Microsoft Entra passkeys on Windows now support phishing-resistant sign-in

Microsoft Entra passkeys on Windows enable phishing-resistant, passwordless sign-in using Windows Hello on Entra-protected resources, including unmanaged devices. Public preview starts mid-March 2026. Organizations must opt in and configure policies to enable this feature; no impact occurs without activation. We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). It also expands passwordless authentication to Windows devices that aren’t Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords. When this will happen Public preview: Rolling out from mid-March 2026 through late April 2026 General Availability Worldwide: Mid‑March 2026 to mid‑April 2026 GCC: Mid-April 2026 to mid-May 2026 GCC High: Mid-April 2026 to mid-May2026 DoD: Mid-April 2026 to Mid-May 2026 How this affects your organization Who is affected Organizations using Microsoft Entra ID whose users sign in from Windows devices, including corporate‑managed, personal, and shared PCs. What will happen There is no impact to your organization unless you opt in. Microsoft Entra passkeys on Windows will be available as a phishing‑resistant, passwordless sign‑in option for Entra‑protected cloud resources. Users will authenticate with Windows Hello (face, fingerprint, or PIN). Users can use passkeys on Windows devices that are not Entra‑joined or registered, enabling use on personal, shared, and unmanaged PCs. Users can sign-in to multiple Entra accounts on the same Windows device, with each account registering its own passkey. Passkeys on Windows are device‑bound and do not sync across devices; each device requires separate registration per Entra account. Windows Hello for Business remains recommended for managed, Entra‑joined or registered devices; passkeys supplement unmanaged device scenarios and do not support device sign‑in. Existing Conditional Access and authentication strength policies continue to apply with no required configuration changes unless you choose to enable passkeys. Users can’t register a passkey on Windows if a Windows Hello for Business credential already exists for the same account and container. This block may not apply once the user exceeds 50 total credentials across passkeys (FIDO2), Windows Hello […]

The post Microsoft Entra passkeys on Windows now support phishing-resistant sign-in appeared first on M365 Admin.