Microsoft has begun rolling out passkey support for Entra ID, the cloud-based identity and access management platform at the centre of many corporate networks, in a move the company says will eliminate the single largest attack surface still facing enterprise customers: the password.
The phased deployment, confirmed by the company’s identity division late Tuesday, allows IT administrators to replace conventional passwords and even time-based one-time codes with FIDO2-compliant passkeys that are resistant to phishing, credential stuffing and replay attacks. Once enabled, staff can sign in to Windows 11, Microsoft 365 and line-of-business applications by presenting a biometric or PIN to a built-in Trusted Platform Module, YubiKey-style security key or the Microsoft Authenticator app.
“This is not another optional layer,” Alex Simons, corporate vice-president of program management for Microsoft Identity, told iTnews. “We are making it possible to remove passwords entirely from the authentication flow for Entra ID accounts, while preserving all conditional-access policies and compliance reporting enterprises rely on.”
The announcement lands amid growing board-level anxiety over credential theft. According to Microsoft’s own 2026 Security Insights Report, 85 % of all identity-based breaches traced back to weak, reused or phished passwords last year, costing Fortune 500 firms an average of US $4.95 million per incident. Redmond argues that by binding credentials to the device through public-key cryptography, passkeys render stolen usernames and passwords worthless to attackers.
Early adopters will notice a new “Passkeys” blade inside the Entra admin centre. From there, security teams can scope the capability to specific user groups, enforce attestation requirements and integrate with existing privileged identity management workflows. End-users enrolling a passkey are guided through a one-time setup that stores the private key in the Windows Hello for Business keystore or an external security key; the public key is registered with Entra ID and synchronised across Azure AD-joined, hybrid and Azure AD-registered devices.
Microsoft is not starting from scratch. The company has offered password-less options for consumer Microsoft accounts since 2021, and Windows Hello for Business has long supported FIDO2. What is different this time is the depth of integration with Entra ID’s conditional-access engine, third-party SaaS apps and the recently announced secure-by-default initiative that mandates phishing-resistant factors for staff with administrative rights.
“We have seen attackers pivot to token theft and session replay once basic multifactor authentication is in place,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said. “Passkeys close that remaining gap by making the authentication bound to the user’s device and non-exportable.”
Third-party password managers are also moving quickly to support the new capability. Bitwarden on Wednesday released a Windows 11 preview that lets enterprises store Entra passkeys in encrypted vaults while enforcing attestation policies, a feature likely to appeal to regulated industries that prohibit cloud-side private-key storage.
Industry analysts say Microsoft’s timing is strategic. Apple and Google have already committed to passkeys, and the trio now accounts for the vast majority of endpoint and browser share. “Interoperability has always been the Achilles heel of FIDO roll-outs,” commented Andrew Barratt, managing director at advisory firm Coalfire. “By baking passkeys into Entra ID, Microsoft is giving CIOs confidence that the same credential can secure Windows, Office, Teams, Power Platform and thousands of SAML/OIDC applications without vendor lock-in.”
Still, the transition will not be instantaneous. Organisations relying on legacy protocols such as IMAP, POP3 or older versions of Exchange ActiveSync will need to disable those services or create exclusion groups, because they cannot negotiate FIDO2 handshakes. Microsoft recommends a phased migration beginning with privileged users and high-risk roles, followed by knowledge workers and, finally, frontline staff who may share devices.
There are also licensing implications. Passkey management is included at no extra cost in Entra ID P1 and P2 subscriptions, but companies on the base Office 365 plan must upgrade to P1 at minimum. Microsoft insists the uplift is offset by reduced help-desk calls; Redmond’s internal IT department reported a 32 % drop in password-related tickets during a 5,000-user pilot.
Privacy advocates have raised questions about telemetry. When a passkey is created, Entra ID logs device model, biometric type and attestation metadata. Microsoft counters that the data is encrypted in transit and at rest, and that EU customers can opt into the EU Data Boundary to ensure keys and logs remain within European borders.
For now, passkeys remain optional, but Microsoft has made clear that the long-term direction is password-less by default. Group policy templates released this week contain a new “DisablePasswordAuth” setting that, when flipped, prevents users from falling back to passwords even if they try. The company expects half of all Entra ID seats to be fully password-less by 2027.
Enterprise customers can begin testing passkeys in the Entra public preview today; general availability is slated for the June quarterly update. Mobile support for iOS and Android follows in August, ensuring that the same credential can unlock Office mobile apps and browser sessions without re-enrolment.
With Apple’s desktop roadmap stuck in neutral until late 2026, Microsoft’s ability to deliver production-ready password-less authentication across Windows, Azure and Office 365 could give it a rare edge in the race to define the next decade of enterprise security.