MC1247893 - Microsoft Entra passkeys on Windows now support phishing-resistant sign-in

Introduction

We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). It also expands passwordless authentication to Windows devices that aren’t Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords.

When this will happen

• Public preview: Rolling out from mid-March 2026 through late April 2026
• General Availability
  • Worldwide: Mid‑March 2026 to mid‑April 2026
  • GCC: Mid-April 2026 to mid-May 2026
  • GCC High: Mid-April 2026 to mid-May2026
  • DoD: Mid-April 2026 to Mid-May 2026

How this affects your organization

Who is affected

• Organizations using Microsoft Entra ID whose users sign in from Windows devices, including corporate‑managed, personal, and shared PCs.

What will happen

• There is no impact to your organization unless you opt in.
• Microsoft Entra passkeys on Windows will be available as a phishing‑resistant, passwordless sign‑in option for Entra‑protected cloud resources.
• Users will authenticate with Windows Hello (face, fingerprint, or PIN).
• Users can use passkeys on Windows devices that are not Entra‑joined or registered, enabling use on personal, shared, and unmanaged PCs.
• Users can sign-in to multiple Entra accounts on the same Windows device, with each account registering its own passkey.
• Passkeys on Windows are device‑bound and do not sync across devices; each device requires separate registration per Entra account.
• Windows Hello for Business remains recommended for managed, Entra‑joined or registered devices; passkeys supplement unmanaged device scenarios and do not support device sign‑in.
• Existing Conditional Access and authentication strength policies continue to apply with no required configuration changes unless you choose to enable passkeys.
• Users can’t register a passkey on Windows if a Windows Hello for Business credential already exists for the same account and container. This block may not apply once the user exceeds 50 total credentials across passkeys (FIDO2), Windows Hello for Business, and Mac Platform Credentials.  

What you can do to prepare

If you want to enable Entra passkeys on Windows during public preview:

• Enable the Passkeys (FIDO2) authentication method in Authentication Methods policies.
• Create a passkey profile and configure:
  • Attestation enforcement: Disabled
  • Key restrictions: Enabled
  • Allowed AAGUIDs (required during preview):
    • Windows Hello Hardware Authenticator: 08987058-cadc-4b81-b6e1-30de50dcbe96
    • Windows Hello VBS Hardware Authenticator: 9ddd1817-af5a-4672-a2b9-3e3dd95000a9
    • Windows Hello Software Authenticator: 6028b017-b1d4-4c02-b4b3-afcdafc96bb2
    • Note: During Public Preview, you must explicitly add these Windows Hello AAGUIDs to the allowed list.
• Assign the passkey profile to appropriate groups.
• Validate Conditional Access and authentication strengths policies to ensure they support passkey authentication.
• Communicate with pilot users about supported scenarios and enrollment steps.
• Update internal documentation if your organization tracks approved authentication methods.

If you do not plan to participate in the public preview, no action is required.

Learn more: How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Learn

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.