Microsoft Entra ID to Add Granular Passkey Profiles for Enhanced Authentication Control

Microsoft adds new passkey profiles to Entra ID for flexible authentication control.

Key Takeaways:

  • Microsoft is expanding Entra ID’s passkey authentication with new group-based controls.
  • The update introduces multiple passkey profiles for customized security management.
  • A wider range of passkeys and attestation formats will be supported starting next month.

Microsoft is getting ready to expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID next month. The upcoming public preview will introduce support for passkey profiles that enable granular, group-based authentication controls across organizations.

Currently, Microsoft Entra ID allows administrators to manage passkey authentication settings at the tenant-wide level. This means that the same configuration applies to all users across the organization.

How do the new passkey profiles improve authentication management?

According to Microsoft, this new feature will allow organizations to create and manage up to ten distinct passkey profiles within a single tenant. This change will give more granular control, allowing admins to define different passkey rules for different user groups. For instance, administrators will be able to enable certain types of passkeys for executives while applying stricter controls for IT staff.

“As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements: “none,” “tpm,” “packed” (AttCA type only), and Custom attestation formats ≤ 32 characters. This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID,” the company explained on the Microsoft 365 admin center.

Passkey profiles in the authentication methods policy (Image Credit: Microsoft)

Microsoft plans to begin rolling out this update in public preview in early November 2025. Administrators will be able to access these new settings at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings.

Potential security implications for enterprise environments

The upcoming change to Microsoft Entra ID’s passkey authentication will introduce a new schema that allows for multiple passkey profiles per tenant, which offers more flexibility in managing user access. However, when a tenant opts into this new model, the system automatically converts existing settings into a default profile.

If the “Enforce attestation” setting is disabled, Microsoft Entra ID will begin accepting a broader range of passkeys, including those with minimal or generic attestation statements. This change could reduce the strictness of authentication controls and potentially allow less secure or unverified passkeys to be used.

In enterprise environments, organizations typically enforce the use of specific FIDO2 keys by referencing their unique Authenticator Attestation GUIDs (AAGUIDs). The relaxed attestation policy under the new schema could bypass these protections, which makes it harder to maintain strict device-level authentication standards.
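The following is an added illustration of the two controls discussed in this article (the attestation formats quoted from Microsoft's notice and the AAGUID allow-lists organizations use); it is not Microsoft's code and does not reflect how Entra ID is implemented. It parses the authenticator data of a WebAuthn registration to recover the AAGUID, then applies a local policy that contrasts the strict posture (attestation enforced, AAGUID allow-list decisive) with the relaxed acceptance the notice describes. The allow-list entries, byte strings and the reading of "packed (AttCA type only)" as "packed with a certificate chain" are assumptions made for the demo.

```python
"""Added example (not Microsoft's code): extract the AAGUID from WebAuthn
authenticatorData and evaluate a registration against a local policy that
models the two rules discussed in the article:

  1. an organization's AAGUID allow-list of approved FIDO2 keys, and
  2. the attestation formats the notice says Entra ID will accept once
     "Enforce attestation" is disabled: "none", "tpm", "packed" (AttCA,
     i.e. with a certificate chain; assumption) and custom names <= 32 chars.

All AAGUIDs and byte strings below are constructed for the demo.
"""
import struct
import uuid

# authenticatorData layout (WebAuthn, section 6.1):
#   rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData] | [extensions]
# attestedCredentialData starts with aaguid(16) | credentialIdLength(2) | credentialId
FLAG_AT = 0x40  # attested credential data present


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from authenticatorData, raising if it is absent."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return uuid.UUID(bytes=auth_data[37:53])


# Constructed allow-list standing in for a tenant's approved security keys.
APPROVED_AAGUIDS = {
    uuid.UUID("11111111-1111-1111-1111-111111111111"),
    uuid.UUID("22222222-2222-2222-2222-222222222222"),
}


def evaluate_registration(auth_data: bytes, fmt: str, has_cert_chain: bool,
                          enforce_attestation: bool) -> tuple[bool, str]:
    """Decide whether a registration passes the local policy.

    enforce_attestation=True  -> AAGUID must be on the allow-list AND the
                                 attestation must carry a certificate chain
                                 that could be verified (strict posture).
    enforce_attestation=False -> the relaxed acceptance described in the
                                 article; the AAGUID result is only reported.
    """
    try:
        aaguid = parse_aaguid(auth_data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    on_list = aaguid in APPROVED_AAGUIDS

    if enforce_attestation:
        if not on_list:
            return False, f"rejected: AAGUID {aaguid} not on allow-list"
        if fmt == "none" or not has_cert_chain:
            return False, f"rejected: format {fmt!r} gives no verifiable attestation"
        return True, f"accepted: AAGUID {aaguid} approved, format {fmt!r} verifiable"

    # Relaxed mode: formats the notice says will be accepted.
    if fmt in ("none", "tpm"):
        ok = True
    elif fmt == "packed":
        ok = has_cert_chain  # AttCA = packed with an x5c chain (assumption)
    else:
        ok = len(fmt) <= 32  # custom attestation format names
    if not ok:
        return False, f"rejected: format {fmt!r} not accepted"
    warn = "" if on_list else " (WARNING: AAGUID not on allow-list, unverified)"
    return True, f"accepted: format {fmt!r}{warn}"


def build_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Construct a minimal authenticatorData blob for the demo (no real key)."""
    rp_id_hash = b"\x00" * 32            # constructed, not a real RP ID hash
    flags = bytes([0x01 | FLAG_AT])     # UP + AT
    sign_count = struct.pack(">I", 0)
    # credentialPublicKey is omitted; parse_aaguid does not read it.
    return (rp_id_hash + flags + sign_count + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id)


if __name__ == "__main__":
    approved = build_auth_data("11111111-1111-1111-1111-111111111111")
    unknown = build_auth_data("99999999-9999-9999-9999-999999999999")
    for case in [(approved, "packed", True, True), (unknown, "packed", True, True),
                 (unknown, "none", False, False), (unknown, "packed", False, False)]:
        print(evaluate_registration(*case))
```

The point the demo makes is the one the article raises: with attestation enforced, an unknown AAGUID is rejected outright, whereas in the relaxed mode the same registration is accepted with only a warning, so an allow-list that is not backed by verified attestation no longer constrains which devices can enroll.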