MC1279092 - Microsoft Entra: Passkeys in registration campaigns update

Introduction

We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.

Based on ongoing improvements to passkey registration nudge logic and user experience behavior, Passkeys (FIDO2) will no longer move forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746. 

Instead, we are continuing to refine the eligibility logic that determines when users receive passkey registration nudges during sign-in. In the interim, Passkey (FIDO2) will move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria. 

When this will happen

• General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.

How this affects your organization

Who is affected

• Microsoft Entra tenants using Authentication Methods Registration Campaigns
• Tenants with Passkeys (FIDO2) enabled
• Only tenants that meet the Microsoft‑managed eligibility criteria described below

What will happen

Enabled state

• Passkeys (FIDO2) will not be supported as the targeted authentication method for Registration Campaigns in the Enabled state at this time.
• We are continuing to improve registration campaign nudge behavior and eligibility logic to better align with passkey configuration and profile scope.
• Further updates will be shared when support for the Enabled state becomes available.

Microsoft‑managed state

• Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.

Tenants are impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is Enabled.
• Allow self‑service setup is Enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
• The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.

Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For impacted tenants, the following Registration Campaign settings will be automatically updated:

• Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
• Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
• Default user targeting changes from voice call or text message users to all MFA‑capable users.

After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.

Rollout will occur incrementally across eligible Microsoft Entra tenants.

What you can do to prepare

No action is required at this time.

If you plan to enable passkey registration nudges in the future:

• Ensure users are enabled for both synced and device‑bound passkeys.
• Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
• Set your Authentication Methods Registration Campaign to Microsoft‑managed.

Compliance considerations