(Updated) Microsoft Entra: Passkeys in Microsoft registration campaigns

Updated April 14, 2026: After further review, we have decided not to move forward with this change at this time. You can refer to MC1279092 for updates. We apologize for any inconvenience this may cause and appreciate your understanding.

[Introduction]

As previously announced in MC1221452, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.

Please refer to MC1279092 for updates. 

[When this will happen] 

General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete in late May 2026.

[How this affects your organization]

Who is affected

• Microsoft 365 tenants using Microsoft Registration Campaigns
• Tenants configured in either Microsoft‑managed or Enabled states
• Users who are MFA‑capable and eligible for Passkeys (FIDO2)

What will happen

Microsoft‑managed state

Your tenant will be impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is enabled.
• Allow self‑service setup is enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.

When these conditions are met, the following settings will update automatically:

• The targeted authentication method will change from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze will change from three days to one day. (This setting will no longer be configurable.)
• Limit number of snoozes will be disabled. (This setting will no longer be configurable.)
• Targeting will expand to all MFA‑capable users. (This setting will no longer be configurable.)
• Default user targeting will change from voice call or text message users to all multifactor authentication (MFA)–capable users.

Affected users will receive Passkey registration nudges at sign‑in after completing MFA.

We will roll out these changes incrementally over time to in‑scope tenants.

Enabled state

Passkey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state. 

Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously.

[What you can do to prepare]

Opting into Passkey Registration Nudges:

• The user is MFA‑capable
  • They have at least one registered MFA method
  • They can successfully complete MFA at sign‑in
• Under Authentication methods > Policies, the user is in scope for Passkeys (FIDO2)
• Under Authentication methods > Policies > Passkeys (FIDO2) > Configure, make sure you have Allow self-service set up checked. 

Important Guidance:

We will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately. 

Enabled State 

Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal.   

Using Passkeys Despite Restrictions

You can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.

Example: 

If a user is scoped into specific AAGUID synced passkeys only, they may see a Passkey nudge at sign‑in. If they attempt to register a device‑bound passkey, the registration will fail because they are not in scope for that passkey type. 

Recommended next steps

• Review your Registration Campaign state by early April 2026.
• Communicate this change to helpdesk or support teams.
• Update internal documentation on authentication method enrollment.
• If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.

Learn more: How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn

Updated April 14, 2026: After further review, we have decided not to move forward with this change at this time. You can refer to MC1279092 for updates. We apologize for any inconvenience this may cause and appreciate your understanding.

[Introduction]

As previously announced in MC1221452, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.

Please refer to MC1279092 for updates. 

[When this will happen] 

General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete in late May 2026.

[How this affects your organization]

Who is affected

• Microsoft 365 tenants using Microsoft Registration Campaigns
• Tenants configured in either Microsoft‑managed or Enabled states
• Users who are MFA‑capable and eligible for Passkeys (FIDO2)

What will happen

Microsoft‑managed state

Your tenant will be impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is enabled.
• Allow self‑service setup is enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.

When these conditions are met, the following settings will update automatically:

• The targeted authentication method will change from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze will change from three days to one day. (This setting will no longer be configurable.)
• Limit number of snoozes will be disabled. (This setting will no longer be configurable.)
• Targeting will expand to all MFA‑capable users. (This setting will no longer be configurable.)
• Default user targeting will change from voice call or text message users to all multifactor authentication (MFA)–capable users.

Affected users will receive Passkey registration nudges at sign‑in after completing MFA.

We will roll out these changes incrementally over time to in‑scope tenants.

Enabled state

Passkey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state. 

Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously.

[What you can do to prepare]

Opting into Passkey Registration Nudges:

• The user is MFA‑capable
  • They have at least one registered MFA method
  • They can successfully complete MFA at sign‑in
• Under Authentication methods > Policies, the user is in scope for Passkeys (FIDO2)
• Under Authentication methods > Policies > Passkeys (FIDO2) > Configure, make sure you have Allow self-service set up checked. 

Important Guidance:

We will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately. 

Enabled State 

Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal.   

Using Passkeys Despite Restrictions

You can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.

Example: 

If a user is scoped into specific AAGUID synced passkeys only, they may see a Passkey nudge at sign‑in. If they attempt to register a device‑bound passkey, the registration will fail because they are not in scope for that passkey type. 

Recommended next steps

• Review your Registration Campaign state by early April 2026.
• Communicate this change to helpdesk or support teams.
• Update internal documentation on authentication method enrollment.
• If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.

Learn more: How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn

Updated April 9, 2026: After further review, we have decided not to move forward with this change at this time. We will communicate via a new Message center post when we are ready to proceed. We apologize for any inconvenience this may cause and appreciate your understanding.

[Introduction]

As previously announced in MC1221452, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.

[When this will happen] 

General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete in late May 2026.

[How this affects your organization]

Who is affected

• Microsoft 365 tenants using Microsoft Registration Campaigns
• Tenants configured in either Microsoft‑managed or Enabled states
• Users who are MFA‑capable and eligible for Passkeys (FIDO2)

What will happen

Microsoft‑managed state

Your tenant will be impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is enabled.
• Allow self‑service setup is enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.

When these conditions are met, the following settings will update automatically:

• The targeted authentication method will change from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze will change from three days to one day. (This setting will no longer be configurable.)
• Limit number of snoozes will be disabled. (This setting will no longer be configurable.)
• Targeting will expand to all MFA‑capable users. (This setting will no longer be configurable.)
• Default user targeting will change from voice call or text message users to all multifactor authentication (MFA)–capable users.

Affected users will receive Passkey registration nudges at sign‑in after completing MFA.

We will roll out these changes incrementally over time to in‑scope tenants.

Enabled state

Passkey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state. 

Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously.

[What you can do to prepare]

Opting into Passkey Registration Nudges:

• The user is MFA‑capable
  • They have at least one registered MFA method
  • They can successfully complete MFA at sign‑in
• Under Authentication methods > Policies, the user is in scope for Passkeys (FIDO2)
• Under Authentication methods > Policies > Passkeys (FIDO2) > Configure, make sure you have Allow self-service set up checked. 

Important Guidance:

We will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately. 

Enabled State 

Over time, we will incrementally refine the logic for Passkeys nudges in Microsoft Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal.   

Using Passkeys Despite Restrictions

You can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.

Example: 

If a user is scoped into specific AAGUID synced passkeys only, they may see a Passkey nudge at sign‑in. If they attempt to register a device‑bound passkey, the registration will fail because they are not in scope for that passkey type. 

Recommended next steps

• Review your Registration Campaign state by early April 2026.
• Communicate this change to helpdesk or support teams.
• Update internal documentation on authentication method enrollment.
• If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.

Learn more: How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn