(Updated) Microsoft Entra: Passkeys in registration campaigns update

Message ID: MC1279092
Service: Microsoft Entra
Category: Stay Informed
Tags: New feature, User impact, Admin impact
Rollout: May 2026, June 2026

Summary

Microsoft Entra will continue supporting Passkeys (FIDO2) in Enabled and Microsoft-managed states for Registration Campaigns, rolling out worldwide from mid-May to late June 2026. Eligible tenants will see automatic updates to campaign settings and passkey registration nudges after MFA, with no immediate action required.

Details

Updated April 23, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

Earlier communication indicated a change in direction; however, Microsoft will continue to add support for passkeys (FIDO2) in the Enabled state within Registration Campaigns. This is the final direction and aligns with our long‑term passkey adoption strategy.

We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.

Passkeys (FIDO2) will continue moving forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746. 

Passkey (FIDO2) will also move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria. 

[When this will happen]

  • General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.

[How this affects your organization]

Who is affected

  • Microsoft Entra tenants using Authentication Methods Registration Campaigns
  • Tenants with Passkeys (FIDO2) enabled
  • Only tenants that meet the Microsoft‑managed eligibility criteria described below

What will happen

Enabled state

  • Passkeys (FIDO2) will be supported as the targeted authentication method for Registration Campaigns in the Enabled state.
  • Over time, we will incrementally refine the logic for passkey nudges in Registration Campaigns to guide users toward the appropriate passkey registration experience based on their passkey profile scope. Initially, the logic may not account for edge‑case scenarios in which users have passkey profile restrictions, but we are actively expanding and improving it. When users have passkey profile restrictions (for example, only device‑bound passkeys allowed), the registration experience triggered by the nudge may not be optimal.

Microsoft‑managed state

  • Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.

Tenants are impacted when all of the following conditions are met:

  • The Passkeys (FIDO2) authentication method policy is Enabled.
  • Allow self‑service setup is Enabled.
  • Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
  • The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
  • The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.

Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For impacted tenants, the following Registration Campaign settings will be automatically updated:

  • Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
  • Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
  • Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
  • Default user targeting changes from voice call or text message users to all MFA‑capable users.

After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.

Rollout will occur incrementally across eligible Microsoft Entra tenants.
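
The tenant-level conditions above can be checked against an exported copy of the authentication methods policy. The following is an added example, not part of the Microsoft announcement: it assumes the JSON shape of the Microsoft Graph authenticationMethodsPolicy resource, the mapping of the announcement's portal labels to those fields is an assumption, and the sample policy is constructed.

```python
import json

# Constructed sample shaped like the Microsoft Graph authenticationMethodsPolicy
# resource (GET /policies/authenticationMethodsPolicy). Values are illustrative.
SAMPLE_POLICY = json.loads("""
{
  "registrationEnforcement": {"authenticationMethodsRegistrationCampaign": {
    "state": "default", "snoozeDurationInDays": 3,
    "enforceRegistrationAfterAllowedSnoozes": true,
    "includeTargets": [{"id": "all_users", "targetType": "group",
                        "targetedAuthenticationMethod": "microsoftAuthenticator"}]}},
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled",
     "isSelfServiceRegistrationAllowed": true, "isAttestationEnforced": false,
     "keyRestrictions": {"isEnforced": false, "enforcementType": "allow", "aaGuids": []}}]
}
""")

def _campaign(policy):
    return policy["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]

def tenant_level_checks(policy):
    """Evaluate the four tenant-level conditions (field mapping is an assumption)."""
    fido2 = next((c for c in policy["authenticationMethodConfigurations"]
                  if c.get("id", "").lower() == "fido2"), {})
    restrictions = fido2.get("keyRestrictions") or {}
    return {
        "passkey_policy_enabled": fido2.get("state") == "enabled",
        "self_service_setup_enabled": fido2.get("isSelfServiceRegistrationAllowed") is True,
        "no_aaguid_restrictions": not restrictions.get("isEnforced", False),
        # Assumption: Graph reports the Microsoft-managed campaign state as "default".
        "campaign_microsoft_managed": _campaign(policy).get("state") == "default",
    }

def in_scope(policy):
    """True when all four checks pass. The per-user condition (synced and
    device-bound passkeys both enabled) is not evaluated here."""
    return all(tenant_level_checks(policy).values())

def settings_to_review(policy):
    """Current values of the campaign settings the announcement says will change."""
    c = _campaign(policy)
    methods = {t["targetedAuthenticationMethod"] for t in c.get("includeTargets", [])}
    return {"targeted_methods": sorted(methods),
            "snooze_days": c.get("snoozeDurationInDays"),
            "limited_snoozes": c.get("enforceRegistrationAfterAllowedSnoozes")}

if __name__ == "__main__":
    print(tenant_level_checks(SAMPLE_POLICY), in_scope(SAMPLE_POLICY))
    print(settings_to_review(SAMPLE_POLICY))
```

Recording the output of `settings_to_review` before the rollout window gives a baseline to compare against once the automatic update has been applied.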

[What you can do to prepare]

No action is required at this time.

If you plan to enable passkey registration nudges in the future:

  • Ensure users are enabled for both synced and device‑bound passkeys.
  • Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
  • Set your Authentication Methods Registration Campaign to Microsoft‑managed or Enabled.

[Compliance considerations]

Question: Does the change include an admin control, and can it be controlled through Microsoft Entra settings?

Answer: Yes. This change is governed by existing Microsoft Entra Authentication Methods policies and Authentication Methods Registration Campaign configuration. Administrators control whether passkey registration nudges are delivered by enabling passkeys, configuring self‑service setup, and setting the registration campaign to the Microsoft‑managed state.

Change History

April 23, 2026 at 8:31 PM: Updated

Title

  • Previous: Microsoft Entra: Passkeys in registration campaigns update
  • New: (Updated) Microsoft Entra: Passkeys in registration campaigns update

Summary

  • Previous: Microsoft Entra updates Passkeys (FIDO2) support in Authentication Methods Registration Campaigns, delaying Enabled state availability and introducing Passkeys in Microsoft-managed state for eligible tenants starting mid-May 2026. Eligible tenants will see automatic campaign setting changes; no immediate action is required.
  • New: Microsoft Entra will continue supporting Passkeys (FIDO2) in Enabled and Microsoft-managed states for Registration Campaigns, rolling out worldwide from mid-May to late June 2026. Eligible tenants will see automatic updates to campaign settings and passkey registration nudges after MFA, with no immediate action required.

Last Updated Date

  • Previous: 2026-04-13T22:53:19.000Z
  • New: 2026-04-23T19:57:04.747Z

Tags

  • Previous: New feature, User impact, Admin impact
  • New: Updated message, New feature, User impact, Admin impact

Body Content
Previous

[Introduction]

We are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.

Based on ongoing improvements to passkey registration nudge logic and user experience behavior, Passkeys (FIDO2) will no longer move forward to General Availability as the targeted authentication method for Registration Campaigns in the Enabled state as previously communicated in MC1253746. 

Instead, we are continuing to refine the eligibility logic that determines when users receive passkey registration nudges during sign-in. In the interim, Passkey (FIDO2) will move forward as the targeted authentication method for Registration Campaigns in the Microsoft Managed state for tenants that meet our in-scope criteria. 

[When this will happen]

  • General Availability (Worldwide): Rollout will begin in mid‑May 2026 to Microsoft Managed state and is expected to complete by late June 2026.

[How this affects your organization]

Who is affected

  • Microsoft Entra tenants using Authentication Methods Registration Campaigns
  • Tenants with Passkeys (FIDO2) enabled
  • Only tenants that meet the Microsoft‑managed eligibility criteria described below

What will happen

Enabled state

  • Passkeys (FIDO2) will not be supported as the targeted authentication method for Registration Campaigns in the Enabled state at this time.
  • We are continuing to improve registration campaign nudge behavior and eligibility logic to better align with passkey configuration and profile scope.
  • Further updates will be shared when support for the Enabled state becomes available.

Microsoft‑managed state

  • Passkeys (FIDO2) will be introduced as the targeted authentication method in the Microsoft‑managed state for eligible tenants.

Tenants are impacted when all of the following conditions are met:

  • The Passkeys (FIDO2) authentication method policy is Enabled.
  • Allow self‑service setup is Enabled.
  • Target specific AAGUIDs is not selected (no AAGUID restrictions configured).
  • The Authentication Methods Registration Campaign state is set to Microsoft‑managed.
  • The tenant has at least one user enabled for both synced passkeys and device‑bound passkeys.

Only users who are enabled for both synced and device‑bound passkeys, with no passkey profile restrictions configured (for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.

For impacted tenants, the following Registration Campaign settings will be automatically updated:

  • Targeted authentication method changes from Microsoft Authenticator to Passkeys (FIDO2).
  • Days allowed to snooze changes from 3 days to 1 day (no longer configurable).
  • Limited number of snoozes changes from Enabled to Disabled (no longer configurable).
  • Default user targeting changes from voice call or text message users to all MFA‑capable users.

After these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in after completing multifactor authentication.

Rollout will occur incrementally across eligible Microsoft Entra tenants.

[What you can do to prepare]

No action is required at this time.

If you plan to enable passkey registration nudges in the future:

  • Ensure users are enabled for both synced and device‑bound passkeys.
  • Remove any passkey profile restrictions (such as AAGUID or attestation requirements).
  • Set your Authentication Methods Registration Campaign to Microsoft‑managed.

[Compliance considerations]

Question: Does the change include an admin control, and can it be controlled through Microsoft Entra settings?

Answer: Yes. This change is governed by existing Microsoft Entra Authentication Methods policies and Authentication Methods Registration Campaign configuration. Administrators control whether passkey registration nudges are delivered by enabling passkeys, configuring self‑service setup, and setting the registration campaign to the Microsoft‑managed state.
