{"id":15323,"date":"2026-03-12T02:01:29","date_gmt":"2026-03-11T17:01:29","guid":{"rendered":"https:\/\/m365jp.net\/?p=15323"},"modified":"2026-03-12T02:06:09","modified_gmt":"2026-03-11T17:06:09","slug":"mc1221452-microsoft-entra-id-general-availability-of-passkey-profiles-and-migration-for-existing-passkeys-fido2-tenants-2","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-03-12-mc1221452-microsoft-entra-id-general-availability-of-passkey-profiles-and-migration-for-existing-passkeys-fido2-tenants-2","title":{"rendered":"MC1221452 | Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1221452 | Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>03\/11\/2026 16:43:56<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>01\/23\/2026 00:54:46<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>08\/31\/2026 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p>Updated March 11, 2026: We have updated the content. Thank you for your patience.<\/p>\n<p><b>[Introduction]<\/b><\/p>\n<p>Starting in <b>March 2026<\/b>, Microsoft Entra ID will introduce <b>passkey profiles  <\/b>and <b>synced passkeys<\/b> to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new  <b>passkeyType<\/b> property.<\/p>\n<p><b>Important:<\/b> Only tenants that <b>already have Passkeys (FIDO2) enabled<\/b> are affected by this update.&nbsp;<\/p>\n<p>  <\/p>\n<p>  <\/p>\n<p>  <\/p>\n<p>The <b>passkeyType<\/b>&nbsp;property enables admins to configure:<\/p>\n<ul>\n<li>Device-bound passkeys<\/li>\n<li>Synced passkeys<\/li>\n<li>Both<\/li>\n<\/ul>\n<p>If your tenant already has Passkeys (FIDO2) enabled and you do not opt in to passkey profiles during the initial rollout window, your tenant will be automatically migrated to the passkey profiles schema at the date range specified below. When this occurs:&nbsp;<\/p>\n<ul>\n<li>Existing Passkey (FIDO2) authentication method configurations will be moved into a  <b>Default passkey profile.<\/b>&nbsp;<\/li>\n<li>The <b>passkeyType<\/b> value will be set based on the tenant\u2019s current attestation settings.<\/li>\n<li>For tenants that have synced passkeys enabled, <b>Microsoft-managed<\/b> registration campaigns will update to target passkeys.<\/li>\n<li>No new authentication methods are enabled as part of this migration.&nbsp;<\/li>\n<\/ul>\n<p><b>Authentication Methods Registration Campaign changes (Microsoft-Managed Only)<\/b><\/p>\n<p>For tenants with passkeys (FIDO2) enabled and active Authentication methods registration campaign set to \u201cMicrosoft-managed\u201d state, the registration campaign settings may change after passkey profile automatic migration.&nbsp;<\/p>\n<p><b>[When this will happen]<\/b><\/p>\n<p>  <\/p>\n<ul>  <\/p>\n<li><b>General Availability (Worldwide):<\/b> Rollout begins in<b> early March 2026  <\/b>and is expected to complete by<b> late March 2026<\/b>.\n<ul>\n<li><b>Automatic migration for existing Passkeys (FIDO2) enabled tenants (Worldwide):<\/b> Rollout begins in  <b>early April 2026<\/b> and is expected to complete by<b> late May 2026<\/b>.<\/li>\n<\/ul>\n<\/li>\n<li><b>General Availability (GCC, GCC High, and DoD): <\/b>Rollout begins in<b> early April 2026  <\/b>and is expected to complete by<b> late April 2026.<\/b>\n<ul>\n<li><b>Automatic migration for existing Passkeys (FIDO2) enabled tenants (GCC, GCC High, and DoD):  <\/b>Rollout begins in<b> early June 2026 <\/b>and is expected to complete by<b> late June 2026.&nbsp;<\/b><\/li>\n<\/ul>\n<\/li>\n<p>  <\/ul>\n<p>  <\/p>\n<p><b>[How this affects your organization]<\/b><\/p>\n<p>  <\/p>\n<p><i>Who is affected: <\/i>Microsoft Entra ID tenants with Passkeys (FIDO2) enabled<\/p>\n<p>  <\/p>\n<p><i>What will happen:<\/i><\/p>\n<p>If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.<\/p>\n<p>  <\/p>\n<ul>  <\/p>\n<li>Your existing Passkey (FIDO2) configurations will be migrated into a <b>Default passkey profile<\/b><\/li>\n<li>New <b>passkeyType <\/b>property will be auto-populated\n<ul>\n<li>If <b>enforce attestation <\/b>is <b>enabled<\/b>, then device-bound allowed<\/li>\n<li>If <b>enforce attestation <\/b>is <b>disabled<\/b>, then device-bound and synced allowed<\/li>\n<\/ul>\n<\/li>\n<li>Any existing <b>key restrictions <\/b>will remain intact<\/li>\n<li>Any existing <b>user targets <\/b>will be assigned to the <b>Default passkey profile<\/b><\/li>\n<\/ul>\n<p><b>[Who is affected for Authentication Methods Registration Campaign changes:]<\/b><\/p>\n<p>Microsoft Entra ID tenants with passkeys (FIDO2) enabled and active Authentication methods registration campaign set to \u201cMicrosoft-managed\u201d state.<\/p>\n<p><i>What will happen:<\/i><\/p>\n<p>If your tenant has passkey profiles that allow both device-bound and synced passkeys, does not have attestation enforcement, and does not have AAGUID\u2011specific key restrictions, your Microsoft-managed registration campaign settings will be updated.<\/p>\n<p>Resulting Microsoft-managed registration campaign changes:<\/p>\n<ul>\n<li>&#8220;Targeted authentication method\u201d will change from Microsoft Authenticator to \u201cpasskeys (FIDO2)\u201d.<\/li>\n<li>\u201cDays allowed to snooze\u201d setting will change from 3days to \u201c1 day\u201d. This setting will no longer be configurable.<\/li>\n<li>\u201cLimited number of snoozes\u201d setting will change from Enabled to &#8220;Disabled\u201d. This setting will no longer be configurable.<\/li>\n<li>The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users.&nbsp;<\/li>\n<\/ul>\n<p>What is the end user impact:<\/p>\n<p>Once the above changes have taken effect, users targeted in the registration campaign will begin to receive passkey registration nudges during sign-in flows after they have completed multifactor authentication.<\/p>\n<ul>  <\/ul>\n<p><b>[What you can do to prepare]<\/b><\/p>\n<p>If you want a configuration different from the migration defaults, review the timeline above and opt in to passkey profiles  <b>before your tenant\u2019s automatic enablement window begins<\/b>. Then configure the Default passkey profile\u2019s<b> passkeyType<\/b> to your preferred values.<\/p>\n<p>We also recommend:<\/p>\n<ul>\n<li>Review your <b>registration campaign <\/b>configuration,<b> especially if its set to Microsoft-managed<\/b>. If you want synced passkeys enabled in your tenant but do not want registration campaign to target passkeys, you can:&nbsp;\n<ul>\n<li>Switch the registration campaign state to<b><i> Enabled<\/i><\/b> and continue targeting Microsoft Authenticator, or&nbsp;<\/li>\n<li>Set the registration campaign state to <b><i>Disabled<\/i><\/b>.<\/li>\n<\/ul>\n<\/li>\n<li>Update runbooks and help content so your help desk and end users understand any changes in passkey availability or behavior.&nbsp;<\/li>\n<\/ul>\n<p>Learn more:<\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/how-to-authentication-passkey-profiles\" target=\"_blank\">How to Enable Passkey (FIDO2) Profiles in Microsoft Entra ID (preview) &#8211; Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/how-to-authentication-synced-passkeys\" target=\"_blank\">How to Enable Synced Passkeys (FIDO2) in Microsoft Entra ID (preview) &#8211; Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/how-to-mfa-registration-campaign\" target=\"_blank\">How to run a registration campaign to set up Microsoft Authenticator &#8211; Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/synced-passkey-faq\" target=\"_blank\">Synced passkeys FAQ &#8211; Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<\/ul>\n<p>  <\/p>\n<p><b>[Compliance considerations]<\/b><\/p>\n<p>  <\/p>\n<p>No compliance considerations identified. Review as appropriate for your organization.<\/p>\n<p>  <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1221452 | Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys ( [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15323","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=15323"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15323\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=15323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=15323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=15323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}