Introduction
Passkeys in Microsoft Entra (based on FIDO2) represent a major advancement in security, offering robust, passwordless and phishing-resistant authentication. Yet their general availability rollout is encountering delays, primarily linked to registration campaigns. In this article, we detail the reasons for these obstacles, the available configuration statuses, and practical strategies for effective adoption.
The 'Enabled' Status and Its Limitations
Although scheduled for release in April 2026, the 'Enabled' status in Passkey registration campaigns has been suspended by Microsoft. Here are the key points explaining this delay:
- The underlying logic does not properly handle edge cases, particularly for users subject to specific restrictions such as AAGUID (Authenticator Attestation GUID) allow-lists.
- Manual activation of campaigns in this 'Enabled' status does not currently produce the expected behavior.
- Poor user experience prompted Microsoft to reconsider these implementations. Updates will be communicated when this status becomes operational.
Good to Know
The 'Enabled' status would allow direct activation of Passkey registration campaigns, but its current unavailability should not deter your adoption of this technology.
The 'Microsoft-managed' Status
Starting in May 2026, Passkey registration campaigns under the 'Microsoft-managed' status will be deployed to tenants meeting the following criteria:
- FIDO2 authentication policy enabled in your tenant.
- Configuration allowing self-registration by users.
- No AAGUID restrictions (specific targeting for certain AAGUIDs must not be enabled).
- Campaign status configured as 'Microsoft-managed'.
- At least one user enabled for synchronized and device-bound Passkeys.
Impact of 'Microsoft-managed' Status on Users
Here are the main changes for qualified tenants:
- MFA-eligible users will be progressively invited to register Passkeys.
- The deferral period will be reduced to a single day, with the option to resubmit indefinitely.
- All compatible MFA users who meet the criteria will receive these requests.
Tip
Use the available reports in Azure AD to verify which users meet the criteria and could be impacted by this campaign.
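The eligibility criteria listed above and the report check suggested in this tip can be scripted together. The following is an added example (not from the original article) using the Microsoft Graph PowerShell SDK; the FIDO2 property names under AdditionalProperties follow the Graph fido2AuthenticationMethodConfiguration resource, the passkey method names in the registration report are assumed, and registered passkeys are used as a proxy for the per-user enablement criterion.

```powershell
# Added example: check the 'Microsoft-managed' campaign prerequisites and list affected users.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. FIDO2 method configuration: state, self-service registration, AAGUID key restrictions.
#    Type-specific properties are exposed in AdditionalProperties by the SDK.
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
$selfService  = $fido2.AdditionalProperties["isSelfServiceRegistrationAllowed"]
$restrictions = $fido2.AdditionalProperties["keyRestrictions"]
$aaguidEnforced = $restrictions -and $restrictions["isEnforced"] -and ($restrictions["aaGuids"].Count -gt 0)

$checks = [ordered]@{
    "FIDO2 policy enabled"           = ($fido2.State -eq "enabled")
    "Self-service registration on"   = [bool]$selfService
    "No AAGUID restriction enforced" = -not $aaguidEnforced
}

# 2. Registration report: users who already hold a passkey / FIDO2 key versus
#    MFA-capable users who do not (the latter are the ones the campaign will prompt).
#    Assumed method names: "fido2SecurityKey" and values starting with "passKey".
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$hasPasskey = $details | Where-Object {
    $_.MethodsRegistered | Where-Object { $_ -eq "fido2SecurityKey" -or $_ -like "passKey*" }
}
$mfaNoPasskey = $details | Where-Object {
    $_.IsMfaCapable -and ($_.UserPrincipalName -notin $hasPasskey.UserPrincipalName)
}
$checks["At least one user with a passkey (proxy)"] = ($hasPasskey.Count -gt 0)

# 3. Summary and an export of the users in scope, for the communications step.
$checks.GetEnumerator() | ForEach-Object {
    "{0,-42} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "MISSING" })
}
"Users with a passkey registered: $($hasPasskey.Count)"
"MFA-capable users without a passkey: $($mfaNoPasskey.Count)"
$mfaNoPasskey | Select-Object UserPrincipalName, IsMfaCapable, MethodsRegistered |
    Export-Csv -Path .\passkey-campaign-scope.csv -NoTypeInformation
```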
Practical Strategies for Passkey Adoption
Effective alternatives exist to facilitate the transition to Passkeys and increase their adoption without relying solely on registration campaigns. Here are three approaches:
1. Use of Temporary Access Pass (TAP)
Temporary Access Passes (TAPs) provide strong temporary authentication. They simplify:
- User onboarding.
- Access recovery for post-loss scenarios or device reset.
Key steps:
TAP Generation
Generate a TAP via the Azure AD portal or PowerShell.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"   # Microsoft Graph PowerShell SDK (the AzureAD module has no TAP cmdlet)
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "user@example.com" -LifetimeInMinutes 60 -IsUsableOnce
Redirect to Registration Page
Ask your users to visit aka.ms/mysecurityinfo to configure their Passkey without requiring a password.
2. Conditional Access Policies via Authentication Strengths
Enforce security at the point of access by requiring the phishing-resistant MFA authentication strength in a Conditional Access policy.
Example policy:
# Require the built-in "Phishing-resistant MFA" authentication strength (Microsoft Graph PowerShell SDK); the policy starts in report-only mode
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$policy = @{ displayName = "PhishingResistantMFA"; state = "enabledForReportingButNotEnforced"; conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") } }; grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } } }
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Warning
Verify that users have registered a compatible phishing-resistant method before switching this policy from report-only to enforced.
3. Direct Communications to Users
Facilitate adoption by sending targeted communications:
- Internal documents explaining benefits and instructions.
- Practical guides included in kits for physical FIDO2 devices.
- Direct links to the Passkey registration page.
Tip
Pair communications with Q&A sessions to reduce resistance to change.
Conclusion
Although the 'Enabled' status is experiencing delays, the 'Microsoft-managed' status enables automatic adjustments to Passkey campaigns for qualified tenants. Adopt proactive solutions such as TAPs, conditional access policies, and targeted communications to begin the transition.
To learn more, feel free to consult our other articles on MFA authentication strategies in Microsoft 365.