Microsoft Entra ID to auto-enable passkey profiles and synced passkeys in March 2026

Microsoft Entra ID will start auto-enabling passkey profiles and adding support for synced passkeys from March 2026. This major update will transition the service to a new schema that includes a dedicated property for managing different passkey types. Organizations that don’t manually opt in to the new experience will be automatically migrated to the passkey profile system. During this switch, existing FIDO2 authentication configurations will be moved into a new default profile, ensuring service continuity.

This update will introduce a passkeyType property that lets admins permit device-bound passkeys, synced passkeys, or both. This granular control will help to support group-based configuration rather than applying a single policy to the entire tenant. The Redmond giant said that tenants enforcing attestation will default to device-bound passkeys, while those without enforcement will allow both types. If you have any existing key restrictions or user targets in place, they will remain intact during the transition to the new default profile.
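As a pre-migration check, the defaulting rule described above can be applied to an export of the tenant's current FIDO2 policy. This is an added example, not Microsoft's code: the input field names follow the Microsoft Graph fido2AuthenticationMethodConfiguration resource, while the output shape and the `deviceBound`/`synced` labels are assumptions, since the article names only the `passkeyType` property.

```python
import copy
import json

# Constructed sample export. Field names follow the Microsoft Graph
# fido2AuthenticationMethodConfiguration resource; the values are made up.
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isAttestationEnforced": false,
  "keyRestrictions": {"isEnforced": true, "enforcementType": "allow",
                      "aaGuids": ["00000000-0000-0000-0000-000000000001"]},
  "includeTargets": [{"targetType": "group", "id": "all_users"}]
}
""")


def predict_default_profile(policy):
    """Apply the article's defaulting rule to the current FIDO2 policy."""
    attested = bool(policy.get("isAttestationEnforced"))
    # Attestation enforced -> device-bound only; otherwise both types.
    # The "deviceBound"/"synced" labels are assumed, not confirmed values.
    types = ["deviceBound"] if attested else ["deviceBound", "synced"]
    return {
        "passkeyType": types,
        # Key restrictions and user targets carry over unchanged.
        "keyRestrictions": copy.deepcopy(policy.get("keyRestrictions")),
        "includeTargets": copy.deepcopy(policy.get("includeTargets", [])),
    }


def review_findings(policy):
    """List the points an admin should review before automatic migration."""
    profile = predict_default_profile(policy)
    findings = []
    if "synced" in profile["passkeyType"]:
        findings.append("attestation not enforced: default profile allows synced passkeys")
        findings.append("Microsoft-managed registration campaigns shift to passkeys")
    restrictions = profile["keyRestrictions"] or {}
    if restrictions.get("isEnforced"):
        findings.append("%d AAGUID restriction(s) carry over as '%s'" % (
            len(restrictions.get("aaGuids", [])), restrictions.get("enforcementType")))
    return findings


if __name__ == "__main__":
    for line in review_findings(SAMPLE_POLICY):
        print("-", line)
```

A tenant that wants to stay device-bound only would either enforce attestation before the automatic migration or opt in manually and set the profile itself.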

Microsoft-managed registration campaigns will shift their focus from Microsoft Authenticator to passkeys for tenants where synced passkeys are enabled. This also expands the default target audience for these campaigns to include all users capable of multi-factor authentication. Admin control over registration prompts will also become simpler thanks to the removal of the “limited number of snoozes” and “days allowed to snooze” configuration settings. Instead, there will be a move to a standard model that allows unlimited snoozes with a one-day reminder frequency.

This move aligns with a broader industry trend away from passwords and toward passkeys, which can be more secure because, unlike passwords, they are not reused across websites and are phishing-resistant. We are seeing them get switched on across consumer ecosystems as an alternative to passwords, rather than a complete replacement. Microsoft is making these changes to give enterprises more flexible deployment options, replacing older FIDO2 management with a more scalable profile-based architecture.

The General Availability global rollout will begin in early March 2026. Automatic enablement for non-opted-in tenants is also scheduled to begin in April 2026. Government cloud environments such as GCC, GCC High, and DoD will follow a delayed schedule, with automatic migration happening in June 2026. You can find more information in the Microsoft Admin Center via Message ID MC1221452.
