Services
Summary
Starting April 2026, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method, enabling phishing-resistant credentials. Eligible Microsoft 365 tenants can opt users into Passkey registration nudges during sign-in. Changes will roll out gradually, affecting MFA-capable users with specific policy settings.
Details
Introduction
As previously announced in MC1221452, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.
When this will happenÂ
General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete in late May 2026.
How this affects your organization
Who is affected
- Microsoft 365 tenants using Microsoft Registration Campaigns
- Tenants configured in either Microsoft‑managed or Enabled states
- Users who are MFA‑capable and eligible for Passkeys (FIDO2)
What will happen
Microsoft‑managed state
Your tenant will be impacted when all of the following conditions are met:
- The Passkeys (FIDO2) authentication method policy is enabled.
- Allow self‑service setup is enabled.
- Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
- The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
When these conditions are met, the following settings will update automatically:
- The targeted authentication method will change from Microsoft Authenticator to Passkeys (FIDO2).
- Days allowed to snooze will change from three days to one day. (This setting will no longer be configurable.)
- Limit number of snoozes will be disabled. (This setting will no longer be configurable.)
- Targeting will expand to all MFA‑capable users. (This setting will no longer be configurable.)
- Default user targeting will change from voice call or text message users to all multifactor authentication (MFA)–capable users.
Affected users will receive Passkey registration nudges at sign‑in after completing MFA.
We will roll out these changes incrementally over time to in‑scope tenants.
Enabled state
Passkey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state.Â
Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously.
What you can do to prepare
Opting into Passkey Registration Nudges:
You can opt into Passkeys and switch your users to receive a Passkey registration nudge. However, the nudge will only appear for the user if all of the following conditions are met:Â
- The user is MFA‑capable
- They have at least one registered MFA method
- They can successfully complete MFA at sign‑in
- Under Authentication methods > Policies, the user is in scope for Passkeys (FIDO2)
- Under Authentication methods > Policies > Passkeys (FIDO2) > Configure, make sure you have Allow self-service set up checked.Â
Important Guidance:
Microsoft Managed State:We will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately.Â
Enabled StateÂ
Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal. Â
Using Passkeys Despite Restrictions
You can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.
Example:Â
If a user is scoped into specific AAGUID synced passkeys only, they may see a Passkey nudge at sign‑in. If they attempt to register a device‑bound passkey, the registration will fail because they are not in scope for that passkey type.Â
Recommended next steps
- Review your Registration Campaign state by early April 2026.
- Communicate this change to helpdesk or support teams.
- Update internal documentation on authentication method enrollment.
- If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.