Microsoft to roll out Entra passkeys on Windows in late April
Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April.
The feature is expected to reach general availability by mid-June 2026 and will also extend passwordless sign-in to unmanaged Windows devices.
Microsoft says that Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies.
“Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft said in a message center update.
“This expands passwordless authentication support to Windows devices that aren’t Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios.”
The new security feature will be available in organizations that have enabled ‘Microsoft Entra ID with passkeys’ in the ‘Authentication Methods policy’ for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e.g., from corporate‑managed, personal, or shared devices).
It also enables the creation of FIDO2 passkeys stored in a secure local credential container that can only be used for authentication to Microsoft Entra ID via Windows Hello using facial recognition, fingerprint, or PIN (unlike Windows Hello for Business, which also enables device sign-ins).
| Feature | Microsoft Entra passkey on Windows | Windows Hello for Business |
|---|---|---|
| Standard base | FIDO2 | FIDO2 for authentication, first-party (1P) protocol for device sign-in |
| Registration | User-initiated, doesn’t require device join or registration | Automatically provisioned on some Microsoft Entra joined or registered devices during device registration |
| Device sign-in and single sign-on (SSO) | N/A | Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in |
| Credential binding | Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. | Primarily a device-bound sign-in method linked to device trust. The credential is tied only to the work or school account used to register the device. |
| Management | Microsoft Entra ID Authentication methods policy | Microsoft Intune Group Policy |
Additionally, passkeys are cryptographically bound to each device and never transmitted over the network, so attackers can’t steal them during phishing or malware attacks to bypass multifactor authentication.
While Microsoft didn’t share why this feature was added, Microsoft Entra passkeys on Windows close a security gap that previously left personal and shared devices reliant on password-based Microsoft Entra ID authentication.
In recent months, threat actors have heavily targeted Microsoft Entra single sign-on (SSO) accounts using stolen credentials in a wave of recent SaaS data-theft attacks.
BleepingComputer reached out to Microsoft for more details, but a response was not immediately available.
In October 2024, Microsoft said it would also improve security across Entra tenants by making multifactor authentication (MFA) registration mandatory when security defaults are enabled, as part of the company’s Secure Future Initiative, launched in November 2023, to boost cybersecurity protection across its products.
Additionally, Microsoft announced in May 2025 that all new Microsoft accounts will be “passwordless by default” to protect them against brute-force, credential stuffing, and phishing attacks.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
