How to Enable and Roll Out Microsoft Authenticator Passkeys in Microsoft Entra ID: A Step-by-Step Guide

13 Min. Read

Passwords are no longer enough. Even with multifactor authentication (MFA), many organizations are still exposed to phishing-resistant gaps. Traditional MFA methods such as SMS, voice calls, OTP codes, and even push notifications can still be targeted by phishing, MFA fatigue, or adversary-in-the-middle attacks.

This is where Passkeys come in.

Passkeys are based on FIDO2 standards and use public/private key cryptography. The private key never leaves the user’s device or authenticator, and there is no password or shared secret that can be stolen and replayed by an attacker.

In this article, we will look at how to enable and roll out Microsoft Authenticator Passkeys in Microsoft Entra ID, starting with admin accounts first, then expanding to all users.

Why Microsoft Authenticator Passkeys?

The first question you may ask is, why should we prioritize Microsoft Authenticator Passkeys now?

The answer is simple: Microsoft is moving the sign-in experience away from passwords and toward stronger, phishing-resistant credentials.

There are two important Microsoft changes to be aware of.

First, Microsoft published Message Center MC1221452, titled Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants. According to the Message Center notification, Microsoft introduced passkey profiles and synced passkeys to General Availability for tenants with Passkeys (FIDO2) enabled. Existing configurations are migrated into a Default passkey profile, and administrators can configure the new passkeyType property to allow device-bound passkeys, synced passkeys, or both.

You can check the Message Center notification directly in your tenant here: Microsoft 365 Message Center – MC1221452

Second, Microsoft Learn documents System-preferred authentication. This feature prompts users to sign in using the most secure method they have registered. For example, if a user has both a password and a passkey registered, Microsoft Entra ID can prefer the passkey instead of the password. Microsoft notes that the Microsoft-managed behavior affects both first-factor and multifactor authentication and is being gradually deployed to tenants through July 2026.

You can read the official Microsoft Learn documentation here: System-preferred authentication in Microsoft Entra ID

In other words, if a user has a strong phishing-resistant credential such as a passkey, the sign-in experience can become passwordless. This improves both security and user experience.

For organizations already investing in Microsoft Entra ID, Conditional Access, and Zero Trust, Microsoft Authenticator Passkeys are a practical next step. If you are preparing your tenant for Microsoft MFA enforcement and stronger authentication controls, you may also want to read my previous article: Azure Mandatory MFA Planning Guide – Boost Security.

What are Passkeys?

A passkey is a phishing-resistant credential based on FIDO2/WebAuthn standards. So, instead of relying on a password that can be stolen, reused, or phished, a passkey uses a cryptographic key pair:

  • The private key remains protected on the device or authenticator.
  • The public key is registered with the service, such as Microsoft Entra ID.
  • During sign-in, Microsoft Entra ID sends a challenge.
  • The authenticator signs the challenge with the private key.
  • Microsoft Entra ID validates the response using the public key.

There is no password to type, no code to copy, and nothing useful for an attacker to steal from the user. And the good news is that Microsoft Entra ID already supports Passkeys under the Passkey (FIDO2) authentication method.

Microsoft Authenticator Passkeys in Microsoft Entra ID
Microsoft Authenticator Passkeys provide phishing-resistant sign-in for Microsoft Entra ID

Admin-first deployment strategy

For this deployment, we will focus on Microsoft Authenticator Passkeys and start with admin accounts first. This is the recommended approach because administrative accounts have privileged access and are high-value targets for attackers.

Please note that enabling a passkey profile and enforcing a passkey requirement are two different things.

The Passkey profile controls who can register and use specific types of passkeys.

The Conditional Access policy controls who is required to use phishing-resistant MFA when accessing cloud resources.

Prerequisites

Before you start, make sure you have the following:

1) Licensing: You need Microsoft Entra ID licensing that supports Conditional Access and Authentication Strengths. Recommended licenses:

  • Microsoft Entra ID P1 for Conditional Access
  • Microsoft Entra ID P2 for Identity Protection and privileged access scenarios
  • Microsoft Entra Suite or Microsoft 365 E5, depending on your environment

2) Admin roles: You need the following roles:

3) Devices: For Microsoft Authenticator Passkeys, users need:

  • Microsoft Authenticator installed
  • iOS 17 or later, or Android 14 or later
  • Device screen lock enabled
  • Internet connectivity
  • Bluetooth enabled for cross-device authentication scenarios

Microsoft Authenticator passkeys are device-bound, which means they are tied to the mobile device where they are created.

Assuming you have all the prerequisites in place, take the following steps:

Step 1: Prepare emergency access accounts

Before enabling any strong Conditional Access policy, make sure you have at least two emergency access, or break-glass, accounts.

This step is critical because Conditional Access policies can block access to Microsoft Entra ID if they are misconfigured. If the only administrator account is impacted by a new policy, you could lock yourself out of the tenant. You can skip this step if you already have these emergency accounts in place.

Emergency access accounts should be:

  • Cloud-only accounts
  • Excluded from Conditional Access policies
  • Monitored with alerts
  • Protected with strong credentials
  • Stored securely
  • Used only for emergencies

Suggested naming convention:

  • bg-admin-01@tenant.onmicrosoft.com
  • bg-admin-02@tenant.onmicrosoft.com

Microsoft recommends creating at least two emergency access (break-glass) accounts in your tenant. Having exactly two ensures redundancy while keeping your attack surface small. If one account is compromised or lost during an emergency, you have a secondary backup to regain access.

Verify that emergency access accounts are excluded from any Conditional Access policy that blocks or restricts sign-in. Then sign in with both accounts before continuing. Test access to:

Do not continue until emergency access is confirmed.

Emergency access exclusion group in Microsoft Entra Conditional Access
Always validate emergency access accounts before enforcing phishing-resistant MFA

Related article: How To Safely Disable Security Defaults in Microsoft Entra ID

Step 2: Create the admin pilot group

The next step is to create a dedicated security group for the admin pilot.

This group allows you to control exactly which administrators are part of the first rollout wave. Instead of enabling Passkeys for all administrators at once, you start with one or two test accounts, validate the experience, and then expand gradually.

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Groups > New group. Create the following group:

  • Group type: Security
  • Group name: GRP-Pilot-Passkey-Admins
  • Membership type: Assigned

Add only one or two admin accounts for the first test. For example:

  • Global Administrator
  • Security Administrator
  • Authentication Administrator
  • Conditional Access Administrator
  • Privileged Role Administrator

Do not add all admins at once. Keep the first pilot small. This new security group will be used in two places:

  1. The Passkey profile assignment
  2. The Conditional Access policy assignment
Microsoft Entra admin pilot group for Passkeys
Start with a small admin pilot group before expanding the rollout

Step 3: Enable Passkey Profiles

Now we will enable Passkey profiles in Microsoft Entra ID. Passkey profiles allow administrators to define different Passkey configurations for different groups of users. For example, you can create a stricter profile for administrators and a different profile for standard users.

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Authentication methods > Policies > Passkey (FIDO2)

If your tenant shows a banner to enable Passkey profiles, enable it.

Important: After you enable Passkey profiles, you cannot opt out. Microsoft automatically transfers existing global Passkey (FIDO2) settings into a Default passkey profile.

At the time of writing, the Microsoft Entra admin center shows that up to 10 passkey profiles are supported. Your previous Passkey (FIDO2) settings are moved into the Default passkey profile when profiles are enabled.

Note: Microsoft documentation and portal text can sometimes differ during staged rollouts. Always validate the current limit in your own Microsoft Entra admin center before planning a large multi-profile deployment.

Enable Passkey profiles in Microsoft Entra ID
Passkey profiles allow group-based configuration of Passkeys in Microsoft Entra ID

Step 4: Create the Microsoft Authenticator Passkey profile

Next, we need to create a dedicated Passkey profile for Microsoft Authenticator. This profile controls which type of Passkeys are allowed for the targeted group. In this example, we want a strict admin profile that allows only device-bound Microsoft Authenticator Passkeys.

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Authentication methods > Policies > Passkey (FIDO2)

2) Passkey (FIDO2) > Configure > + Add passkey profile

3) Use the following settings:

  • Name: Passkey – Admins – Microsoft Authenticator
  • Passkey type: Device-bound
  • Enforce attestation: Yes
  • Target specific AAGUIDs: Yes
  • Behavior: Allow
  • Model/Provider AAGUIDs:
    • Microsoft Authenticator for Android
    • Microsoft Authenticator for iOS

This configuration means that only device-bound passkeys created by Microsoft Authenticator on iOS or Android are allowed. Microsoft Authenticator AAGUIDs:

  • Microsoft Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
  • Microsoft Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

For the first lab test, you can set Enforce attestation to No to reduce registration friction. However, for production admin accounts, I recommend using:

  • Enforce attestation: Yes
  • Passkey type: Device-bound
  • Target specific AAGUIDs: Yes
  • Behavior: Allow
  • Allowed providers: Microsoft Authenticator for Android and iOS

Please note that when attestation is enabled, users must register the passkey directly from Microsoft Authenticator. Cross-device registration flows do not support attested passkey registration.

Microsoft Authenticator Passkey profile in Microsoft Entra ID
Dedicated Passkey profile for Microsoft Authenticator with device-bound passkeys and AAGUID restrictions

Step 5: Assign the profile to the admin pilot group

After creating the profile, assign it to the admin pilot group. Creating a Passkey profile alone does not make it available to users. You must also assign the profile to a target group.

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Authentication methods > Policies > Passkey (FIDO2)

2) Passkey (FIDO2) > Enable and Target > + Add target

Configure the target:

  • Target: Select targets
  • Group: GRP-Pilot-Passkey-Admins
  • Assigned passkey profile: Passkey – Admins – Microsoft Authenticator
Assign Passkey profile to Microsoft Entra admin pilot group
The Passkey profile is assigned only to the admin pilot group

The final state should be:

  • Passkey (FIDO2): Enabled
  • Target group: GRP-Pilot-Passkey-Admins
  • Assigned profile: Passkey – Admins – Microsoft Authenticator
  • Self-service setup: Yes
  • Allowed provider: Microsoft Authenticator only

Also confirm that Allow self-service set-up is enabled, as shown in the figure below.

Allow self-service set-up
Allow self-service set-up

If this setting is disabled, users cannot register a passkey from the Security Info page even if Passkey (FIDO2) is enabled.

Step 6: Enable Temporary Access Pass for onboarding and recovery

Temporary Access Pass, or TAP, is optional, but highly recommended for onboarding and recovery.

TAP is useful because it solves the passwordless bootstrap problem. To register a Passkey, the user must first authenticate strongly. If the user does not yet have a strong authentication method available, or if the admin has lost access to their existing method, TAP provides a temporary, controlled way to sign in and register a new Passkey.

You can use TAP for scenarios such as:

  • Initial Passkey registration
  • New administrator onboarding
  • Lost or replaced phone
  • Broken Microsoft Authenticator registration
  • Recovery from failed or missing authentication methods

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Authentication methods > Policies > Temporary Access Pass

Enable TAP for the pilot group:

  • Enable: Yes
  • Target: GRP-Pilot-Passkey-Admins
Temporary Access Pass for Microsoft Authenticator Passkey onboarding
Temporary Access Pass can help bootstrap passwordless authentication methods such as Passkeys

The recommended settings for the admin pilot:

  • Minimum lifetime: 1 hour
  • Maximum lifetime: 8 hours
  • Default lifetime: 1 hour
  • One-time use: Yes
  • Length: 12 characters
Configure Temporary Access Pass settings
Configure Temporary Access Pass settings

TAP should not be treated as a normal user sign-in method. It should be issued only by authorized administrators, used for a specific onboarding or recovery scenario, and monitored.

If all your pilot administrators already have a valid MFA method and can register Microsoft Authenticator Passkey without issue, TAP is not mandatory. However, I still recommend enabling it for the pilot group so that you have a clean recovery path during the rollout.

Step 7: Register a Passkey in Microsoft Authenticator

Now each pilot administrator must register a Microsoft Authenticator Passkey. The preferred registration flow is directly from the Microsoft Authenticator app on your mobile device:

Open Microsoft Authenticator

  • → Select the work or school account
  • → Create passkey

If the account is not already added to Microsoft Authenticator, then open Microsoft Authenticator:

  • → Add account
  • → Work or school account
  • → Sign in
  • → Complete MFA or use Temporary Access Pass
  • → Create passkey

Alternative registration flow through the Security Info page at https://aka.ms/mysecurityinfo

  • → + Add sign-in method
  • → Passkey in Microsoft Authenticator
Register Microsoft Authenticator Passkey in Security Info
Users can register a Passkey from Microsoft Authenticator or Security Info

The recommended naming convention:

  • Authenticator Passkey – iPhone – Admin
  • Authenticator Passkey – Android – Admin
  • Authenticator Passkey – iPhone – Username

After registration, the admin should immediately test sign-in in a private browser session. Learn how to register passkeys in Microsoft Authenticator on Android and iOS.

Step 8: Create the Conditional Access policy

The Passkey profile controls who can register and use Microsoft Authenticator Passkeys. The Conditional Access policy controls who must use phishing-resistant MFA to access cloud resources.

Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Conditional Access > Policies > + New policy

2) Create the policy:

  • Name: CA0##-Admins-AllApps-RequirePhishingResistant_MFA-P2

Users or workload identities

For the pilot, use the group:

  • Include: Users and groups → GRP-Pilot-Passkey-Admins

Exclude emergency access accounts:

  • Exclude: Emergency access group / Break-glass accounts

Do not target All users yet, and do not target Directory roles yet for the first pilot. Once the pilot is validated, you can create a production version targeting privileged directory roles.

Target resources

Configure:

  • Include: All resources / All cloud apps

Conditions

For the first pilot, do not configure risk, platform, location, or device filters.

  • Conditions: Not configured

This keeps the pilot simple and ensures that the policy applies to the sign-in.

Grant controls

Configure:

  • Grant access: Require authentication strength → Phishing-resistant MFA

As shown in the figure below, Require multifactor authentication cannot be selected at the same time. Microsoft Entra does not allow Require authentication strength and Require multifactor authentication to be used together in the same Grant control.

Conditional Access policy requiring phishing-resistant MFA
Use Authentication Strength and select Phishing-resistant MFA for admin access

Enable policy

Start with:

  • Enable policy: Report-only

Save the policy.

Step 9: Test Conditional Access policy in Report-only mode

The report-only mode allows you to validate the policy’s impact before enforcing it. Open a new InPrivate browser session and sign in to https://entra.microsoft.com with the pilot admin account.

Use Microsoft Authenticator Passkey. Then go to:

1) Entra ID > Monitoring & health > Sign-in logs

Open the sign-in event and select the Report only tab. The expected result:

  • Policy name: CA0##-Admins-AllApps-RequirePhishingResistant_MFA-P2
  • Result: Report-only > Success
Conditional Access Report-only success for phishing-resistant MFA
Report-only mode confirms that the policy would succeed before enforcing it

This means the policy matched the sign-in, and the admin satisfied the phishing-resistant MFA requirement.

If the result is Report-only > Not applied, then the policy did not match the sign-in. The common reasons could be:

  • The user is not in the pilot group.
  • The user is excluded from the policy.
  • The target app does not match.
  • A condition such as user risk, sign-in risk, location, or platform is configured and not matched.

In one of my tests, the account was excluded because it was a member of an emergency exclusion group. After removing the normal admin test account from that exclusion group, the policy applied correctly.

Step 10: Enable the Conditional Access policy

After successful Report-only validation, enable the policy. Open the Microsoft Entra admin center and take the following steps:

1) Go to Entra ID > Conditional Access > Policies:

  • Policy name: CA0##-Admins-AllApps-RequirePhishingResistant_MFA-P2

2) Change: Enable policy > On

Save the policy, and keep the policy scoped only to:

  • GRP-Pilot-Passkey-Admins

Do not expand the scope yet.

Step 11: Validate the sign-in logs

After enabling the policy, open a new InPrivate browser session and sign in again to https://entra.microsoft.com with the pilot admin account.

Use Microsoft Authenticator Passkey. Then go to:

1) Entra ID > Monitoring & health > Sign-in logs

Open the sign-in event and select the Conditional Access tab. The expected result:

  • Policy name: CA0##-Admins-AllApps-RequirePhishingResistant_MFA-P2
  • Result: Result > Success
Conditional Access policy success for Microsoft Authenticator Passkey
The Conditional Access policy is now active and successfully enforced

Then open the Authentication details tab. The expected result:

  • Authentication policies applied: Conditional Access, Authentication Strength(s)
  • Succeeded: Yes
  • Requirement: Phishing-resistant MFA
Authentication details showing phishing-resistant MFA satisfied
The sign-in log confirms that the phishing-resistant MFA requirement was satisfied

Sometimes you may see “Previously satisfied“. This means the current session already had a valid authentication claim that satisfied the phishing-resistant MFA requirement.

For a clean test, do the following:

  1. Sign out.
  2. Close all browser windows.
  3. Open a new InPrivate browser session.
  4. Sign in again.
  5. Use Microsoft Authenticator Passkey.
  6. Review the sign-in logs.

You can also test from another browser or revoke the user’s sessions before testing again.

Step 12: Roll out to all users

Once the admin pilot is validated, expand gradually. Recommended rollout waves:

  • Wave 1: IT and Security administrators
  • Wave 2: Helpdesk and support teams
  • Wave 3: High-risk departments such as Finance, HR, and Legal
  • Wave 4: Executives and VIP users
  • Wave 5: All standard users

For standard users, you may choose a different profile depending on your security and user experience requirements. For example:

  • Admins: Device-bound Microsoft Authenticator Passkeys with attestation
  • Standard users: Microsoft Authenticator Passkeys or synced passkeys, depending on the security strategy

You can also use a registration campaign to nudge users to register passkeys.

Before expanding to all users, prepare the following:

  • End-user communication
  • Helpdesk runbook
  • Temporary Access Pass process
  • Recovery process for lost phones
  • Known limitations
  • Mobile OS requirements
  • Monitoring and reporting
  • Registration campaign, if applicable

A controlled rollout reduces the impact on support and allows you to detect registration issues before expanding to the entire organization.

Related article: Strengthen Microsoft 365 To Combat Phishing Threats

Troubleshooting

Even with a clean deployment plan, you may encounter issues during Passkey registration, Conditional Access validation, or sign-in testing. In this section, we will look at the most common issues you may face when enabling Microsoft Authenticator Passkeys in Microsoft Entra ID and how to troubleshoot them.

Conditional Access policy shows “Not applied”

If the policy shows Not applied in the sign-in logs, it means the policy did not match the sign-in event. This is usually caused by one of the following:

  • The user is not included in the policy.
  • The user is excluded from the policy.
  • The user is a member of an emergency access exclusion group.
  • The target cloud app does not match.
  • A condition such as risk, location, platform, or client app is configured and not matched.

Open the sign-in event, go to the Conditional Access or Report only tab, and review the policy details. In my lab, the policy was not applied because the admin test account was part of an emergency exclusion group. After correcting the group membership, the policy applied successfully.

Report-only shows “Failure” or “User action required”

If the policy shows Report-only: Failure or User action required, the policy matched the sign-in, but the user did not satisfy the required grant control.

For this deployment, the user must satisfy:

  • Authentication strength → Phishing-resistant MFA

Make sure the user is signing in with Microsoft Authenticator Passkey, not only Microsoft Authenticator push notification. Push notification can satisfy classic MFA, but it does not provide the same phishing-resistant protection as Passkey/FIDO2.

Passkey registration is not available

If the user cannot register a Passkey, first confirm that the user is included in the Passkey authentication method policy. Check:

Microsoft Entra admin center
→ Protection
→ Authentication methods
→ Policies
→ Passkey (FIDO2)

Verify that:

  • The user is in the targeted group.
  • The correct Passkey profile is assigned.
  • Allow self-service setup is set to Yes.
  • Microsoft Authenticator is installed.
  • The mobile OS is supported.
  • Screen lock is enabled on the device.

If Allow self-service set-up is disabled, users cannot register Passkeys from the Security Info Page even if the method is enabled.

Passkey registration fails when attestation is enabled

If Enforce attestation is enabled in the Passkey profile, users should register the Passkey directly from the Microsoft Authenticator app. If registration fails, verify that:

  • Microsoft Authenticator is up to date.
  • The mobile OS is supported.
  • Screen lock is enabled.
  • The Microsoft Authenticator AAGUIDs are allowed.
  • The device can reach the required attestation services from Microsoft, Apple, or Google.

For a first lab test, you can temporarily disable attestation to reduce registration friction. For production administrator accounts, attestation is recommended for stronger assurance that the Passkey was created by the expected provider.

User is blocked as risky

If the user receives a message stating the account is blocked due to suspicious activity, this usually relates to Microsoft Entra ID Protection, not the Passkey profile itself.

Use another admin account or emergency access account and go to Microsoft Entra admin center:

  • → Identity Protection
  • → Risky users

Review the risk detections. If the activity is legitimate, follow your internal process to dismiss the risk or confirm the user as safe. If you are unsure, treat the account as potentially compromised, reset the password, revoke sessions, and investigate the sign-in activity.

Existing “Require MFA for all users” policy is already applied

Many tenants already have a baseline Conditional Access policy such as Require MFA for all users. This can remain enabled. It is not the same as the new phishing-resistant MFA policy. The baseline policy requires standard MFA. The new policy requires:

  • Authentication strength → Phishing-resistant MFA

A Microsoft Authenticator Passkey should satisfy both requirements. A standard push notification may satisfy only classic MFA, but not the phishing-resistant MFA policy.

In Conclusion

Microsoft Authenticator Passkeys are an important step toward phishing-resistant and passwordless authentication in Microsoft Entra ID.

With Microsoft moving toward system-preferred authentication and passkey profiles, organizations should not wait for the default experience to change unexpectedly. Instead, administrators should take control of the rollout by defining a clear passkey profile strategy, starting with privileged accounts, validating the sign-in experience, and then expanding to all users.

In this article, we looked at how to:

  • Prepare emergency access accounts
  • Create an admin pilot group
  • Configure a strict Microsoft Authenticator Passkey profile
  • Enable Microsoft Authenticator Passkey registration
  • Create a Conditional Access policy requiring phishing-resistant MFA
  • Test the policy in Report-only mode
  • Enable and validate the policy
  • Plan the rollout to all users

That’s it; there you have it. You now have a practical step-by-step approach to enable and roll out Microsoft Authenticator Passkeys in Microsoft Entra ID.

Remember, you can always support us in developing tools and creating content via Why Contribute? – Charbelnemnom.com Cloud & Cybersecurity

__
Thank you for reading our blog.

Please let us know in the comments section below if you have any questions or feedback.

-Charbel Nemnom-

Previous

Successfully Completed the VirtualMetric DataStream Training

Let us know what you think, or ask a question...