MC1221452 – Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants

check before: 2026-03-01

Product:

Entra

Platform:

Online, US Instances, World tenant

Status:

Change type:

Admin impact, New feature, Updated message, User impact

Summary:
Starting March 2026, Microsoft Entra ID will GA passkey profiles and synced passkeys for tenants with Passkeys (FIDO2) enabled. Existing configurations migrate to a Default passkey profile with a new passkeyType property. Automatic migration occurs April–May 2026 (worldwide) and June 2026 (GCC/DoD). Admins can opt in early to customize settings.

Details:
Updated March 2, 2026: We have updated the content. Thank you for your patience.
[Introduction]
Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.
Important: Only tenants that already have Passkeys (FIDO2) enabled are affected by this update.
The passkeyType property enables admins to configure:
- Device-bound passkeys
- Synced passkeys
- Both

If your tenant already has Passkeys (FIDO2) enabled and you do not opt in to passkey profiles during the initial rollout window, your tenant will be automatically migrated to the passkey profiles schema at the date range specified below. When this occurs:
- Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.
- The passkeyType value will be set based on the tenant's current attestation settings.
- For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys.
- No new authentication methods are enabled as part of this migration.
[When this will happen]
- General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026.
- Automatic migration for existing Passkeys (FIDO2) enabled tenants (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026.
- General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026.
- Automatic migration for existing Passkeys (FIDO2) enabled tenants (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026.

Created:
2026-01-23

updated:
2026-03-03

summary for non-techies**

Starting in March 2026, Microsoft will introduce passkey profiles with features like "passkeyType" for more efficient and secure management of digital keys, automatically transitioning current setups unless organizations opt in early to customize their configurations.

Direct effects for Operations**

Migration to Default Passkey Profile
Existing Passkey (FIDO2) configurations will be automatically migrated to a Default passkey profile, potentially leading to confusion among users regarding authentication methods.
   - roles: IT Administrators, End Users
   - references: https://learn.microsoft.com/entra/identity/authentication/how-to-authentication-passkey-profiles

Changes in Authentication Method Targeting
The default user targeting for registration campaigns will change, which may lead to unexpected authentication experiences for users if not communicated properly.
   - roles: IT Administrators, End Users
   - references: https://learn.microsoft.com/entra/identity/authentication/how-to-mfa-registration-campaign

Configuration of Passkey Types
The automatic setting of the passkeyType property may not align with organizational security policies, leading to potential security risks.
   - roles: IT Security Managers, IT Administrators
   - references: https://learn.microsoft.com/entra/identity/authentication/how-to-authentication-synced-passkeys

User Experience with Unlimited Snoozes
The change to unlimited snoozes for MFA reminders may lead to users delaying authentication, impacting security posture.
   - roles: End Users, IT Security Managers
   - references: https://learn.microsoft.com/entra/identity/authentication/how-to-mfa-registration-campaign

Need for Updated Documentation
Failure to update runbooks and help content may result in increased support tickets and user frustration due to lack of understanding of new passkey behaviors.
   - roles: Help Desk Staff, End Users
   - references: https://learn.microsoft.com/entra/identity/authentication/how-to-authentication-passkey-profiles

** AI generated content. This information must be reviewed before use.

change history

Date: 2026-03-03
Property: MC MessageTagNames
old: New feature, User impact, Admin impact
new: Updated message, New feature, User impact, Admin impact

Date: 2026-03-03
Property: MC Summary
old: Starting March 2026, Microsoft Entra ID will auto-enable passkey profiles with a new passkeyType property for device-bound and synced passkeys. Tenants not opting in will be migrated automatically, with existing settings preserved. Microsoft-managed registration campaigns will update targeting to passkeys. Preparation and configuration before rollout are recommended.
new: Starting March 2026, Microsoft Entra ID will GA passkey profiles and synced passkeys for tenants with Passkeys (FIDO2) enabled. Existing configurations migrate to a Default passkey profile with a new passkeyType property. Automatic migration occurs April–May 2026 (worldwide) and June 2026 (GCC/DoD). Admins can opt in early to customize settings.

Date: 2026-03-03
Property: MC Last Updated
old: 01/23/2026 01:55:10
new: 2026-03-02T19:05:11Z

Date: 2026-03-03
Property: MC Messages
old:
[Introduction]
Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.
The passkeyType property enables admins to configure:
- Device-bound passkeys
- Synced passkeys
- Both

If a tenant does not opt in to passkey profiles during the initial rollout window, the new schema will be automatically enabled at the date range specified below. When this occurs:
- Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.
- The passkeyType value will be set based on the tenant's current attestation settings.
- For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys.

[When this will happen]
- General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026.
- Automatic enablement for tenants that have not yet opted in (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026.
- General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026.
- Automatic enablement for tenants that have not yet opted in (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026.

new:
Updated March 2, 2026: We have updated the content. Thank you for your patience.
[Introduction]
Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.
Important: Only tenants that already have Passkeys (FIDO2) enabled are affected by this update.
The passkeyType property enables admins to configure:
- Device-bound passkeys
- Synced passkeys
- Both

If your tenant already has Passkeys (FIDO2) enabled and you do not opt in to passkey profiles during the initial rollout window, your tenant will be automatically migrated to the passkey profiles schema at the date range specified below. When this occurs:
- Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile.
- The passkeyType value will be set based on the tenant's current attestation settings.
- For tenants that have synced passkeys enabled, Microsoft-managed registration campaigns will update to target passkeys.
- No new authentication methods are enabled as part of this migration.

[When this will happen]
- General Availability (Worldwide): Rollout begins in early March 2026 and is expected to complete by late March 2026.
- Automatic migration for existing Passkeys (FIDO2) enabled tenants (Worldwide): Rollout begins in early April 2026 and is expected to complete by late May 2026.
- General Availability (GCC, GCC High, and DoD): Rollout begins in early April 2026 and is expected to complete by late April 2026.
- Automatic migration for existing Passkeys (FIDO2) enabled tenants (GCC, GCC High, and DoD): Rollout begins in early June 2026 and is expected to complete by late June 2026.

Date: 2026-03-03
Property: MC Title
old: Microsoft Entra ID: Auto-enabling passkey profiles
new: Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants

Date: 2026-03-03
Property: MC How Affect
old:
Who is affected: All Microsoft Entra ID tenants
What will happen:
If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.
- Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
- New passkeyType property will be auto-populated
   - If enforce attestation is enabled, then device-bound allowed
   - If enforce attestation is disabled, then device-bound and synced allowed
- Any existing key restrictions will remain intact
- Any existing user targets will be assigned to the Default passkey profile

[Registration Campaign behavior (Microsoft-managed campaigns only)]
For tenants where synced passkeys are enabled, if your registration campaign is set to Microsoft-managed:
- The targeted authentication method will be updated from Microsoft Authenticator to passkeys.
- The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users.
- The settings Limited number of snoozes and Days allowed to snooze will no longer be configurable. These will be set to allow unlimited snoozes with a one-day reminder cadence.

new:
Who is affected: Microsoft Entra ID tenants with Passkeys (FIDO2) enabled
What will happen:
If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.
- Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
- New passkeyType property will be auto-populated
   - If enforce attestation is enabled, then device-bound allowed
   - If enforce attestation is disabled, then device-bound and synced allowed
- Any existing key restrictions will remain intact
- Any existing user targets will be assigned to the Default passkey profile

[Registration Campaign behavior (Microsoft-managed campaigns only)]
For tenants where synced passkeys are enabled, if your registration campaign is set to Microsoft-managed:
- The targeted authentication method will be updated from Microsoft Authenticator to passkeys.
- The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users.
- The settings Limited number of snoozes and Days allowed to snooze will no longer be configurable. These will be set to allow unlimited snoozes with a one-day reminder cadence.
