Microsoft Entra: Passkeys in registration campaigns update

Microsoft Entra updates Passkeys (FIDO2) support in Authentication Methods Registration Campaigns, delaying Enabled state availability and introducing Passkeys in Microsoft-managed state for eligible tenants starting mid-May 2026. Eligible tenants will see automatic campaign setting changes; no immediate action is required.

[Introduction]

We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.

Based on ongoing improvements to passkey registration nudge logic and user experience behavior, Passkeys (FIDO2) will no longer move forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746. 

Instead, we are continuing to refine the eligibility logic that determines when users receive passkey registration nudges during sign-in. In the interim, Passkey (FIDO2) will move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria. 

[When this will happen]

• General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.

[How this affects your organization]

Who is affected

• Microsoft Entra tenants using Authentication Methods Registration Campaigns
• Tenants with Passkeys (FIDO2) enabled
• Only tenants that meet the Microsoft‑managed eligibility criteria described below

What will happen

Enabled state

• Passkeys (FIDO2) will not be supported as the targeted authentication method for Registration Campaigns in the Enabled state at this time.
• We are continuing to improve registration campaign nudge behavior and eligibility logic to better align with passkey configuration and profile scope.
• Further updates will be shared when support for the Enabled state becomes available.

Microsoft‑managed state

• Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.

Tenants are impacted when all of the following conditions are met:

• The Passkeys (FIDO2) authentication method policy is Enabled.
• Allow self‑service setup is Enabled.
• Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
• The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
• The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.

Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For impacted tenants, the following Registration Campaign settings will be automatically updated:

• Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
• Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
• Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
• Default user targeting changes from voice call or text message users to all MFA‑capable users.

After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.

Rollout will occur incrementally across eligible Microsoft Entra tenants.

[What you can do to prepare]

No action is required at this time.

If you plan to enable passkey registration nudges in the future:

• Ensure users are enabled for both synced and device‑bound passkeys.
• Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
• Set your Authentication Methods Registration Campaign to Microsoft‑managed.

[Compliance considerations]

Question	Answer
Does the change include an admin control, and can it be controlled through Microsoft Entra settings?	Yes. This change is governed by existing Microsoft Entra Authentication Methods policies and Authentication Methods Registration Campaign configuration. Administrators control whether passkey registration nudges are delivered by enabling passkeys, configuring self‑service setup, and setting the registration campaign to the Microsoft‑managed state.