Starting March 2026, Microsoft Entra ID will automatically enable passkey profiles and introduce support for synced passkeys.
Passkey profiles move into general availability
The update brings passkey profiles and synced passkeys into general availability. Administrators gain access to a new passkey profiles experience that supports group-based configuration. This allows security teams to apply passkey policies to specific user groups instead of managing settings at a tenant-wide level.
At the center of the change is a new property called passkeyType. This setting lets administrators define which types of passkeys users can register. Options include device-bound passkeys, synced passkeys, or a combination of both. The setting applies at the passkey profile level, giving organizations more control over how passkeys are used within their environments.
Automatic migration for tenants that do not opt in
Microsoft plans a staged rollout. Organizations can opt in to the new passkey profiles experience during the initial rollout window. Tenants that do not opt in will move to the new schema automatically during a later migration period.
When the automatic migration takes place, existing FIDO2 passkey authentication method settings will move into a default passkey profile. The passkeyType value for that profile will be set based on the tenant’s current attestation configuration.
Tenants that already allow synced passkeys will also see changes to Microsoft-managed registration campaigns. These campaigns will update their targeting to include passkeys as part of the registration flow.
Microsoft has not indicated that administrators need to take immediate action. Organizations can review their current FIDO2 and passkey settings ahead of the March 2026 timeline and decide whether to opt in early or allow the automatic transition to proceed.