Microsoft Entra ID to Extend Passkey (FIDO2) Authentication Methods to Support Public Preview
Microsoft is expanding the number of passkey authentication methods available in Microsoft Entra ID to improve its identity and access management features.
The public preview rollout is scheduled to commence in mid-October 2025, with full deployment expected by mid-November 2025.
This update will introduce granular, group-based control over passkey configurations, marking a substantial advancement in enterprise authentication security and flexibility.
The phased approach will cover all Microsoft environments, including Worldwide, Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) deployments.
The automatic rollout requires no preliminary administrative action, ensuring seamless integration across existing Microsoft Entra ID infrastructures.
The expansion specifically targets the passkey (FIDO2) authentication methods policy, introducing support for passkey profiles that enable administrators to implement differentiated authentication strategies across user groups.
This development represents a significant evolution from the current one-size-fits-all approach to a more nuanced, organization-specific authentication framework.
Enhanced Technical Capabilities and API Schema Changes
The public preview, announced in message “MC1097225”, introduces group-based passkey configuration management, allowing administrators to apply distinct authentication policies to different user cohorts.
Organizations will gain the ability to specify particular FIDO2 security key models for designated user groups while simultaneously enabling Microsoft Authenticator passkeys for alternative user segments.

A critical technical enhancement involves the expansion of WebAuthn-compliant security key acceptance when the “Enforce attestation” setting is disabled.
This modification broadens the ecosystem of supported security keys and passkey providers, increasing interoperability and vendor choice for organizations implementing FIDO2 authentication protocols.
The update introduces new API schema changes that will take effect when organizations modify passkey policies through the Microsoft Azure or Entra portal during the preview period.
However, organizations continuing to utilize Graph API or third-party management tools will experience schema changes only upon General Availability release.
Implementation and Administrative Configuration
The new passkey profile settings will be accessible through the Microsoft 365 admin center navigation path: Home > Security > Authentication methods > Passkey (FIDO2) settings.
This centralized management interface will provide administrators with comprehensive control over WebAuthn authentication parameters and FIDO2 security key attestation requirements.
Organizations should proactively review their current passkey configurations and prepare internal documentation updates to accommodate the enhanced functionality.
While no immediate administrative intervention is required, IT teams are advised to notify relevant stakeholders about the impending changes and assess how group-based passkey policies might optimize their authentication security posture.
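One way to carry out the configuration review suggested above, as an added example that is not from Microsoft or the original article: a Python check over an export of the current tenant-wide passkey (FIDO2) policy. The sample policy is constructed, its field names follow the Microsoft Graph v1.0 fido2AuthenticationMethodConfiguration resource (the schema in place before passkey profiles), and the finding codes are hypothetical labels.

```python
# Constructed sample shaped like the Graph v1.0
# fido2AuthenticationMethodConfiguration resource (pre-profile schema).
SAMPLE_POLICY = {
    "id": "Fido2",
    "state": "enabled",
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "allow", "aaGuids": []},
    "includeTargets": [{"id": "all_users", "targetType": "group"}],
}


def review_fido2_policy(policy):
    """Return (code, message) findings; the codes are hypothetical labels."""
    if policy.get("state") != "enabled":
        return [("DISABLED", "Passkey (FIDO2) method is not enabled.")]
    findings = []
    restrictions = policy.get("keyRestrictions") or {}
    aaguids = restrictions.get("aaGuids") or []
    enforced = bool(restrictions.get("isEnforced"))

    if not policy.get("isAttestationEnforced", False):
        findings.append(("ATTESTATION_OFF",
                         "Attestation is not enforced: a wider range of WebAuthn "
                         "authenticators can register, unverified."))
        if enforced and aaguids:
            # Without attestation the AAGUID is whatever the authenticator reports.
            findings.append(("AAGUID_UNVERIFIED",
                             "AAGUID restrictions rely on a self-reported value "
                             "while attestation is off."))
    if not enforced:
        findings.append(("NO_KEY_RESTRICTIONS",
                         "No AAGUID allow/block list is enforced."))
    elif restrictions.get("enforcementType") == "allow" and not aaguids:
        findings.append(("EMPTY_ALLOW_LIST",
                         "Allow list is enforced but contains no AAGUIDs."))
    if any(t.get("id") == "all_users" for t in policy.get("includeTargets") or []):
        findings.append(("SINGLE_SCOPE",
                         "One configuration covers all users; candidate for "
                         "group-based passkey profiles."))
    return findings


if __name__ == "__main__":
    for code, message in review_fido2_policy(SAMPLE_POLICY):
        print(f"{code}: {message}")
```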
The expansion aligns with Microsoft’s broader commitment to passwordless authentication strategies, leveraging FIDO Alliance standards to enhance security while maintaining user experience simplicity.
As the preview progresses toward General Availability, organizations will benefit from increased authentication flexibility and improved security key vendor diversity within their Microsoft Entra ID environments.