Services
Summary
Microsoft Entra passkeys on Windows enable phishing-resistant, passwordless sign-in using Windows Hello on Entra-protected resources, including unmanaged devices. Public preview starts mid-March 2026. Organizations must opt in and configure policies to enable this feature; no impact occurs without activation.
Details
Introduction
We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). It also expands passwordless authentication to Windows devices that aren’t Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords.
When this will happen
- Public preview: Rolling out from mid-March 2026 through late April 2026
- General Availability
- Worldwide: Mid‑March 2026 to mid‑April 2026
- GCC: Mid-April 2026 to mid-May 2026
- GCC High: Mid-April 2026 to mid-May2026
- DoD: Mid-April 2026 to Mid-May 2026
How this affects your organization
Who is affected
- Organizations using Microsoft Entra ID whose users sign in from Windows devices, including corporate‑managed, personal, and shared PCs.
What will happen
- There is no impact to your organization unless you opt in.
- Microsoft Entra passkeys on Windows will be available as a phishing‑resistant, passwordless sign‑in option for Entra‑protected cloud resources.
- Users will authenticate with Windows Hello (face, fingerprint, or PIN).
- Users can use passkeys on Windows devices that are not Entra‑joined or registered, enabling use on personal, shared, and unmanaged PCs.
- Users can sign-in to multiple Entra accounts on the same Windows device, with each account registering its own passkey.
- Passkeys on Windows are device‑bound and do not sync across devices; each device requires separate registration per Entra account.
- Windows Hello for Business remains recommended for managed, Entra‑joined or registered devices; passkeys supplement unmanaged device scenarios and do not support device sign‑in.
- Existing Conditional Access and authentication strength policies continue to apply with no required configuration changes unless you choose to enable passkeys.
- Users can’t register a passkey on Windows if a Windows Hello for Business credential already exists for the same account and container. This block may not apply once the user exceeds 50 total credentials across passkeys (FIDO2), Windows Hello for Business, and Mac Platform Credentials. Â
What you can do to prepare
If you want to enable Entra passkeys on Windows during public preview:
- Enable the Passkeys (FIDO2) authentication method in Authentication Methods policies.
- Create a passkey profile and configure:
- Attestation enforcement: Disabled
- Key restrictions: Enabled
- Allowed AAGUIDs (required during preview):
- Windows Hello Hardware Authenticator:
08987058-cadc-4b81-b6e1-30de50dcbe96 - Windows Hello VBS Hardware Authenticator:
9ddd1817-af5a-4672-a2b9-3e3dd95000a9 - Windows Hello Software Authenticator:
6028b017-b1d4-4c02-b4b3-afcdafc96bb2 - Note: During Public Preview, you must explicitly add these Windows Hello AAGUIDs to the allowed list.
- Windows Hello Hardware Authenticator:
- Assign the passkey profile to appropriate groups.
- Validate Conditional Access and authentication strengths policies to ensure they support passkey authentication.
- Communicate with pilot users about supported scenarios and enrollment steps.
- Update internal documentation if your organization tracks approved authentication methods.
If you do not plan to participate in the public preview, no action is required.
Compliance considerations
No compliance considerations identified, review as appropriate for your organization.