Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello.
The feature is opt-in and will enter public preview from mid-March through late April 2026 for worldwide tenants. Government cloud environments (GCC, GCC High, and DoD) follow with mid-April through mid-May rollout windows.
Notably, this also extends passwordless sign-in to unmanaged Windows devices, a gap that previously left personal and shared devices relying on password-based authentication.
“We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft explains on the Microsoft 365 message center.
“It also expands passwordless authentication to Windows devices that aren’t Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords.”
The generated passkeys are cryptographically bound to the device and never transmitted over the network, so threat actors can’t steal them in phishing or malware attacks to circumvent multi-factor authentication.
Microsoft added that each Entra account will register its own passkey per device, and multiple accounts can coexist on a single machine. However, passkeys are device‑bound and cannot be synced across devices, so each Entra account will require separate registration.
To enroll in the public preview, IT administrators must enable the Passkeys (FIDO2) authentication method in Entra’s Authentication Methods policies, create a passkey profile with the required Windows Hello AAGUIDs, and assign it to the appropriate groups.
Microsoft announced in May 2025 that all new Microsoft accounts will be “passwordless by default” to secure them against phishing, brute-force, and credential-stuffing attacks.
One year earlier, it rolled out support for passkey authentication for personal Microsoft accounts, after adding a built-in passkey manager for Windows Hello with the Windows 11 22H2 feature update.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
