Entra Passkey Rollout Guide

Key insights

• Entra registration campaigns now nudge users to register Passkeys (FIDO2) as well as Microsoft Authenticator.
  These sign-in prompts encourage stronger, phishing-resistant authentication during the normal login flow.
• General availability (April–May 2026) began in early April and completes by late May 2026, with a phased rollout across global and special cloud tenants.
  Organizations should expect staged availability depending on their cloud environment.
• Microsoft-managed mode can perform an automatic method switch from Authenticator to passkeys at sign-in after a user completes MFA.
  This lets the campaign present a passkey registration nudge without manual targeting changes.
• Authentication methods policy must enable Passkeys and users must be MFA-capable and in scope for Passkeys (FIDO2).
  Also ensure Allow self-service setup for Passkeys is enabled so the nudge appears.
• Snooze policy changes make Microsoft-managed campaigns less configurable: snoozes are fixed to 1 day and the previous limited-snooze option is removed.
  Admins will have fewer controls once passkey behavior is active.
• Practical benefit: campaigns help organizations adopt phishing-resistant credentials at scale by guiding users to passkeys and by using new passkey profiles and automatic enablement features.
  This reduces the need for separate rollout projects to move users away from weaker methods.

Keywords

Entra passkey, Passkey registration, Microsoft Entra passkeys, Passkey rollout campaign, Passwordless authentication Entra, Entra passkey deployment, Passkey enrollment guide, Entra ID passkey setup