
Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com
In a recent YouTube episode produced by Merill Fernando, Microsoft’s upcoming change to automatically enable passkey profiles in Microsoft Entra ID starting March 2026 takes center stage. The video features Microsoft MVPs Daniel Bradley and Ewelina Paczkowska, who walk viewers through the practical and technical implications for administrators. They explain how unattended migrations could alter current authentication setups and registration campaigns, and they highlight new controls that admins must understand before the rollout. Consequently, the episode serves as both a warning and a how-to guide for IT teams preparing for the change.
First, administrators should inventory existing FIDO2 configurations and active registration campaigns, because Microsoft will convert those settings into a default passkey profile if a tenant does not opt in beforehand. Next, teams should decide which users or groups should receive early pilot profiles and configure the new passkeyType setting to allow or restrict device-bound passkeys and synced passkeys. They should also review Conditional Access policies, since enforcement behavior and resource exclusions may change after passkeys are auto-enabled. Testing in a controlled pilot group will therefore reduce surprises when the wider migration begins.
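The following is an added example, not code from the video or from Microsoft, that performs the inventory step described above against a tenant: it reads the tenant-wide FIDO2 method configuration, the registration campaign, and the Conditional Access policies that grant access through an authentication strength. It assumes the Microsoft Graph PowerShell SDK, the Policy.Read.All permission, and the Graph v1.0 endpoints; the new passkey profile and passkeyType objects are not queried because their schema is not given here.

```powershell
# Added example (not from the video or Microsoft): pre-migration inventory of the
# settings the episode says admins should review before passkey profiles are
# auto-enabled. Assumes the Microsoft.Graph PowerShell SDK and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$graph = "https://graph.microsoft.com/v1.0"

# 1. Tenant-wide FIDO2 authentication method configuration: the settings that
#    get converted into a default passkey profile if the tenant does not opt in.
$fido2 = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

[pscustomobject]@{
    State                   = $fido2.state
    SelfServiceRegistration = $fido2.isSelfServiceRegistrationEnabled
    AttestationEnforced     = $fido2.isAttestationEnforced
    KeyRestrictionsEnforced = $fido2.keyRestrictions.isEnforced
    KeyRestrictionType      = $fido2.keyRestrictions.enforcementType
    AllowedAaguids          = ($fido2.keyRestrictions.aaGuids -join ", ")
    IncludeTargets          = ($fido2.includeTargets |
        ForEach-Object { "$($_.targetType):$($_.id)" }) -join ", "
} | Format-List

# 2. Active registration campaign, which the migration may also alter.
$policy   = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationMethodsPolicy"
$campaign = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign

[pscustomobject]@{
    CampaignState   = $campaign.state
    SnoozeDays      = $campaign.snoozeDurationInDays
    CampaignTargets = ($campaign.includeTargets | ForEach-Object {
        "$($_.targetType):$($_.id) -> $($_.targetedAuthenticationMethod)" }) -join ", "
} | Format-List

# 3. Conditional Access policies that grant access via an authentication strength.
#    These are the policies whose enforcement may change once passkey types change,
#    so they belong on the pilot-group test plan.
$caPolicies = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies").value
$caPolicies |
    Where-Object { $_.grantControls.authenticationStrength } |
    Select-Object displayName, state,
        @{ n = "AuthStrength"; e = { $_.grantControls.authenticationStrength.displayName } } |
    Format-Table -AutoSize
```

Save the three outputs before the March 2026 rollout so the post-migration state can be diffed against a known baseline.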
The video breaks down how passkey profiles replace tenant-wide FIDO2 settings with group-targeted authentication methods, giving admins finer control over who can use which passkey type. Under the hood, passkeys rely on FIDO2/WebAuthn standards, so private keys remain on devices while public keys register with the service, and attestation settings determine whether only device-bound keys are permitted. Moreover, Microsoft’s support for cloud-synced passkeys introduces convenience, but it also raises questions about cross-device key management and backup strategies. Thus, administrators must balance these options based on security posture and user needs.
Adopting device-bound passkeys increases security because keys cannot be exported or synced, which reduces phishing and account takeover risks; however, this approach can hinder users who need seamless access across multiple devices. In contrast, synced passkeys improve user convenience by allowing cross-device sign-in, yet they require strong cloud protections and increased monitoring to prevent broader exposure. Furthermore, the automatic nature of Microsoft’s migration creates an operational challenge: without timely configuration, admins may face changes to app registration behavior and registration campaigns that impact user sign-in flows. Consequently, teams need to weigh convenience against defense-in-depth and prepare incident response plans that reflect both scenarios.
The YouTube discussion draws attention to features that affect incident response, including the ability to deactivate app registrations and the availability of more detailed service principal creation audit logs. These capabilities can substantially speed containment of compromised credentials or rogue app registrations, but they also require updated runbooks and alerting rules to leverage effectively. Additionally, the general availability of conversion for Source of Authority in hybrid environments and the strengthened sync hardening protections aim to reduce account takeover attacks, although converting authority can be complex in large or heavily customized directories. Therefore, security teams must plan carefully and validate their monitoring to ensure these protections work as intended.
As a practical next step, administrators should set up a pilot group to validate passkey behavior and adjust Conditional Access policies and registration campaigns before the tenant-wide migration. They should also enable and review service principal creation logs, update incident response playbooks to cover app registration deactivation, and document decisions about allowing synced passkeys versus enforcing device-bound passkeys. Finally, they should communicate the changes clearly to end users and support teams so that enrollment and recovery processes remain smooth; good communication reduces helpdesk load and improves adoption. In summary, proactive preparation will let organizations gain the benefits of passwordless authentication while managing the tradeoffs and operational challenges the video highlights.