HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Entra ID Entra IDPasskeysMicrosoft AuthenticatorMFAIntuneZero Trust

How to Enable Passkeys with Microsoft Authenticator in Microsoft 365

IA
Imran Awan
12 July 2026

Your users are still logging in with passwords. That means they are vulnerable to phishing, credential stuffing, and breach replay attacks. Passkeys fix all three — and Microsoft Authenticator now supports passkeys natively, making deployment straightforward directly from Entra ID and Intune.

This post covers exactly how to enable passkeys in your tenant, configure the Authentication Methods policy, verify adoption with PowerShell, and what the end user experience looks like from registration to daily sign-in.

Watch this post — NotebookLM Audio Overview

Generated with NotebookLM · Subscribe at endpointweekly.com

What passkeys actually are — and why they matter

A passkey is a FIDO2 credential based on asymmetric cryptography. When a user registers a passkey, two keys are generated: a private key that never leaves the device (stored in the iOS Secure Enclave or Android Keystore), and a public key stored on the server — in this case, Entra ID. Authentication works by the server issuing a challenge that only the private key can sign, and the user unlocks that private key with biometrics or their device PIN.

Three things that make this fundamentally better than passwords:

Note: Microsoft Authenticator passkeys are device-bound — the private key is stored in the device's secure hardware. They are distinct from synced passkeys (like Apple Passkeys in iCloud Keychain) but provide the same phishing-resistant guarantee required by Entra ID Conditional Access.

Microsoft Authenticator passkeys vs FIDO2 hardware keys

FeatureMicrosoft Authenticator passkeyFIDO2 hardware key (YubiKey etc.)
Additional hardware requiredNo — uses the user's existing phoneYes — physical key, £25–£60 per user
Phishing resistantYesYes
Biometric unlockFace ID or fingerprint on phoneDepends on key model
Works without network on the deviceYes (Bluetooth pairing for desktop sign-in)Yes (USB/NFC)
Lost device recoveryRe-enrol via Temporary Access PassProvision replacement key
Deployment at scalePolicy in Entra ID + app config in IntunePhysical distribution required
Gotcha: Authenticator passkeys are device-bound. If a user gets a new phone they must re-register their passkey. Always enable Temporary Access Pass (TAP) before rolling out passkeys — it is your recovery path, and without it your helpdesk will be overwhelmed with locked-out accounts.

Step 1 — Enable passkeys in the Authentication Methods policy

  1. Select Passkey (FIDO2) from the authentication method list
  2. Set Enable to Yes
  3. Under Target, select Select users and groups — start with a pilot Entra group, not All users
  4. Expand Configure and set:
    • Allow self-service set up: Yes
    • Enforce attestation: No (unless your compliance framework requires hardware attestation)
    • Key restrictions: Leave unrestricted to allow any FIDO2 authenticator, or add specific AAGUIDs to allow only Authenticator
    • Microsoft Authenticator: Toggle on
  5. Click Save
Entra ID — Authentication methods — Passkey (FIDO2) policy
Passkey (FIDO2)
Phishing-resistant passwordless authentication
✓ Enabled
Microsoft Authenticator
Device-bound passkey on iOS and Android
✓ Enabled
Target
SG-Passkey-Pilot (42 members)
Selected group

Step 2 — Enable Temporary Access Pass before go-live

  1. Set Enable to Yes
  2. Minimum lifetime: 60 minutes
  3. Maximum lifetime: 480 minutes (8 hours for helpdesk working hours)
  4. Set One-time use to Yes — the TAP is burned after first use
  5. Target the same pilot group for now, then expand when passkeys are fully rolled out
Watch out: Global Administrators can issue TAPs that bypass MFA entirely. Restrict TAP issuance to Helpdesk Administrator role only, and consider gating that role assignment behind PIM approval to prevent credential abuse through the TAP path.

Step 3 — Deploy Microsoft Authenticator app config via Intune

Use an Intune app configuration policy to ensure Authenticator is configured correctly on managed devices:

Add the following key-value pair to ensure passkey registration is not disabled by the user:

Intune App Config — Microsoft Authenticator
# iOS managed app configuration key-value pairs
Key:   PasskeyEnabled
Type:  String
Value: true

Key:   FaceIDEnabled
Type:  String
Value: true
Tip: Deploy Microsoft Authenticator as a Required app via Intune before creating the app configuration policy. If Authenticator is not installed, the configuration policy has nothing to apply to and will show as Not applicable in the device compliance report.

Step 4 — Verify passkey registrations with PowerShell

After the pilot group has had time to register (give it 48–72 hours with a user communication email), check how many have enrolled:

PowerShell 7 — Microsoft Graph
# Connect with required delegated scope
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All" -NoWelcome

# Report: users with FIDO2 passkey registrations
$users = Get-MgUser -All -Select "Id,DisplayName,UserPrincipalName"

$report = foreach ($user in $users) {
    $methods = Get-MgUserAuthenticationFido2Method `
        -UserId $user.Id -ErrorAction SilentlyContinue
    if ($methods) {
        [PSCustomObject]@{
            DisplayName  = $user.DisplayName
            UPN          = $user.UserPrincipalName
            PasskeyCount = $methods.Count
            Registered   = ($methods | Sort-Object CreatedDateTime | Select -Last 1).CreatedDateTime
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv "C:\Logs\Intune\PasskeyReport-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Total users with passkeys: $($report.Count)" -ForegroundColor Cyan
Output
DisplayName     UPN                          PasskeyCount Registered
-----------     ---                          ------------ ----------
Jane Smith      j.smith@contoso.com          1            09/07/2026 08:23:14
Robert Chen     r.chen@contoso.com           2            10/07/2026 09:07:52
Sarah Williams  s.williams@contoso.com       1            10/07/2026 14:11:03

Total users with passkeys: 3

CSP and Group Policy coverage

Windows Hello for Business — Intune OMA-URI (CSP)

Passkey registration is controlled at the Entra ID tenant level (Authentication Methods policy). On the device side, the relevant CSP is Windows Hello for Business, which controls whether the device can act as an authenticator:

OMA-URITypeValue
./Device/Vendor/MSFT/PassportForWork/EnabledBooleanTrue
./Device/Vendor/MSFT/PassportForWork/RequireSecurityDeviceBooleanTrue (TPM required)
./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometricsBooleanTrue
Registry Editor — PassportForWork (Intune-written)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork
Enabled REG_DWORD 0x00000001
RequireSecurityDevice REG_DWORD 0x00000001

Group Policy equivalent

SettingPath
Use Windows Hello for BusinessComputer Configuration › Administrative Templates › Windows Components › Windows Hello for Business › Use Windows Hello for Business
Use a hardware security deviceComputer Configuration › Administrative Templates › Windows Components › Windows Hello for Business › Use a hardware security device
Gotcha: GPO and CSP control Windows Hello for Business on the Windows device — a related but distinct technology from Microsoft Authenticator passkeys. Passkey enablement for the Authenticator app is controlled from the Entra ID Authentication Methods policy alone. You cannot enable or disable Authenticator passkeys via GPO.

What the user sees at registration

Users visit aka.ms/mysecurityinfo to register. After clicking Add method › Passkey (FIDO2), they are prompted to use Microsoft Authenticator. The flow: Authenticator opens on their phone → they approve via biometric → passkey is registered in under 60 seconds. Next sign-in to Microsoft 365, instead of entering a password, they tap a notification on their phone and authenticate with Face ID or fingerprint.

My Security Info — aka.ms/mysecurityinfo
🔑
Passkey (FIDO2)
Microsoft Authenticator — iPhone — Registered 10 Jul 2026
✓ Active

Monitoring adoption

Track registration progress in the Entra ID usage and insights report:

Filter by method type FIDO2 to see daily registration counts, active use rates per method, and which users are still signing in with passwords or SMS OTP — your migration target list.

Tip: Use the Authentication methods › Activity report to export a CSV of all sign-ins by method. Filter for authentication method = Password to identify the users who are not yet using passkeys — send them a targeted nudge email with a direct link to aka.ms/mysecurityinfo.

References

Listen to this post — NotebookLM Audio Overview

Generated with NotebookLM · Subscribe at endpointweekly.com

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Entra ID
Entra Conditional Access: WHfB Enforcement Deadline July 2026
Microsoft's July 2026 deadline for phishing-resistant MFA enforcement is approaching.…
Entra ID
The Primary Refresh Token (PRT): How Entra ID SSO Actually Works…
The PRT is the token that powers silent SSO across every Microsoft 365 app on your…
Entra ID
Microsoft Entra ID Complete Overview: Identity, SSO, Conditional…
The complete foundational guide to Microsoft Entra ID — what it is, how authentication…