MC718260 - Microsoft Entra ID: Authentication strength improvements to support passkeys

Service: Microsoft Entra

Published: Feb 22, 2024

Tag: Feature update, User impact, Admin impact

Platforms: Android, Desktop, iOS, Mac, Web

Summary

Microsoft Entra ID will improve authentication strength to support passkeys stored on devices. Users will see new registration options in My Security Info. The rollout will begin in March 2024 and is expected to complete by mid-May 2024. No action is needed to prepare for this change, but you may want to update relevant documentation.

More information

Conditional Access authentication strengths in Microsoft Entra ID will be improved to support registration of device-bound passkeys (defined at passkeys.dev) stored on computers, security keys, and mobile devices. 

This message is associated with Microsoft 365 Roadmap ID 182056.

When this will happen:

Public Preview: We will begin rolling out early March 2024 and expect to complete by mid-March 2024.

Worldwide, GCC, GCC High, DoD: We will begin rolling out late April 2024 and expect to complete by early May 2024.

How this will affect your organization:

End user registration

Prior to this change, users who were in scope for authentication strength enforcement but could not satisfy passkey (FIDO2) authentication requirements received an error message asking them to manually register the passkey (FIDO2) method.

With this rollout, in My Security Info, new registration options called Passkey (preview) and Passkey in Microsoft Authenticator (preview) will be shown to users who are interrupted to register a passkey (FIDO2) method to satisfy authentication strength requirements. Users who are required to register a passkey in Microsoft Authenticator will see a dedicated registration experience. Users whose organization requires specific passkeys from various vendors and manufacturers will be shown the allowable AAGUIDs of the passkeys they can choose to register. No changes are expected to existing Conditional Access policies targeting security information registration.

Current: [screenshot: user message]

New: [screenshot: user message]

What you need to do to prepare:

For more information on changes to Microsoft Entra support for passkeys (FIDO2), please review our previous message center post MC690185: (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) (November 2023).

No action is needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.