Microsoft Entra ID Now GA: Passkey Profiles & Synced Passkeys for more flexible password‑less security

Microsoft has officially announced the General Availability (GA) of passkey profiles and synced passkeys for Microsoft Entra ID, starting in March 2026. This update, detailed in Message Center post MC1221452, introduces a new, more flexible framework for managing FIDO2 authentication, but it also comes with specific changes and an automatic migration process that all current Passkey (FIDO2) tenants need to understand.

For tenants that already have Passkeys (FIDO2) enabled, Microsoft is migrating the existing, flat configuration to a new schema based on passkey profiles. The core of this change is the introduction of a new passkeyType property, which gives administrators granular control over which types of passkeys users can register: only device-bound passkeys, only synced passkeys, or both.

If your tenant does not opt in to the new experience before the automatic migration window, Microsoft will migrate your settings. Here is exactly what will happen:

1) A “Default” Profile is Created: All your existing Passkey (FIDO2) configurations will be moved into a single, new Default passkey profile. Any user groups you previously targeted will now be assigned to this profile.
2) The passkeyType is Auto-Set: The value of this new property will be determined by your current attestation settings:
– If you currently have enforce attestation enabled, the passkeyType will be set to device-bound allowed.
– If you currently have enforce attestation disabled, the passkeyType will be set to device-bound and synced allowed.
3) Existing Key Restrictions Remain: Any custom key restrictions or authenticator allowlists you have configured will be preserved and moved into the new Default profile.
4) No New Methods Are Enabled: Crucially, this migration does not automatically enable any new authentication methods that were not already in use.
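As an added example (not from Microsoft or the original post), the following Python models the four migration rules as a dry run over a configuration shaped like the current Graph fido2AuthenticationMethodConfiguration resource (isAttestationEnforced, keyRestrictions, includeTargets); the resulting profile's field names other than passkeyType are assumptions, and the sample values are constructed.

```python
# Dry-run of the four migration rules above. Illustrative code, not Microsoft's:
# the input mirrors the existing Graph fido2AuthenticationMethodConfiguration
# resource; the output profile shape (beyond the passkeyType values quoted in
# MC1221452) is an assumption.
import copy

DEVICE_BOUND_ONLY = "device-bound allowed"                  # passkeyType values from
DEVICE_BOUND_AND_SYNCED = "device-bound and synced allowed"  # the announcement


def predict_default_profile(fido2_config: dict) -> dict:
    """Apply the migration rules to a flat Passkey (FIDO2) configuration."""
    # Rule 2: passkeyType follows the current enforce-attestation setting.
    if fido2_config.get("isAttestationEnforced"):
        passkey_type = DEVICE_BOUND_ONLY
    else:
        passkey_type = DEVICE_BOUND_AND_SYNCED
    return {
        # Rule 1: a single "Default" profile receives the existing group targets.
        "displayName": "Default",
        "includeTargets": copy.deepcopy(fido2_config.get("includeTargets", [])),
        "passkeyType": passkey_type,
        # Rule 3: key restrictions / AAGUID lists carry over unchanged.
        "keyRestrictions": copy.deepcopy(fido2_config.get("keyRestrictions", {})),
        # Rule 4: nothing new is enabled; the method state is copied as-is.
        "state": fido2_config.get("state", "disabled"),
    }


def migration_findings(fido2_config: dict) -> list:
    """Review notes an admin would want before the migration window opens."""
    profile = predict_default_profile(fido2_config)
    notes = []
    if profile["passkeyType"] == DEVICE_BOUND_AND_SYNCED:
        notes.append("attestation not enforced: Default profile will allow synced passkeys")
    kr = profile["keyRestrictions"]
    if kr.get("isEnforced") and kr.get("aaGuids"):
        notes.append(f"{kr.get('enforcementType')} list of {len(kr['aaGuids'])} AAGUID(s) preserved")
    if not profile["includeTargets"]:
        notes.append("no include targets: Default profile would apply to no one")
    return notes


# Constructed sample in the shape of the current Graph resource (values made up).
SAMPLE_CONFIG = {
    "state": "enabled",
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                        "aaGuids": ["00000000-0000-0000-0000-000000000000"]},
    "includeTargets": [{"targetType": "group", "id": "<group-object-id>"}],
}
```

Running `migration_findings` against a tenant's exported FIDO2 configuration shows which passkeyType the Default profile would receive and whether any allowlists or targets would be lost, before the automatic window opens.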

There is also a significant change for tenants using Microsoft-managed registration campaigns: once passkey profiles are in place, a campaign left in the Microsoft-managed state will start targeting passkeys, so tenants that do not want this must change the campaign state (see the recommendations below).

The rollout is staged to ensure a smooth transition, with separate windows for Worldwide tenants and for GCC, GCC High, and DoD tenants.

To ensure the final configuration matches your security requirements, Microsoft recommends the following steps before your tenant’s automatic migration window begins:

1) Opt In Early: Review the timeline and proactively opt in to the passkey profiles experience. This allows you to configure the settings manually rather than accepting the migration defaults.
2) Configure the passkeyType: Decide if your Default profile should allow only device-bound passkeys, only synced passkeys, or both, and set the value accordingly.
3) Review Registration Campaigns: If you use Microsoft-managed campaigns and do not want the campaign to target passkeys, you must take action. You can either:
– Switch the registration campaign state to “Enabled” and continue targeting Microsoft Authenticator manually, or
– Set the registration campaign state to “Disabled.”
4) Update Internal Documentation: Revise your help desk runbooks and end-user guides to reflect any changes in passkey availability or the registration experience.

The GA of passkey profiles represents a major step forward in making passwordless authentication both more secure and more usable.