MC718260 - Microsoft Entra ID: Authentication strength improvements to support passkeys


Microsoft Entra

Last Updated May 17, 2024

Published Feb 22, 2024


Updated message
Feature update
User impact
Admin impact




Microsoft Entra ID will improve authentication strength to support passkeys stored on devices. Users will see new registration options in My Security Info. The rollout will begin in mid-May 2024 and is expected to complete by early August 2024. No action is needed to prepare for this change, but you may want to update relevant documentation.

More information

Updated May 17, 2024: We have updated the rollout timeline below. Thank you for your patience.

Conditional Access authentication strengths in Microsoft Entra ID will be improved to support registration of device-bound passkeys stored on computers, security keys, and mobile devices.

This message is associated with Microsoft 365 Roadmap ID 182056.

When this will happen:

Public Preview: We will begin rolling out mid-May 2024 (previously early March) and expect to complete by early June 2024 (previously mid-March).

Worldwide, GCC, GCC High, DoD: We will begin rolling out mid-July 2024 (previously late April) and expect to complete by early August 2024 (previously May).

How this will affect your organization:

End user registration

Prior to this change, users in scope for authentication strength enforcement who could not satisfy passkey (FIDO2) authentication requirements received an error message asking them to manually register the passkey (FIDO2) method.

With this rollout, in My Security Info, new registration options called Passkey (preview) and Passkey in Microsoft Authenticator (preview) will be shown to users who are interrupted to register a passkey (FIDO2) method to satisfy authentication strength requirements. Users who are required to register a passkey in Microsoft Authenticator will see a dedicated registration experience. Users whose organization requires specific passkeys from various vendors and manufacturers will be shown the allowable AAGUIDs of the passkeys they can choose to register. No changes are expected to existing Conditional Access policies targeting security information registration.


What you need to do to prepare:

For more information on changes to Microsoft Entra support for passkeys (FIDO2), please review our previous message center post MC690185: (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) (November 2023).

No action is needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.