check before: 2025-11-01
Product:
Entra, Microsoft 365 admin center, Microsoft Graph
Platform:
Developer, Online, US Instances, Web, World tenant
Status:
Change type:
Admin impact, Feature update, Retirement, Updated message, User impact
Links:
Details:
Summary:
In November 2025, Microsoft Entra ID will preview passkey profiles in the authentication methods policy, enabling group-based passkey controls and new API schema. Rollout occurs worldwide early November and GCC mid-November. No admin action is needed before rollout; admins should review configurations and update documentation.
Details:
Updated November 5, 2025: We have updated the timeline for Preview and the content below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes.
[When this will happen:]
Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025 (previously early December).
Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-06-18
updated:
2025-11-06
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
Pictures
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Authentication Method Changes
Users may face issues with authentication if their current security keys are not compatible with the new passkey profiles, leading to potential access problems.
- roles: End Users, IT Support
- references: https://learn.microsoft.com/entra/identity/authentication/concept-fido2-hardware-vendor#attestation-requirements
User Experience Disruption
The introduction of group-based passkey controls may confuse users if they are not informed about the changes, leading to frustration and decreased productivity.
- roles: End Users, System Administrators
- references: https://learn.microsoft.com/entra/identity/authentication/how-to-enable-passkey-fido2
Documentation and Training Gaps
Without prior preparation, existing documentation may become outdated, causing users to rely on incorrect information regarding the new authentication methods.
- roles: IT Support, Training Coordinators
- references: https://learn.microsoft.com/entra/identity/authentication/how-to-enable-passkey-fido2
Increased Support Tickets
The rollout may lead to an increase in support tickets related to authentication issues, overwhelming the IT support team if they are not prepared.
- roles: IT Support, Help Desk Staff
- references: https://learn.microsoft.com/entra/identity/authentication/concept-fido2-hardware-vendor#attestation-requirements
Security Compliance Risks
If the new passkey configurations are not properly reviewed, there may be compliance risks associated with the use of unapproved security keys.
- roles: Compliance Officers, IT Security
- references: https://learn.microsoft.com/entra/identity/authentication/how-to-enable-passkey-fido2
Configutation Options**
XXXXXXX ... paid membership only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-11-06 | MC Messages | Updated October 20, 2025: We have updated the rollout timelines and content below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. [When this will happen:] Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by early December 2025. Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025. | Updated November 5, 2025: We have updated the timeline for Preview and the content below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. [When this will happen:] Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025 (previously early December). Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025. |
| 2025-11-06 | MC How Affect | After this rollout, you'll be able to apply different passkey configurations per user group. For example, you will be able to:
Allow the use of specific FIDO2 security key models for user group A Allow the use of passkeys in Microsoft Authenticator for user group B Important: If your organization opts-in to the new admin UX and modifies the Default passkey profile, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability. These new settings will be available at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings: As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements: "none" "tpm" "packed" (AttCA type only) Custom attestation formats ≤ 32 characters This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors | After this rollout, you'll be able to apply different passkey configurations per user group. For example, you will be able to:
Allow the use of specific FIDO2 security key models for user group A Allow the use of passkeys in Microsoft Authenticator for user group B Important: If your organization opts-in to the new admin UX, a Default passkey profile will automatically be populated with your existing policy configurations. Once you modify and save the Default passkey profile, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability. These new settings will be available at Entra admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings: As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements: "none" "tpm" "packed" (AttCA type only) Custom attestation formats ≤ 32 characters "packed" (self) should be deployed from early January 2026 to early February 2026 This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors |
| 2025-11-06 | MC Last Updated | 10/20/2025 17:40:54 | 2025-11-06T00:44:51Z |
| 2025-11-06 | MC Summary | In November 2025, Microsoft Entra ID will support passkey profiles in public preview, enabling group-based passkey configurations and new API schema changes. Rollout occurs worldwide early November to December, with GCC regions mid-November to mid-December. No admin action is needed before rollout. | In November 2025, Microsoft Entra ID will preview passkey profiles in the authentication methods policy, enabling group-based passkey controls and new API schema. Rollout occurs worldwide early November and GCC mid-November. No admin action is needed before rollout; admins should review configurations and update documentation. |
| 2025-10-21 | MC Messages | Updated October 15, 2025: We have updated the rollout timelines below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. [When this will happen:] Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by early December 2025. Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025. | Updated October 20, 2025: We have updated the rollout timelines and content below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. [When this will happen:] Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by early December 2025. Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025. |
| 2025-10-21 | MC How Affect | After this rollout, you'll be able to apply different passkey configurations per user group. For example, you will be able to:
Allow the use of specific FIDO2 security key models for user group A Allow the use of passkeys in Microsoft Authenticator for user group B Important: If your organization modifies the passkey policy via the Microsoft Azure or Entra portal during preview, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability. These new settings will be available at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings: As part of this update in November 2025, we will start accepting any WebAuthn-compliant security key or passkey provider when Enforce attestation is disabled. This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors | After this rollout, you'll be able to apply different passkey configurations per user group. For example, you will be able to:
Allow the use of specific FIDO2 security key models for user group A Allow the use of passkeys in Microsoft Authenticator for user group B Important: If your organization opts-in to the new admin UX and modifies the Default passkey profile, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability. These new settings will be available at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings: As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements: "none" "tpm" "packed" (AttCA type only) Custom attestation formats ≤ 32 characters This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors |
| 2025-10-21 | MC Last Updated | 10/15/2025 20:11:40 | 2025-10-20T17:40:54Z |
| 2025-10-21 | MC prepare | This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to review your current passkey configuration, notify your admins about this change, and update internal documentation.
Learn more about passkeys in Microsoft Entra ID: Enable passkeys for your organization - Microsoft Entra ID | Microsoft Learn (will be updated before rollout) https://learn.microsoft.com/entra/identity/authentication/concept-fido2-hardware-vendor#attestation-requirements https://learn.microsoft.com/entra/identity/authentication/how-to-enable-passkey-fido2 https://www.w3.org/TR/webauthn-2/#sctn-defined-attestation-formats | This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to review your current passkey configuration, notify your admins about this change, and update internal documentation.
Learn more about passkeys in Microsoft Entra ID: Enable passkeys for your organization - Microsoft Entra ID | Microsoft Learn (will be updated before rollout) https://learn.microsoft.com/entra/identity/authentication/concept-fido2-hardware-vendor#attestation-requirements https://learn.microsoft.com/entra/identity/authentication/how-to-enable-passkey-fido2 |
| 2025-10-21 | MC Summary | In November 2025, Microsoft Entra ID will support passkey profiles in public preview, enabling group-based passkey configurations and new API schema changes. Rollout occurs worldwide early November to December and mid-November to mid-December for GCC environments. No admin action is needed before rollout. | In November 2025, Microsoft Entra ID will support passkey profiles in public preview, enabling group-based passkey configurations and new API schema changes. Rollout occurs worldwide early November to December, with GCC regions mid-November to mid-December. No admin action is needed before rollout. |
| 2025-10-15 | MC Messages | In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes.
[When this will happen:] Public Preview (Worldwide, GCC, GCC High, DoD): We will begin rolling out mid-October 2025 and expect to complete by mid-November 2025. We will update this message when the plan for General Availability is finalized. | Updated October 15, 2025: We have updated the rollout timelines below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. [When this will happen:] Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by early December 2025. Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025. |
| 2025-10-15 | MC Title | Microsoft Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) | (Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) |
| 2025-10-15 | MC Last Updated | 06/18/2025 00:19:42 | 2025-10-15T20:11:40Z |
| 2025-10-15 | MC MessageTagNames | Feature update, User impact, Admin impact, Retirement | Updated message, Feature update, User impact, Admin impact, Retirement |
| 2025-10-15 | MC Summary | In November 2025, Microsoft Entra ID will expand the passkey (FIDO2) authentication methods policy to support passkey profiles in public preview, allowing group-based control over configurations. The rollout will start mid-October 2025 and complete by mid-November 2025. No admin action is required before the rollout. | In November 2025, Microsoft Entra ID will support passkey profiles in public preview, enabling group-based passkey configurations and new API schema changes. Rollout occurs worldwide early November to December and mid-November to mid-December for GCC environments. No admin action is needed before rollout. |
Last updated 4 weeks ago ago
