MC1221452 - Microsoft Entra ID: Auto-enabling passkey profiles

Introduction

Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.

The passkeyType property enables admins to configure:

Device-bound passkeys
Synced passkeys
Both

If a tenant does not opt in to passkey profiles during the initial rollout window, the new schema will be automatically enabled at the date range specified below. When this occurs:

Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.
The passkeyType value will be set based on the tenantâ€™s current attestation settings.
For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys.

When this will happen

General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026.
- Automatic enablement for tenants that have not yet opted in (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026.
General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026.
- Automatic enablement for tenants that have not yet opted in (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026.

How this affects your organization

Who is affected: All Microsoft Entra ID tenants

What will happen:

If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.

Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
New passkeyType property will be auto-populated
- If enforce attestation is enabled, then device-bound allowed
- If enforce attestation is disabled, then device-bound and synced allowed
Any existing key restrictions will remain intact
Any existing user targets will be assigned to the Default passkey profile

Registration Campaign behavior (Microsoft-managed campaigns only)

For tenants where synced passkeys are enabled, if your registration campaign is set to Microsoft-managed:
- The targeted authentication method will be updated from Microsoft Authenticator to passkeys.
- The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users.
- The settings Limited number of snoozes and Days allowed to snooze will no longer be configurable. These will be set to allow unlimited snoozes with a one-day reminder cadence.

What you can do to prepare

If you want a configuration different from the migration defaults, review the timeline above and opt in to passkey profiles before your tenantâ€™s automatic enablement window begins. Then configure the Default passkey profileâ€™s passkeyType to your preferred values.

We also recommend:

Review your registration campaign configuration, especially if its set to Microsoft-managed. If you want synced passkeys enabled in your tenant but do not want registration campaign to target passkeys, you can:
- Switch the registration campaign state to Enabled and continue targeting Microsoft Authenticator, or
- Set the registration campaign state to Disabled.
Update runbooks and help content so your help desk and end users understand any changes in passkey availability or behavior.

Learn more:

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.