MC690185 – (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) (archived)


*A more relevant or more recent entry exists for this item: MC718260

check before: 2023-11-30

Product:

Entra, Entra ID, Microsoft 365 Apps

Platform:

mobile, World tenant

Status:

Launched

Change type:

Admin impact, New feature, Updated message, User impact

Links:

MC718260

Details:

Summary:
Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys, beginning mid-March 2024. Admins will need to enforce key restrictions to allow specified passkey providers in their FIDO2 policy. The end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to "Face, fingerprint, PIN, or security key" and the term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.

Details:
Updated February 19, 2024: We have updated the rollout timeline below. Thank you for your patience.
Beginning mid-March 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.

Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
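As an added example (not part of the Microsoft message or of the cloudscout.one page), the Microsoft Graph PowerShell snippet below performs the opt-in step described above: it reads the tenant's current FIDO2 key restrictions, inventories the AAGUIDs of security keys users have already registered so that switching to "Allow" does not lock those users out, and then enforces an allow list that also contains the passkey provider AAGUIDs. The provider AAGUIDs are placeholders that you must replace with the values published by your passkey provider.

```powershell
# Added example; not from the original message. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.Read.All"

$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# 1. Read the current FIDO2 policy so the change can be reviewed before it is applied.
$current = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
$kr = $current.keyRestrictions
Write-Host "Current key restrictions: isEnforced=$($kr.isEnforced) enforcementType=$($kr.enforcementType)"
Write-Host "Current AAGUIDs: $($kr.aaGuids -join ', ')"

# 2. Inventory the AAGUIDs of security keys already registered in the tenant.
#    Under "Allow", any model whose AAGUID is missing from the list stops working,
#    so these must be carried over. (One call per user; fine for a one-off change.)
$inUse = @{}
Get-MgUser -All -Property Id, UserPrincipalName | ForEach-Object {
    Get-MgUserAuthenticationFido2Method -UserId $_.Id -ErrorAction SilentlyContinue | ForEach-Object {
        $inUse[$_.AaGuid] = $_.Model
    }
}
Write-Host "Security key models currently in use:"
$inUse.GetEnumerator() | ForEach-Object { Write-Host "  $($_.Key)  $($_.Value)" }

# 3. AAGUIDs of the device-bound passkey providers to allow.
#    PLACEHOLDERS: replace with the AAGUIDs your provider publishes.
$passkeyProviderAaguids = @(
    "00000000-0000-0000-0000-000000000001",  # placeholder: provider app on mobile devices
    "00000000-0000-0000-0000-000000000002"   # placeholder: provider on computers
)

# 4. Build the de-duplicated allow list: keys already in use plus the passkey providers.
$allow = @($inUse.Keys) + $passkeyProviderAaguids | Sort-Object -Unique

$body = @{
    "@odata.type"   = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"
        aaGuids         = @($allow)
    }
}

# 5. Apply the allow list. This is the state that opts the tenant into the preview.
Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -Body $body -ContentType "application/json"
Write-Host "Key restrictions set to Allow with $($allow.Count) AAGUID(s)."
```

Check the printed inventory before letting the PATCH run; as the message states, neither the default nor the "Block" state enables device-bound passkey providers, so only an "Allow" list containing the provider AAGUIDs opts the tenant in.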


End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.


*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience

The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
"Sign in with Windows Hello or security key"
"Sign in with a security key"
"Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
"Face, fingerprint, PIN, or security key"
"Signing in with a passkey"


Release Phase:

Created:
2023-11-16

updated:
2024-02-20





changes*

Date | Property | old | new
2024-02-20 | MC Last Updated | old: 01/09/2024 20:18:23 | new: 2024-02-19T22:05:27Z
2024-02-20 | MC Messages | old:
Updated January 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
Beginning mid-February 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.

Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.


End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.


*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience

The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
"Sign in with Windows Hello or security key"
"Sign in with a security key"
"Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
"Face, fingerprint, PIN, or security key"
"Signing in with a passkey"
new:
Updated February 19, 2024: We have updated the rollout timeline below. Thank you for your patience.
Beginning mid-March 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.

Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.


End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.


*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience

The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
"Sign in with Windows Hello or security key"
"Sign in with a security key"
"Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
"Face, fingerprint, PIN, or security key"
"Signing in with a passkey"
2024-02-20 | MC End Time | old: 04/01/2024 09:00:00 | new: 2024-05-27T09:00:00Z
2024-02-20 | MC Summary
Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys, beginning mid-March 2024. Admins will need to enforce key restrictions to allow specified passkey providers in their FIDO2 policy. The end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to "Face, fingerprint, PIN, or security key" and the term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
2024-01-10 | MC Messages | old:
Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.

Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.


End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.


*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience

The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
"Sign in with Windows Hello or security key"
"Sign in with a security key"
"Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
"Face, fingerprint, PIN, or security key"
"Signing in with a passkey"
new:
Updated January 9, 2024: We have updated the rollout timeline below. Thank you for your patience.
Beginning mid-February 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.

Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.


End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.


*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience

The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
"Sign in with Windows Hello or security key"
"Sign in with a security key"
"Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
"Face, fingerprint, PIN, or security key"
"Signing in with a passkey"
2024-01-10 | MC Title | old: Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) | new: (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business)
2024-01-10 | MC Last Updated | old: 11/16/2023 01:05:05 | new: 2024-01-09T20:18:23Z
2024-01-10 | MC MessageTagNames | old: New feature, User impact, Admin impact | new: Updated message, New feature, User impact, Admin impact

*starting April 2022
