![(Updated) Microsoft Entra: Passkeys in registration campaigns update [MC1279092]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-eye4dtail-122308-1024x683.webp "(Updated) Microsoft Entra: Passkeys in registration campaigns update [MC1279092] 1")
Updated April 23, 2026: We have updated the content. Thank you for your patience.
[Introduction]
Earlier communication indicated a change in direction; however, Microsoft will continue to add support for passkeys (FIDO2) in the Enabled state within Registration Campaigns. This is the final direction and aligns with our long‑term passkey adoption strategy.
We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.
Passkeys (FIDO2) will continue moving forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746.
Passkey (FIDO2) will also move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria.
[When this will happen]
- General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.
[How this affects your organization]
Who is affected
- Microsoft Entra tenants using Authentication Methods Registration Campaigns
- Tenants with Passkeys (FIDO2) enabled
- Only tenants that meet the Microsoft‑managed eligibility criteria described below
What will happen
Enabled state
- Passkeys (FIDO2) will be supported as the targeted authentication method for Registration Campaigns in the Enabled state.
- Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for edge‑case scenario if users have any passkey profile restrictions, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, device bound only passkeys allowed), the registration experience triggered by the nudge may not be optimal.
Microsoft‑managed state
- Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.
Tenants are impacted when all of the following conditions are met:
- The Passkeys (FIDO2) authentication method policy is Enabled.
- Allow self‑service setup is Enabled.
- Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
- The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
- The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.
Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.
For impacted tenants, the following Registration Campaign settings will be automatically updated:
- Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
- Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
- Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
- Default user targeting changes from voice call or text message users to all MFA‑capable users.
After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.
Rollout will occur incrementally across eligible Microsoft Entra tenants.
[What you can do to prepare]
No action is required at this time.
If you plan to enable passkey registration nudges in the future:
- Ensure users are enabled for both synced and device‑bound passkeys.
- Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
- Set your Authentication Methods Registration Campaign to Microsoft‑managed or Enabled.
[Compliance considerations]
| Question | Answer |
| Does the change include an admin control, and can it be controlled through Microsoft Entra settings? | Yes. This change is governed by existing Microsoft Entra Authentication Methods policies and Authentication Methods Registration Campaign configuration. Administrators control whether passkey registration nudges are delivered by enabling passkeys, configuring self‑service setup, and setting the registration campaign to the Microsoft‑managed state. |
Source: Microsoft
<<< [MC1279092] Archive
Tooltip: View earlier revisions of this post
Latest Posts
- (Updated) Microsoft Entra: Passkeys in registration campaigns update [MC1279092]
- Microsoft Teams: Meeting Participants Can Request Collaborative Annotation Sessions Dependent on Host Permission [MC1019312]
- Amazon Redshift supports UPDATE, DELETE, MERGE for Apache Iceberg tables
- Amazon S3 now supports five additional checksum algorithms
