Microsoft has announced that starting in March 2026, Entra ID will automatically enable passkey profiles and introduce support for synced passkeys. This new feature offers administrators more flexibility and control over their authentication settings, ensuring a more secure and efficient user management experience. The Microsoft Entra ID passkeys update will make passkey profiles widely available, bringing enhanced security options for organizations globally.
New Passkey Profiles and Synced Passkeys Available
The update will move passkey profiles into general availability, allowing administrators to leverage group-based configurations. This feature enables security teams to apply specific passkey policies to selected user groups rather than managing settings across the entire tenant. The central update introduces a new property called passkeyType, which lets admins determine the types of passkeys users can register—options include device-bound passkeys, synced passkeys, or a combination of both. This level of control helps organizations fine-tune their passkey usage according to their needs.
Automatic Migration for Tenants That Don’t Opt-In
Microsoft has planned a staged rollout for the new passkey profiles experience. Organizations can opt-in during the initial rollout phase. For those that do not opt in, the migration to the new system will occur automatically at a later stage. During the automatic migration, current FIDO2 passkey authentication settings will be moved to the default passkey profile, with the passkeyType set based on the organization’s current configuration.
Synced Passkeys and Changes to Registration Campaigns
For tenants that have already allowed synced passkeys, Microsoft will update its managed registration campaigns. The new campaigns will now target passkeys as part of the registration flow. This update ensures that all organizations, whether they are early adopters of synced passkeys or not, can benefit from the enhanced passkey experience when the migration occurs.
What This Means for Administrators
Microsoft has not indicated that administrators need to take immediate action, but organizations are encouraged to review their current FIDO2 and passkey settings ahead of the March 2026 rollout. Organizations can choose whether to opt in early or allow the automatic migration to take place. This update will give administrators more time to assess and adjust their settings for optimal security configurations.
The upcoming changes to Microsoft Entra ID, including the automatic enablement of passkey profiles and support for synced passkeys, mark a significant shift in how organizations can manage authentication. These updates offer increased flexibility and enhanced security, ultimately improving user management and access control across environments. As Microsoft continues to refine this feature, businesses will gain more tools to strengthen their cybersecurity posture.
