Microsoft has announced that passkey profiles and synced passkeys in Microsoft Entra ID will reach General Availability starting March 2026 for tenants that already have Passkeys (FIDO2) enabled. This update introduces a new passkey profiles experience and a new passkeyType property.

This change matters because it updates how passkeys are managed in Entra ID and affects existing Passkeys (FIDO2) configurations in tenants where the feature is already enabled.

What is changing

Microsoft is introducing a new way to manage passkeys in Entra ID. Instead of using one broad setup for all internal users, organizations will be able to use passkey profiles to apply different passkey settings to different groups of users.

As part of this change, admins will also be able to choose whether users can register device-bound passkeys, synced passkeys, or both.

 

What happens to existing configurations

This update only affects organizations that already have Passkeys (FIDO2) enabled. If your organization uses them today and you do not switch to passkey profiles before Microsoft makes the change automatically, your current passkey setup will be moved to the new model.

Your current restrictions and user assignments will stay in place, and no new sign-in method is being turned on as part of this change. Depending on your current settings, your organization will end up allowing either device-bound passkeys only, or both device-bound and synced passkeys.

Figure 1: Example of Passkey Profiles

Registration campaign impact

Some organizations will also see a change in the prompts shown to users during sign-in. If your organization uses the Authentication Methods registration campaign in the Microsoft-managed configuration, users may begin seeing prompts to register a passkey after they complete multifactor authentication.

The easiest way to tell if you are affected is to check four things:

For affected organizations, the registration campaign will change in a few ways. The targeted authentication method will move from Microsoft Authenticator to Passkeys (FIDO2). The snooze period will change from 3 days to 1 day. The limit on snoozes will be removed. Default targeting will also expand from voice call or text message users to all multifactor authentication capable users.

Once these changes take effect, targeted users will begin seeing passkey registration prompts during sign-in after completing multifactor authentication. The image below shows a similar registration prompt experience in Microsoft Entra, although this example is for Microsoft Authenticator rather than passkeys.

Passkey demo example

Timeline

Passkey profiles and synced passkeys will begin rolling out to General Availability in the public cloud worldwide in early March 2026, with completion expected by late March 2026.

For tenants that already have Passkeys (FIDO2) enabled, automatic migration in the public cloud worldwide begins in early April 2026 and is expected to complete by late May 2026.

Authentication Methods registration campaign changes in Microsoft-managed state: If your organization is in scope for this change, users may start seeing passkey registration prompts during sign-in sometime between early April 2026 and late May 2026, depending on when the update reaches your tenant.

 

What admins should do

If your organization wants to keep more control over how passkeys are set up, it is worth reviewing your current settings before Microsoft applies the changes automatically. Organizations that want something different from the default migration behavior should move to passkey profiles before their automatic enablement window begins. After that, admins can adjust the Default passkey profile to allow the passkey types they want to support. For setup and configuration guidance, see Microsoft’s documentation on How to enable passkeys (FIDO2) in Microsoft Entra ID.

It is also worth reviewing your registration campaign settings. A registration campaign is the sign-in prompt Microsoft Entra can show to encourage users to register a more secure authentication method.

If your organization uses the Microsoft-managed option, Microsoft may automatically switch that prompt from Microsoft Authenticator to Passkeys (FIDO2) for in-scope tenants. If you do not want passkeys to be the method promoted in that prompt, you can change the registration campaign setting to Enabled to continue targeting Microsoft Authenticator, or set it to Disabled to turn the prompt off. For more detail, see Microsoft’s documentation on How to run a registration campaign to set up Microsoft Authenticator.
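As an added example (not Microsoft's code and not part of the original article), the script below reviews the two settings discussed above, the Passkeys (FIDO2) method configuration and the registration campaign state, from a tenant's authentication methods policy. It assumes the policy has been exported as JSON from the Microsoft Graph authenticationMethodsPolicy resource; the sample policy and the review_policy helper are constructed for illustration.

```python
import json

# Constructed sample shaped like the Microsoft Graph authenticationMethodsPolicy
# resource (GET /policies/authenticationMethodsPolicy); all values are illustrative.
SAMPLE_POLICY = json.loads("""
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {
      "state": "default",
      "snoozeDurationInDays": 3,
      "includeTargets": [
        {"id": "all_users", "targetType": "group",
         "targetedAuthenticationMethod": "microsoftAuthenticator"}
      ]
    }
  },
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled", "isAttestationEnforced": false},
    {"id": "MicrosoftAuthenticator", "state": "enabled"}
  ]
}
""")

def review_policy(policy):
    """Summarise the settings the article says to review (hypothetical helper)."""
    methods = {m.get("id", "").lower(): m
               for m in policy.get("authenticationMethodConfigurations", [])}
    fido2 = methods.get("fido2", {})
    campaign = (policy.get("registrationEnforcement", {})
                .get("authenticationMethodsRegistrationCampaign", {}))
    targets = sorted({t["targetedAuthenticationMethod"]
                      for t in campaign.get("includeTargets", [])
                      if t.get("targetedAuthenticationMethod")})
    passkeys_enabled = fido2.get("state") == "enabled"
    return {
        # Automatic migration only applies where Passkeys (FIDO2) is already enabled.
        "auto_migration_in_scope": passkeys_enabled,
        # Reported because migration carries existing attestation choices forward.
        "attestation_enforced": fido2.get("isAttestationEnforced") if passkeys_enabled else None,
        # Graph reports the Microsoft-managed campaign setting as state "default".
        "campaign_microsoft_managed": campaign.get("state") == "default",
        "campaign_state": campaign.get("state", "unknown"),
        "current_snooze_days": campaign.get("snoozeDurationInDays"),
        "current_targeted_methods": targets,
    }

if __name__ == "__main__":
    for key, value in review_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

A tenant that reports campaign_microsoft_managed as true is a candidate for the prompt change described above; setting the campaign to Enabled or Disabled takes it out of the Microsoft-managed state.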

It is also a good idea to update runbooks, help content, and support guidance so helpdesk teams and end users understand any changes in passkey availability or sign-in prompts.

Bottom line

This update introduces a new model for managing passkeys in Microsoft Entra ID and sets a clear migration path for tenants that already use Passkeys (FIDO2).

For administrators, the immediate task is to review current settings, understand how migration will apply existing attestation choices, and decide whether any changes are needed before automatic enablement begins.