Microsoft Is Auto-Enabling Passkeys in Your Tenant Next Month. Are You Ready?

Starting March 2026, Microsoft will automatically enable passkey profiles in every Entra ID tenant. If you do nothing, your authentication configuration changes without your input. Here is what is happening, what could break, and exactly how to prepare.

TrueConfig Team

Security Engineering

February 7, 2026

The Clock Is Ticking

In March 2026, Microsoft will begin rolling out automatic passkey profile enablement across all Entra ID tenants worldwide. If you have not opted in by then, Microsoft will migrate your existing FIDO2 settings into the new passkey profiles system for you — automatically — starting in April 2026.

This is not a minor settings tweak. Passkey profiles replace the current Passkey (FIDO2) authentication method configuration with a fundamentally different model. Your tenant's authentication behavior will change. The question is whether it changes the way you intend or the way Microsoft's defaults dictate.

If you manage Microsoft 365 for a mid-sized company, the next four weeks are your window to get ahead of this.


What Is Actually Changing

From One Config to Many Profiles

Today, FIDO2 passkey settings in Entra ID are essentially a single, tenant-wide configuration. You can target specific groups, but there is one set of rules governing how passkeys work.

The new passkey profiles model replaces this with multiple profiles, each with distinct rules, assigned to different groups. Think of it as moving from one global policy to a Conditional Access-style approach for passkey behavior.

This is more powerful, but it also means more configuration surface area to manage — and more places where defaults might not match your security posture.

The New passkeyType Property

The biggest change is the introduction of the passkeyType property. This determines whether your users can register:

  • Device-bound passkeys: The private key stays on the physical device. Users must register each device separately. This is what traditional FIDO2 security keys do.
  • Synced passkeys: The private key is stored in a cloud provider (Apple iCloud Keychain, Google Password Manager) and synchronized across the user's devices. Register once, sign in from any device.

The default behavior after auto-migration depends on your current attestation settings:

  • Attestation enforced → only device-bound passkeys allowed
  • Attestation not enforced → both synced and device-bound passkeys allowed

If you have never touched your attestation settings, you are likely getting synced passkeys enabled by default.

Registration Campaigns Go Autopilot

When passkeyType is set to synced and registration campaigns are Microsoft-managed, the campaign target automatically shifts from Microsoft Authenticator to passkeys for all MFA-capable users. The catch: administrators lose configurability over campaign behavior — it defaults to unlimited snooze reminders shown daily.

Your users will start seeing prompts to register passkeys. Every day. Whether you planned for it or not.


What Could Go Wrong

1. Synced Passkeys on Unmanaged Devices

Synced passkeys are convenient, but they mean your corporate credentials can end up on personal devices synced through iCloud or Google accounts. For organizations with strict device compliance requirements, this may violate your security policies.

If your Conditional Access policies require compliant or managed devices, synced passkeys might create authentication failures when users try to sign in from personal devices where the passkey synced but the device is not compliant.

2. User Confusion at Scale

Your users will see new registration prompts. Help desk tickets will spike. Users who already have FIDO2 keys may wonder why they are being asked to register again. Users who do not understand passkeys may register them on personal devices, thinking they are just "saving a password."

Without advance communication, expect confusion.

3. Conditional Access Conflicts

If you have Conditional Access policies that specifically reference FIDO2 as an authentication strength, verify they still work as expected with passkey profiles. The migration should preserve settings, but the underlying plumbing has changed.

4. Configuration Drift You Did Not Approve

The auto-migration creates a "Default passkey profile" based on your current settings. But from that point forward, your authentication configuration is in a new system with new defaults and new behaviors. If you do not review the migrated profile, you may be running with settings you did not explicitly choose.


Your Preparation Checklist

This Week: Understand Your Current State

1. Check your current FIDO2 configuration. In Entra ID, go to Protection → Authentication methods → Passkey (FIDO2). Document your current settings: who is targeted, what key restrictions exist, whether attestation is enforced.

2. Decide on synced vs. device-bound. This is the most important decision. Synced passkeys are more user-friendly but distribute credentials across cloud providers. Device-bound passkeys are more controlled but require per-device registration.

For most mid-sized companies, the right answer is: device-bound passkeys for privileged accounts, synced passkeys allowed for standard users, controlled via separate passkey profiles targeting different groups.

3. Audit your Conditional Access policies. Look for policies that reference authentication strengths or specific authentication methods. Verify they will work correctly with the new passkey profiles model.

Before March: Opt In Early

4. Enable passkey profiles manually before the auto-migration. Opting in during the preview period gives you full control over the default profile configuration. Waiting for the auto-migration means accepting Microsoft's defaults.

5. Create group-based profiles. Set up at least two profiles:

  • A restrictive profile for administrators and privileged users (device-bound only, attestation enforced)
  • A standard profile for regular users (synced passkeys allowed if your compliance posture permits)

6. Prepare user communications. Draft a brief message explaining what passkeys are, why users will see new prompts, and what they should do. Send it before the migration, not after the help desk tickets start rolling in.

After Migration: Monitor

7. Verify the migration result. After opting in or after auto-migration, review the Default passkey profile to confirm your settings transferred correctly. Check that group assignments are intact and that the passkeyType property matches your intent.

8. Watch for authentication anomalies. Monitor sign-in logs for failed authentications related to passkey methods. Look for users registering passkeys on unexpected device types.
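
The migration rule described earlier (attestation enforced gives device-bound only, otherwise both types) and checklist steps 1 and 7 can be checked mechanically. This is an added example, not TrueConfig or Microsoft code: the pre-migration input follows the shape of the Graph v1.0 FIDO2 method configuration, while the post-migration snapshot is a simplified model made up for this example in which only passkeyType comes from the article; all values are constructed.

```python
import json

# Constructed sample in the shape of the Graph v1.0 FIDO2 method configuration
# (GET /policies/authenticationMethodsPolicy/
#  authenticationMethodConfigurations/fido2). Values are made up.
PRE_MIGRATION = json.loads("""
{
  "state": "enabled",
  "isAttestationEnforced": false,
  "keyRestrictions": {"isEnforced": false, "enforcementType": "allow", "aaGuids": []},
  "includeTargets": [{"targetType": "group", "id": "all_users"}]
}
""")

# Constructed post-migration snapshot. Only "passkeyType" is named in the
# article; the other keys and the value labels are this example's own
# simplified model, not a Graph schema.
OBSERVED_PROFILE = {
    "passkeyType": ["deviceBound", "synced"],
    "attestationEnforced": False,
    "targets": ["all_users"],
}

def predict_default_profile(fido2_cfg):
    """Apply the article's migration rule to a pre-migration export."""
    enforced = bool(fido2_cfg.get("isAttestationEnforced"))
    types = ["deviceBound"] if enforced else ["deviceBound", "synced"]
    return {
        "passkeyType": types,
        "attestationEnforced": enforced,
        "targets": sorted(t["id"] for t in fido2_cfg.get("includeTargets", [])),
    }

def deviations(expected, observed):
    """Return (field, expected, observed) for every setting that differs."""
    out = []
    for field in ("passkeyType", "attestationEnforced", "targets"):
        want, got = expected.get(field), observed.get(field)
        if isinstance(want, list):  # list order is not significant
            want, got = sorted(want), sorted(got or [])
        if want != got:
            out.append((field, want, got))
    return out

if __name__ == "__main__":
    predicted = predict_default_profile(PRE_MIGRATION)
    print("migration matches prediction:", not deviations(predicted, OBSERVED_PROFILE))
    # Intended state for a privileged-user profile (checklist step 5).
    intended = dict(predicted, passkeyType=["deviceBound"], attestationEnforced=True)
    for field, want, got in deviations(intended, OBSERVED_PROFILE):
        print(f"DEVIATION {field}: intended {want}, observed {got}")
```

Run against this sample, the migrated profile matches the prediction but deviates from a device-bound-only intent on two fields, which is the case the article warns about: a migration that "worked" and still left settings nobody chose.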


The Bigger Picture: Passwordless Is Inevitable

This auto-enablement is not an isolated event. It is part of Microsoft's multi-year push to eliminate passwords from Entra ID entirely. The trajectory is clear:

  • 2024: Passkeys (FIDO2) became generally available
  • 2025: Synced passkeys added; registration campaigns introduced
  • March 2026: Passkey profiles auto-enabled for all tenants
  • Late 2026+: Expect password-optional or password-elimination policies to follow

The organizations that handle this transition well are the ones that define their intended authentication state ahead of time and actively manage the migration, rather than letting Microsoft's defaults define their security posture.

This is where continuous configuration monitoring pays off. When Microsoft auto-enables a new feature in your tenant — or when a well-meaning admin tweaks a passkey profile without documenting the change — you need to know about it. Not at the next quarterly review. That day.

TrueConfig monitors your Microsoft 365 authentication and Conditional Access configuration against your defined baseline. When your passkey profiles change — whether from Microsoft's auto-migration, an admin adjustment, or an unexpected policy modification — you see the deviation immediately, with full context on what changed and what your intended state should be.

