MC1221452 - (Update)Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants

Message Center

Metadata at latest

Message ID

MC1221452

View in Message Center

Last Updated

Apr 15, 2026

Published Jan 23, 2026

Service

Microsoft Entra

Tag

Major change

Updated message

New feature

User impact

Admin impact

Metadata changes

Title: Microsoft Entra ID: Auto-enabling passkey profiles(Update)Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants
Tags: Admin impact, New feature, User impactAdmin impact, New feature, Updated message, User impact
End date: Aug 31, 2026Oct 5, 2026

Body changes

removed textadded text

Updated April 15, 2026: We have updated the content. Thank you for your patience.

Introduction

Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.

Important: Only tenants that already have Passkeys (FIDO2) enabled are affected by this update.

The passkeyType property enables admins to configure:

Device-bound passkeys
Synced passkeys
Both

If ayour tenant ~~does~~already has Passkeys (FIDO2) enabled and you do not opt in to passkey profiles during the initial rollout window, ~~the new schema~~your tenant will be automatically ~~enabled~~migrated to the passkey profiles schema at the date range specified below. When this occurs:

Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.
The passkeyType value will be set based on the tenant’s current attestation settings. Synced passkeys will be enabled for tenants with attestation enforcement disabled.
~~For tenants that have~~No new authentication methods are enabled as part of this migration.
This migration also impacts Authentication methods registration campaign set to “Microsoft managed” state, which uses passkey configuration settings to determine which registration prompts are shown to users.

Authentication Methods Registration Campaign changes (Microsoft-Managed Only)

Tenants are impacted when all the following conditions are met:

The Passkeys (FIDO2) authentication method policy is Enabled
Authentication methods registration campaign is set to “Microsoft managed” state
Allow self-service setup is Enabled
Target specific AAGUIDs is not selected (no AAGUID restrictions configured)
The Authentication Methods Registration Campaign state is set to Microsoft-managed
The tenant has at least one user enabled for both synced passkeys ~~enabled,~~ and device‑bound passkeys
Only users who are enabled for both synced passkeys and device‑bound passkeys, with no passkey profile restrictions configured (i.e. attestation enforcement, AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For these tenants, Microsoft-managed registration ~~campaigns~~campaign settings will ~~update~~be updated after passkey profile automatic migration is complete. We will roll out changes incrementally to ~~target passkeys.~~in-scope tenants according to the timeline outlined below.

When this will happen

Passkey profile and Synced passkeys General Availability ~~(Worldwide):~~
- Public cloud Worldwide: Rollout begins in early March 2026 and is expected to complete by late March 2026.
  - ~~Automatic enablement for tenants that have not yet opted in (Worldwide):~~GCC, GCC High, DoD clouds: Rollout begins in early ~~April~~May 2026 and is expected to complete by late May 2026.
- ~~General Availability (GCC, GCC High, and DoD):~~ USNat, USSec:Rollout begins in early ~~April~~July 2026 and is expected to complete by late ~~April 2026.~~July 2026
Automatic migration for existing passkeys (FIDO2) enabled tenants
- ~~Automatic enablement for tenants that have not yet opted in (GCC, GCC High, and DoD):~~Public cloud Worldwide: Rollout begins in early ~~June~~May 2026 and is expected to complete by late June ~~2026.~~2026
- GCC, GCC High, DoD clouds: Rollout begins in early August 2026 and is expected to complete by late August 2026
- USNat, USSec: Rollout begins in early August 2026 and is expected to complete by late August 2026
Authentication Methods registration campaign changes in Microsoft-Managed state (for in-scope tenants):
- Public cloud Worldwide: Rollout begins in early May 2026 and is expected to complete by late June 2026
How this affects your organization

~~Who is affected:~~ ~~All Microsoft Entra ID~~Automatic migration for existing passkeys (FIDO2) enabled tenants
What will happen:
If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.

Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
New passkeyType property will be auto-populated
If enforce attestation is enabled, then device-bound allowed
If enforce attestation is disabled, then device-bound and synced allowed
Any existing key restrictions will remain intact
Any existing user targets will be assigned to the Default passkey profile
~~Registration Campaign behavior (Microsoft-managed campaigns only)~~
~~For tenants where synced passkeys are enabled, if your~~Authentication Methods registration campaign ~~is set to~~changes in Microsoft-~~managed:~~
~~The targeted authentication method~~Managed state (for in-scope tenants)
What will happen:
Microsoft-managed registration campaign settings will be ~~updated~~updated:
"Targeted authentication method” will change from Microsoft Authenticator to ~~passkeys~~“passkeys (FIDO2)”.
“Days allowed to snooze” setting will change from 3days to “1 day”. This setting will no longer be configurable.
“Limited number of snoozes” setting will change from Enabled to "Disabled”. This setting will no longer be configurable.
The default user targeting will be updated from voice call or text messageusers to all multifactor authentication (MFA) capable users.
~~The settings~~ ~~Limited number of snoozes~~ ~~and~~ ~~Days allowed~~
What is the end user impact:
Once the above changes have taken effect, users targeted in the registration campaign will begin to ~~snooze~~ ~~will no longer be configurable. These will be set to allow unlimited snoozes with a one-day reminder cadence.~~
receive passkey registration nudges during sign-in flows after they have completed multifactor authentication.

What you can do to prepare
If you want a configuration different from the migration defaults, review the timeline above and opt in to passkey profiles before your tenant’s automatic enablement window begins. Then configure the Default passkey profile’s passkeyType to your preferred values.
We also recommend:
Review your registration campaign configuration, especially if its set to Microsoft-managed. If you ~~want synced passkeys enabled in your tenant but~~ do not want registration campaign to target passkeys, you can:
Switch the registration campaign state to Enabled and continue targeting Microsoft Authenticator, or
Set the registration campaign state to Disabled.
Update runbooks and help content so your help desk and end users understand any changes in passkey availability or behavior.
Learn more:
Enable passkeys for your organization - Microsoft Entra ID | Microsoft Learn
How to Enable Passkey (FIDO2) Profiles in Microsoft Entra ID (preview) - Microsoft Entra ID | Microsoft Learn
How to Enable Synced Passkeys (FIDO2) in Microsoft Entra ID (preview) - Microsoft Entra ID | Microsoft Learn
~~How to run a registration campaign to set up Microsoft Authenticator - Microsoft Entra ID | Microsoft Learn~~
Synced passkeys FAQ - Microsoft Entra ID | Microsoft Learn

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.