Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy

Introduction

Starting October 2027 and ending November 2027, we will retire the isAttestationEnforced and keyRestrictionsproperties from the existing fido2AuthenticationMethodConfiguration API schema. This change aligns with the latest update to the passkey policy API schema, which introduces support for granular group-based configurations with passkey profiles.

During the retirement period, isAttestationEnforced and keyRestrictions will remain in sync with their counterparts attestationEnforcement and keyRestrictions within the Default passkey profile.

When this will happen 

Retirement begins in mid-October 2027 and is expected to complete by early November 2027.

How this affects your organization:

You are receiving this message because our reporting indicates your organization may be using this feature.

Who is affected: Admins managing FIDO2 authentication configurations and any custom automations or third-party integrations using these properties.

What will happen

• isAttestationEnforced and keyRestrictions properties will be retired.
• New properties are available in the updated passkey policy API schema.
• Existing properties will sync with new ones during the transition period.
• Automations or integrations using retired properties will stop working after the change.

What you can do to prepare

• Review your current configuration.
• Update any custom automations and third-party integrations to support the new schema.
• Notify your admins and update internal documentation.

Screenshot - The read arrows indicate the properties to be retired:

Learn more: fido2AuthenticationMethodConfiguration resource type | Microsoft Graph | Microsoft Learn

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.