Microsoft Introduces Entra Passkeys on Windows to Enable Passwordless Sign-In

A new step toward phishing-resistant authentication and reduced reliance on passwords.


Key Takeaways:

  • Microsoft Entra passkeys bring passwordless, phishing-resistant sign-in to Windows.
  • This feature uses Windows Hello (face, fingerprint, PIN) and stores passkeys securely on-device.
  • It supports unmanaged Windows PCs, letting users access Entra apps securely without traditional passwords.

Microsoft is adding support for Microsoft Entra passkeys on Windows to enhance security with phishing-resistant, passwordless access to Entra-protected cloud resources. The feature leverages Windows Hello (including face recognition, fingerprint, or PIN) to securely store and use passkeys directly on the device for seamless sign-in.

Microsoft Entra passkeys are a passwordless sign-in method that lets users securely access Entra-protected apps and services without typing a password. Instead of a shared secret, a passkey uses public-key cryptography: the private key is stored on the user's device and is unlocked through Windows Hello (face recognition, fingerprint, or a PIN), while the service holds only the public key. This makes authentication far more resistant to phishing and credential theft while simplifying the user experience.

Expanding security to unmanaged devices

According to Microsoft, this update brings passwordless authentication to unmanaged Windows PCs. It addresses a long-standing limitation where personal and shared devices had to depend on traditional passwords.

“This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). It also expands passwordless authentication to Windows devices that aren’t Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords,” the company explained on the Microsoft 365 admin center.

Microsoft notes that a single Windows device can store multiple passkeys, one per Entra account. However, passkeys are device-bound and do not sync between devices, so each device must be registered separately for each Microsoft Entra account.

Windows Hello for Business remains the preferred option for managed, Entra-joined, or Entra-registered devices. Passkeys are intended to complement it by enabling secure access from unmanaged PCs; they are not designed for device sign-in. Microsoft notes that Conditional Access and authentication strength policies continue to apply without changes unless passkeys are enabled.

How to enable Microsoft Entra passkeys on Windows?

To enable Entra passkeys on Windows, administrators need to enable the Passkeys (FIDO2) authentication method in the Authentication methods policy, create a passkey profile that includes the required Windows Hello AAGUIDs, and assign that profile to the appropriate groups.

Microsoft Entra passkeys support on Windows will begin rolling out in public preview later this month, with general availability for commercial customers expected in mid-April. The feature is off by default and stays disabled unless an organization deliberately opts in.

Lastly, Microsoft notes that passkeys do not replace Windows Hello for Business on managed devices and cannot be used for device sign-in. Customers generally cannot register a passkey if a Windows Hello for Business credential already exists for the same account, with limited exceptions at very high credential counts.