Introduction
Microsoft continues to strengthen passwordless authentication at scale with the introduction of Microsoft Entra Passkeys. Starting in March 2026, this update will let users rely on the Windows Hello container for phishing-resistant authentication to resources protected by Entra, including personal and unmanaged devices.
Enhanced Security with Windows Hello
With this update, device-bound passkeys are integrated into the Windows Hello container. This allows users to authenticate using biometric methods such as facial recognition, fingerprint, or secure PINs.
Good to know
This feature is particularly beneficial for enterprises adopting BYOD (Bring Your Own Device) strategies or managing shared and unmanaged PCs.
Key Features of Entra Passkeys
- Device-bound security: Passkeys are stored locally and do not sync across devices.
- Multi-account support: Ability to connect multiple Entra accounts on the same Windows device.
- Complement to Windows Hello for Business: WHfB remains the recommended option for managed devices; passkeys add phishing-resistant protection for unmanaged scenarios.
- Coexistence with WHfB: A passkey cannot be registered on a device where WHfB credentials already exist for the same account. Registration is also blocked once the limit of 50 credentials across FIDO2, WHfB, and Mac Platform Credentials is reached.
Enable Entra Passkeys in Your Tenant
As this feature is in public preview, it must be enabled manually from the Microsoft Entra Admin Center.
Enable FIDO2 Authentication
Verify that the Passkey (FIDO2) method is enabled in your authentication policies.
Configure AAGUIDs
Explicitly add the following AAGUIDs to your allowlist:
Windows Hello AAGUID identifiers:
- 08987058-cadc-4b81-b6e1-30de50dcbe96
- 9ddd1817-af5a-4672-a2b9-3e3dd95000a9
- 6028b017-b1d4-4c02-b4b3-afcdafc96bb2
Review Conditional Access Policies
Ensure that your required security level policies support passkey authentication.
Detailed Configuration of Passkeys in Microsoft Entra
- Sign in to the Microsoft Entra Admin Center, navigate to Authentication methods, then select Policies.
- Enable Passkey (FIDO2): add the method and target the groups of your choice.
- Under the Configure tab, add a profile and set the following parameters:
  - Enforce attestation: No
  - Target types: Device-bound
  - Behavior: Allow
  - Add the AAGUIDs.
- Under Enable and target, assign this new configuration to your targeted users.
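The same profile expressed as a Microsoft Graph request body for the Fido2 authentication method configuration, with a small audit that flags the settings a reviewer would check (added example, not code from the article or from Microsoft). The group id and helper names are assumptions; the "Target types: Device-bound" profile setting has no field in this body and is not represented.

```python
"""Build and audit the Entra Passkey (FIDO2) policy body for Microsoft Graph."""
import uuid

# The three Windows Hello AAGUIDs listed in the article.
WINDOWS_HELLO_AAGUIDS = (
    "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "9ddd1817-af5a-4672-a2b9-3e3dd95000a9",
    "6028b017-b1d4-4c02-b4b3-afcdafc96bb2",
)

# Endpoint that receives the PATCH (v1.0 Graph path for the Fido2 method).
GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/Fido2")


def build_fido2_policy(group_ids, extra_aaguids=()):
    """Return the PATCH body mirroring the article's profile: attestation not
    enforced, allowlist behaviour, Windows Hello AAGUIDs, targeted groups."""
    aaguids = list(WINDOWS_HELLO_AAGUIDS) + [a.lower() for a in extra_aaguids]
    for a in aaguids:
        uuid.UUID(a)  # raises ValueError on a malformed AAGUID before it reaches the tenant
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isAttestationEnforced": False,
        "isSelfServiceRegistrationEnabled": True,
        "keyRestrictions": {"isEnforced": True, "enforcementType": "allow", "aaGuids": aaguids},
        "includeTargets": [{"targetType": "group", "id": g, "isRegistrationRequired": False}
                           for g in group_ids],  # group ids are hypothetical placeholders
    }


def authenticator_allowed(policy, aaguid):
    """Decide whether an authenticator with this AAGUID may register under the policy."""
    kr = policy.get("keyRestrictions") or {}
    if not kr.get("isEnforced"):
        return True  # no restriction configured: every FIDO2 authenticator passes
    listed = aaguid.lower() in [a.lower() for a in kr.get("aaGuids", [])]
    return listed if kr.get("enforcementType") == "allow" else not listed


def audit_policy(policy):
    """Findings a reviewer would raise against a Fido2 policy object (as returned by GET)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("passkey method is not enabled")
    if not (policy.get("keyRestrictions") or {}).get("isEnforced"):
        findings.append("key restrictions not enforced: any FIDO2 authenticator can register")
    missing = [a for a in WINDOWS_HELLO_AAGUIDS if not authenticator_allowed(policy, a)]
    if missing:
        findings.append("Windows Hello AAGUIDs not allowed: " + ", ".join(missing))
    return findings
```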
Tip
While the technical structure is ready, monitor Microsoft updates for information on the final user experience.
Glossary
- Passkey: Passwordless credential based on FIDO2, bound to the device.
- Windows Hello: Windows technology for biometric or PIN authentication.
- WHfB (Windows Hello for Business): Enterprise version of Windows Hello for managed devices.
- AAGUID: Unique identifier for a specific type of hardware or software authenticator.