Microsoft is adding passkey support for Microsoft Entra on Windows devices, bringing phishing-resistant, passwordless authentication through the familiar Windows Hello interface.
Details of the Rollout
The feature will be available on an opt-in basis, entering public preview from mid-March until late April 2026 for global tenants. Following this, government cloud environments—including GCC, GCC High, and DoD—will see a rollout from mid-April to mid-May.
This innovative feature notably extends passwordless sign-in capabilities to unmanaged Windows devices, addressing a significant gap that previously left personal and shared devices dependent on traditional password-based authentication methods.
As Microsoft articulates in the Microsoft 365 message center, “We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN).”
Furthermore, this enhancement aims to bolster security across organizations by reducing reliance on passwords, thereby minimizing potential vulnerabilities.
Security Features and User Experience
The generated passkeys are cryptographically bound to the device and are never transmitted over the network, which shields them from theft by threat actors through phishing or malware attacks. This adds an extra layer of security and avoids the risks associated with multi-factor authentication.
Each Entra account will register its own passkey per device, allowing for multiple accounts to coexist on a single machine. However, it’s important to note that passkeys are device-bound and cannot be synced across devices, necessitating separate registration for each Entra account.
Enrollment Process for IT Administrators
To participate in the public preview, IT administrators will need to enable the Passkeys (FIDO2) authentication method within Entra’s Authentication Methods policies. This includes creating a passkey profile with the required Windows Hello AAGUIDs and assigning it to the appropriate user groups.
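A pre-flight check for the steps above, as an added example (not Microsoft's code and not from the message center post): it audits an exported Passkeys (FIDO2) policy object for the three conditions the paragraph names. Assumptions: property names follow Microsoft Graph's tenant-wide fido2AuthenticationMethodConfiguration resource rather than the preview's passkey profile schema, and every GUID is a constructed placeholder to be replaced with the Windows Hello AAGUIDs and group IDs from your own tenant documentation.

```python
# Added example: audit an exported Passkeys (FIDO2) policy before opting in.
# Every GUID here is a constructed placeholder, not a real AAGUID or group id.
REQUIRED_AAGUIDS = {"00000000-0000-0000-0000-0000000000a1",
                    "00000000-0000-0000-0000-0000000000a2"}
PILOT_GROUP = "11111111-1111-1111-1111-111111111111"

def audit_fido2_policy(policy, required_aaguids, expected_groups):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Passkeys (FIDO2) method is not enabled")
    # AAGUID restrictions: compare case-insensitively against the required set.
    restrictions = policy.get("keyRestrictions") or {}
    listed = {g.lower() for g in restrictions.get("aaGuids") or []}
    required = {g.lower() for g in required_aaguids}
    mode = restrictions.get("enforcementType")
    if not restrictions.get("isEnforced"):
        findings.append("key restrictions are not enforced; AAGUID list is ignored")
    elif mode == "allow":
        findings += [f"AAGUID {g} missing from allow list"
                     for g in sorted(required - listed)]
    elif mode == "block":
        findings += [f"AAGUID {g} is on the block list"
                     for g in sorted(required & listed)]
    else:
        findings.append(f"unknown enforcementType: {mode!r}")
    # Group assignment: the special id "all_users" covers every group.
    targets = {t.get("id") for t in policy.get("includeTargets") or []
               if t.get("targetType") == "group"}
    if "all_users" not in targets:
        findings += [f"group {g} is not targeted"
                     for g in sorted(set(expected_groups) - targets)]
    return findings

# Constructed sample policies (not exported from a real tenant).
SAMPLE_OK = {
    "state": "enabled",
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                        "aaGuids": sorted(REQUIRED_AAGUIDS)},
    "includeTargets": [{"targetType": "group", "id": PILOT_GROUP}],
}
SAMPLE_WEAK = {
    "state": "disabled",
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                        "aaGuids": ["00000000-0000-0000-0000-0000000000A1"]},
    "includeTargets": [{"targetType": "group", "id": "all_pilots_typo"}],
}
if __name__ == "__main__":
    for name, pol in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, audit_fido2_policy(pol, REQUIRED_AAGUIDS, [PILOT_GROUP]))
```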
In a broader context, Microsoft announced in May 2025 that all new Microsoft accounts will be “passwordless by default,” a strategic move aimed at safeguarding against phishing, brute-force, and credential-stuffing attacks. This initiative follows the rollout of passkey authentication for personal Microsoft accounts in 2024, which was complemented by the introduction of a built-in passkey manager for Windows Hello with the Windows 11 22H2 feature update.
As the landscape of cybersecurity continues to evolve, Microsoft’s latest advancements reflect a proactive approach to ensuring user safety and enhancing the overall security framework across its platforms.