Why is Microsoft auto-enabling passkey profiles for Entra ID users?
Advisory: Microsoft Entra ID Auto-Migration to Passkey Profiles
Reference: MC1221452
Timeline: Early March 2026 – Late March 2026
Action Required: Configuration Review
Microsoft is changing how Entra ID manages passkey authentication. Starting in March 2026, the platform will automatically transition tenants to the new passkey profiles, alongside the General Availability (GA) of synchronized passkeys. Administrators who want to retain control over which passkey types their users can register must set the configuration themselves before the automatic switchover occurs.
The Core Technical Change
This update introduces a configuration property named passkeyType on the passkey profile. It gives administrators control over which kinds of passkeys users can register and sign in with.
passkeyType supports three settings:
- Device-bound passkeys: Credentials that never leave the authenticator on which they were created, such as a FIDO2 hardware security key. The private key cannot be exported or copied to another device.
- Synchronized passkeys: Credentials synced across a user's devices through a passkey provider's cloud (e.g., Apple iCloud Keychain, Google Password Manager). Because the private key is backed up to the provider, the assurance level also depends on the security of that provider account.
- Both: Either type is accepted.
Automatic Migration Logic
If an administrator takes no action before the rollout begins in early March 2026, Microsoft applies its default logic to the tenant:
- Profile conversion: The existing FIDO2 authentication method configuration is migrated to a standard passkey profile.
- Type determination: The passkeyType value is selected for you, derived from the tenant's current authentication settings.
- Campaign targeting: If the registration campaign is set to Microsoft-managed, it is updated to nudge users toward registering passkeys instead of the previous target method, Microsoft Authenticator.
Strategic Recommendations for Administrators
To prevent user confusion and security-policy misalignment, configure your preferred settings before the rollout window opens.
Pre-empt the Auto-Switch
Do not wait for the automatic window. Enable passkey profiles manually now, so that you set passkeyType explicitly instead of relying on Microsoft's default selection. Decide deliberately whether synchronized passkeys meet your assurance requirements before users start registering them.
Adjust Registration Campaigns
Review the registration campaign setting. If it is currently "Managed by Microsoft," the update will repoint the campaign at passkeys. To keep control of the nudge:
- Option A: Set the campaign status to "Activated" and explicitly select Microsoft Authenticator as the target method.
- Option B: Set the campaign status to "Disabled" to stop all nudges.
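Added example, written for this page and not part of the Microsoft advisory or any Microsoft sample: PowerShell against Microsoft Graph that audits the registration-campaign state described under Automatic Migration Logic and applies Option A or Option B above. It assumes the Microsoft.Graph PowerShell SDK is installed and you have already run Connect-MgGraph with the Policy.ReadWrite.AuthenticationMethod scope. The registration-campaign shape is the documented v1.0 schema; reading passkeyType from the fido2 authentication method configuration is an assumption about where the advisory's new property appears, since this page does not state its Graph location or its allowed values, so the script only reports it and never writes it.

```powershell
# Added example, not from the Microsoft advisory. Assumes:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
# has already been run. The campaign schema is the documented v1.0 shape
# (registrationEnforcement.authenticationMethodsRegistrationCampaign); the
# location of the advisory's 'passkeyType' property is an assumption.

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
$Fido2Uri  = "$PolicyUri/authenticationMethodConfigurations/fido2"

# Pure classification, so the logic can also be run against a saved policy export.
function Get-CampaignAssessment {
    param([Parameter(Mandatory)] $Policy)

    $campaign = $Policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
    $state    = [string]$campaign.state
    $targets  = @($campaign.includeTargets |
                  ForEach-Object { $_.targetedAuthenticationMethod } |
                  Sort-Object -Unique)

    # 'default' is what the portal shows as "Managed by Microsoft": the rollout
    # will repoint such a campaign at passkeys without further admin input.
    $verdict = switch ($state) {
        'default'  { 'Microsoft-managed: rollout will retarget this campaign to passkeys' }
        'enabled'  { "Admin-controlled: targets $($targets -join ', ')" }
        'disabled' { 'Disabled: no registration nudges are shown' }
        default    { "Unrecognized state '$state': review manually" }
    }

    [pscustomobject]@{
        State                    = $state
        TargetedMethods          = $targets
        NeedsActionBeforeRollout = ($state -eq 'default')
        Verdict                  = $verdict
    }
}

function Get-TenantPasskeyReadiness {
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri   # returns a hashtable
    $fido2  = Invoke-MgGraphRequest -Method GET -Uri $Fido2Uri

    $assessment = Get-CampaignAssessment -Policy $policy
    # Assumption: passkeyType is surfaced on the fido2 configuration once the
    # tenant is on a passkey profile. Absent means the default logic still applies.
    $passkeyType = if ($fido2.ContainsKey('passkeyType')) { $fido2['passkeyType'] }
                   else { '<not set: auto-migration will choose>' }

    [pscustomobject]@{
        Fido2State      = $fido2['state']
        PasskeyType     = $passkeyType
        CampaignState   = $assessment.State
        CampaignTargets = ($assessment.TargetedMethods -join ', ')
        NeedsAction     = $assessment.NeedsActionBeforeRollout
        Verdict         = $assessment.Verdict
    }
}

# Option A ('Authenticator'): keep the nudge but pin it to Microsoft Authenticator.
# Option B ('Disabled'): stop all nudges.
function Set-RegistrationCampaignExplicit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Authenticator', 'Disabled')] [string] $Option,
        # Group object IDs to nudge; empty means every user via Graph's 'all_users' group target.
        [string[]] $GroupIds = @()
    )

    if ($Option -eq 'Disabled') {
        $campaign = @{ state = 'disabled' }
    }
    else {
        $ids = if ($GroupIds.Count -eq 0) { @('all_users') } else { $GroupIds }
        $campaign = @{
            state                = 'enabled'
            snoozeDurationInDays = 1
            includeTargets       = @($ids | ForEach-Object {
                @{ id = $_; targetType = 'group'; targetedAuthenticationMethod = 'microsoftAuthenticator' }
            })
        }
    }

    $body = @{ registrationEnforcement = @{ authenticationMethodsRegistrationCampaign = $campaign } }
    if ($PSCmdlet.ShouldProcess('authenticationMethodsPolicy', "Set registration campaign to $Option")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body $body -ContentType 'application/json'
    }
}

# Constructed sample (not a real tenant export) for checking the classifier offline:
$SampleManagedPolicy = @{ registrationEnforcement = @{
    authenticationMethodsRegistrationCampaign = @{ state = 'default'; includeTargets = @() } } }

# Usage:
#   Get-CampaignAssessment -Policy $SampleManagedPolicy
#   Get-TenantPasskeyReadiness | Format-List
#   Set-RegistrationCampaignExplicit -Option Authenticator -WhatIf
```

Run the readiness check first and record its output; a campaign state of default is the case the advisory warns about. Preview the PATCH with -WhatIf before applying it, since the change takes effect tenant-wide.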
Update Operational Documentation
The sign-in experience will change. Update your internal runbooks and helpdesk scripts, and make sure support staff understand the difference between a synchronized passkey and a device-bound hardware key (for example, which one a user can still use after losing a device) so they can assist users effectively.