What are the steps to enable phishing-resistant sign-in using Entra ID?
Implementing Entra Passkeys
Microsoft is deploying phishing-resistant Windows authentication via Microsoft Entra Passkeys, detailed in administrative update MC1247893. This update introduces passwordless login capabilities using Windows Hello. It extends robust security measures to hardware that is not officially registered to your corporate network. Administrators must actively configure these settings to protect unmanaged, shared, or private computers.
Device-Bound Authentication
Users create device-specific passkeys stored directly within the local Windows Hello container. Authentication occurs through standard Windows Hello methods, including facial recognition, fingerprint scanning, or a numerical PIN. These passkeys remain strictly bound to the physical device and do not synchronize across different machines. Users can operate multiple Entra accounts on a single computer, but each account requires a separate passkey registration.
Deployment Timelines
- Public preview spans from mid-March to late April 2026.
- General availability runs from mid-March to mid-April 2026.
- Government environments (GCC, GCC High, DoD) receive updates from mid-April to mid-May 2026.
Administrative Requirements
IT administrators must explicitly enable the “Passkeys (FIDO2)” authentication method within the organization’s security policies to activate this feature. Existing conditional access and authentication strength policies will continue functioning normally without additional modification. Windows Hello for Business remains the recommended standard for fully managed devices. Note that users cannot register a passkey if Windows Hello for Business credentials already exist for that specific account and container, unless the user surpasses fifty total credentials across all platforms.
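One way to verify the "Passkeys (FIDO2)" method setting described above is to audit the policy document that Microsoft Graph returns for the FIDO2 authentication method configuration. This is an added example, not code from Microsoft or from the original page; the sample JSON is constructed, and the finding codes and the `audit_fido2_policy` name are hypothetical.

```python
import json

# Constructed sample of the JSON that Microsoft Graph returns for
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
# (values are illustrative, not taken from a real tenant).
SAMPLE_DISABLED = json.loads("""
{
  "id": "Fido2",
  "state": "disabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": false,
  "keyRestrictions": {"isEnforced": true, "enforcementType": "allow", "aaGuids": []},
  "includeTargets": []
}
""")

# Same document after an administrator enables the method for all users.
SAMPLE_ENABLED = dict(
    SAMPLE_DISABLED,
    state="enabled",
    includeTargets=[{"targetType": "group", "id": "all_users",
                     "isRegistrationRequired": False}],
    keyRestrictions={"isEnforced": False, "enforcementType": "block", "aaGuids": []},
)

def audit_fido2_policy(cfg):
    """Return finding codes (hypothetical names) that would stop users
    from registering a passkey under this policy document."""
    findings = []
    if cfg.get("state") != "enabled":
        findings.append("method-disabled")           # method is switched off
    if not cfg.get("includeTargets"):
        findings.append("no-include-targets")        # nobody is in scope
    if not cfg.get("isSelfServiceRegistrationAllowed", False):
        findings.append("self-service-registration-blocked")
    kr = cfg.get("keyRestrictions") or {}
    # An enforced allow list with no AAGUIDs permits no authenticator at all.
    if kr.get("isEnforced") and kr.get("enforcementType") == "allow" \
            and not kr.get("aaGuids"):
        findings.append("empty-allow-list")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_DISABLED), ("after", SAMPLE_ENABLED)):
        print(name, audit_fido2_policy(cfg) or "ok")
```

To run it against a tenant, save the Graph response for the FIDO2 configuration to a file and pass the parsed JSON to `audit_fido2_policy`.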