys. This means that end-users will notice changes in both sign-up and login processes.

3.1 Entra Passkey Sign-Up Experience

The "My Security Info" portal will introduce a new option labeled "Passkey (preview)" for registering device-bound passkeys on various devices. This option is set to replace the existing security key sign-up by the end of 2024.

3.2 Entra Passkey Login Experience

The login interface will be updated to reflect this change. Today there are phrases like

These will evolve to phrases like

  • Face, fingerprint, PIN, or security key
  • Signing in with a passkey

In the enhanced sign-in experience, the term passkey will be used to encompass passkey credentials from security keys, computers, and mobile devices, promoting inclusivity.

4. Strategy behind Microsoft Entra's Passkey Integration

Microsoft's careful rollout of passkey support in Entra has been a calculated, multi-phase strategy. Following the adoption of passkeys by its subsidiaries like Microsoft 365, LinkedIn, and GitHub, the Entra integration marked the next significant step. The strategy evolved from device-bound passkeys to the November 2025 introduction of synced passkeys, which enable passkey synchronization via third-party cloud services like Apple's iCloud Keychain and Google Password Manager, significantly enhancing user experience and backup security.

Another key consideration is the compatibility of passkeys with different Windows versions. While Windows 11 23H2 has improved passkey capabilities, including a new passkey management UI, questions remain about older versions like Windows 10 (21H2) and their support for discoverable credentials. Microsoft continues to work on broader compatibility to ensure enterprise customers with diverse device ecosystems can adopt passkey authentication.


5. Update May 2024: Preview for Microsoft Entra Passkeys has been released

In May 2024, Microsoft finally released the preview update for Microsoft Entra, introducing the capability to use the Microsoft Authenticator app on Android & iOS as passkey-provider for device-bound passkeys.

The rationale behind this implementation is tailored specifically to working and enterprise environments. In these managed settings, the priority is to ensure that the passkey remains secure and bound to the device. Synced passkeys, while convenient, pose a higher risk in such environments due to the potential for broader access. By utilizing the Microsoft Authenticator app as a passkey manager, the private keys are securely stored within the app, ensuring that they are removed upon reinstallation, thus maintaining a high level of security.

This strategic choice reflects Microsoft's commitment to providing robust security solutions tailored to the needs of enterprise users, balancing the benefits of modern passkey technology with the stringent security requirements of managed environments. Microsoft has released detailed instructions on how to use passkeys:

  • How to activate passkeys for Entra: To activate passkeys in Microsoft Entra, sign in to the Entra admin center as an Authentication Policy Administrator. Go to Protection > Authentication methods > Authentication method policy. Under FIDO2 security key, select all users or specific groups. Allow self-service setup, disable attestation enforcement, and enable key restrictions. Add the Authenticator app AAGUIDs for Android (de1e552d-db1d-4423-a619-566b625cdc84) and iOS (90a3ccdf-635c-4729-a248-9b709135078f). Save the changes. A detailed step-by-step guide can be found here and describes the configuration until it's done.

  • How to configure an iOS or Android device for Entra passkeys:
    • For iOS: Open the Authenticator app, add a work or school account, sign in, complete MFA, and enable Authenticator as a passkey provider in the device settings. Third-party passkey providers are only supported with iOS 17 and above.
    • For Android: Open the Authenticator app, add a work or school account, sign in, complete MFA, and follow the on-screen prompts to enable passkeys. Third-party passkey providers are only supported with Android 14 and above.
    • A detailed step-by-step guide can be found here.

Overall, the implementation is straightforward within the concept of a closed device system. We expect that in the future, when the passkey ecosystem itself supports implementing the device-bound keys (e.g. supplementalPubKeys), the implementation might change. Another possibility would be to leverage attestation that is available for managed iOS devices via enterprise attestation.

6. Update November 2025: Synced Passkeys now available in Microsoft Entra

Microsoft Entra ID has now officially released support for synced passkeys, marking a transformative milestone for enterprise authentication. This update addresses the long-anticipated need for passkeys that work seamlessly across multiple devices without additional setup.

6.1 How synced Passkeys improve Protection

Synced passkeys provide superior phishing resistance compared to traditional MFA methods. Even sophisticated phishing attacks cannot compromise synced passkeys because they require a registered device and biometric or local PIN, and are registered to work only with specified sites or apps. Unlike codes sent via email or SMS that can be intercepted, a passkey is bound to the relying party ID it was registered for, so the browser or authenticator won't offer it on a look-alike phishing domain.

6.2 End-User Experience with synced Passkeys

6.2.1 Registration Process

Users can now register synced passkeys directly through their account settings at My Sign-Ins. The process is straightforward:

  • Select "Add a sign-in method" and choose "Passkey"
  • Select "Create a Passkey Using Another Device"
  • Choose "iPhone, iPad, or Android Device"
  • Scan the QR code with the device's built-in camera app
  • Complete biometric verification (Face ID or fingerprint)
  • The passkey is automatically saved to iCloud Keychain or Google Password Manager

6.2.2 Cross-Device Synchronization

Once a synced passkey is registered, it automatically becomes available across all devices linked to the same cloud service. For example, after registering a passkey on an iPhone using iCloud Keychain, that same passkey is immediately usable on a Mac configured to sync with iCloud—no additional setup required.

6.2.3 Device Replacement

When replacing a device, users don't need to re-register passkeys. The synced passkey automatically transfers to the new device through the cloud service, making the transition seamless.

6.3 Administrator Configuration with Passkey Profiles

Microsoft has introduced flexible passkey profiles in the Entra admin center, allowing administrators to configure different policies for different user groups:

6.3.1 Passkey Profiles Configuration

  • Administrators can create multiple passkey profiles under Authentication Methods > Passkeys
  • Each profile can target specific user groups (e.g., all users, admin accounts, specific departments)
  • Profiles support both device-bound and synced passkeys as target types

6.3.2 Key Configuration Options

  • Target Types: Choose between device-bound passkeys, synced passkeys, or both
  • Enforce Attestation: For high-privileged accounts like admins, attestation can be enforced for single-device verification. Note that enforcing attestation removes synced passkeys as an option
  • Target Specific Passkeys: Administrators can allow or block specific passkey providers using AAGUIDs (Authenticator Attestation Globally Unique Identifier)
  • Flexible Provider Support: Unchecking "Target Specific Passkeys" allows all passkey providers, while checking it enables whitelisting specific providers

This granular control enables IT departments to balance security requirements with user convenience based on role and risk level.
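To make the AAGUID allow list from section 5 and the passkey profile options above concrete, here is an added example (not Microsoft's or Corbado's code) of the check a relying party performs on the WebAuthn authenticator data it receives at registration: it reads the AAGUID and the backup-eligibility flags that distinguish a synced passkey from a device-bound one, then applies a profile with target types and an optional AAGUID allow list. The two Authenticator app AAGUIDs are the ones quoted on the page; the sample authenticator data is constructed for the demo and omits the trailing COSE public key.

```python
import struct
import uuid
from typing import Optional, Set, Tuple

# AAGUIDs of Microsoft Authenticator as passkey provider (values quoted on the page)
AUTHENTICATOR_ANDROID = "de1e552d-db1d-4423-a619-566b625cdc84"
AUTHENTICATOR_IOS = "90a3ccdf-635c-4729-a248-9b709135078f"

# WebAuthn authenticatorData flag bits: user present, user verified,
# backup eligible (BE), backup state (BS), attested credential data present (AT)
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode rpIdHash/flags/signCount and the attested credential data header."""
    if len(auth_data) < 55:
        raise ValueError("authenticatorData too short for a registration")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (not a registration)")
    aaguid = uuid.UUID(bytes=auth_data[37:53])          # 16 bytes after signCount
    (cred_len,) = struct.unpack(">H", auth_data[53:55])  # credentialIdLength
    return {
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),        # BE=1 means a synced passkey
        "backup_state": bool(flags & FLAG_BS),
        "aaguid": str(aaguid),
        "credential_id": auth_data[55:55 + cred_len],
    }


def evaluate_profile(auth_data: bytes, allow_synced: bool, allow_device_bound: bool,
                     allowed_aaguids: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Apply a passkey profile: target types plus an optional AAGUID allow list."""
    info = parse_auth_data(auth_data)
    if not info["user_verified"]:
        return False, "user verification required"
    synced = info["backup_eligible"]
    if synced and not allow_synced:
        return False, "synced passkeys not allowed by profile"
    if not synced and not allow_device_bound:
        return False, "device-bound passkeys not allowed by profile"
    if allowed_aaguids is not None and info["aaguid"] not in allowed_aaguids:
        return False, f"AAGUID {info['aaguid']} not in allow list"
    return True, "accepted"


def make_auth_data(aaguid: str, flags: int, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Construct sample authenticatorData (rpIdHash zeroed, signCount 1, no COSE key)."""
    return (b"\x00" * 32 + bytes([flags]) + b"\x00\x00\x00\x01"
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id)
```

A profile that enforces attestation for admins would additionally verify the attestation statement, which is why the page notes that such a profile excludes synced passkeys.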

6.4 Enhanced Account Recovery with Verified ID

Microsoft has introduced a passwordless account recovery method using Verified ID:

  • Users who lose their device can recover their account without traditional password reset methods
  • The process uses government-issued IDs and live selfie verification through a trusted identity provider
  • After identity verification, users receive a Temporary Access Pass to register a new passkey
  • This approach strengthens security against account recovery attacks and reduces helpdesk costs

6.5 Conditional Access and real-time Risk Mitigation

Microsoft has enhanced session revocation capabilities for compromised accounts:

  • When risk is detected, the user account is automatically set to high risk
  • Conditional Access policies can automatically revoke user sessions in real-time
  • High-risk users must re-authenticate using their passkey
  • Successful re-authentication automatically lowers the risk level, enabling self-service recovery
  • This provides more effective protection than previous options through real-time remediation

6.6 Platform Support#

Synced passkeys in Microsoft Entra work with:

  • Apple devices: iPhone, iPad, and Mac using iCloud Keychain (requires device camera for QR code scanning during registration)
  • Android devices: Phones and tablets using Google Password Manager
  • Browsers: Full support across Safari, Chrome, and other modern browsers

7. Conclusion

Microsoft's integration of passkeys into Microsoft Entra represents a forward-thinking approach to digital security. Starting with device-bound passkeys and now fully supporting synced passkeys, Microsoft has completed a crucial milestone in enhancing both security and user convenience. This phased rollout reflects a deep understanding of customer concerns and a commitment to gradual, secure technological evolution.

With the November 2025 release of synced passkeys, Microsoft Entra now offers enterprises a complete passkey solution that balances security requirements with user experience. The introduction of flexible passkey profiles, enhanced account recovery through Verified ID, and real-time risk mitigation through Conditional Access policies demonstrates Microsoft's comprehensive approach to modern authentication.

Microsoft is in a unique position within the passkey market, serving a large share of the desktop market in both consumer and enterprise environments with substantial legacy installations. The company has moved deliberately, respecting the needs of large established enterprises while progressively adopting modern authentication standards. While Apple and Android moved faster with their consumer-focused update cycles, Microsoft's careful approach has resulted in a robust, enterprise-ready implementation.

The final piece of the puzzle remains bringing native synced passkey support to Windows Hello itself, which would complete the ecosystem. However, with current support for synced passkeys through third-party providers like iCloud Keychain and Google Password Manager, enterprises can already deploy comprehensive passkey-based authentication across their workforce.
