Microsoft Entra ID: Auto-enabling passkey profiles

Starting March 2026, Microsoft Entra ID will auto-enable passkey profiles with a new passkeyType property for device-bound and synced passkeys. Tenants not opting in will be migrated automatically, with existing settings preserved. Microsoft-managed registration campaigns will update targeting to passkeys. Preparation and configuration before rollout are recommended. Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property. The passkeyType property enables admins to configure: Device-bound passkeys Synced passkeys Both If a tenant does not opt in to passkey profiles during the initial rollout window, the new schema will be automatically enabled at the date range specified below. When this occurs:  Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.  The passkeyType value will be set based on the tenant’s current attestation settings. For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys. When this will happen General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026. Automatic enablement for tenants that have not yet opted in (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026. General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026. Automatic enablement for tenants that have not yet opted in (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026.  How this affects your organization Who is affected: All Microsoft Entra ID tenants What will happen: If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles. Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile New passkeyType property will be auto-populated If enforce attestation is enabled, then device-bound allowed If enforce attestation is disabled, then device-bound and synced allowed Any existing […]

The post Microsoft Entra ID: Auto-enabling passkey profiles appeared first on M365 Admin.