Passkeys Aren’t Enough: Why Enforcement Matters in Entra ID

Why passkey rollouts fall short when organizations enable stronger authentication paths without enforcement using Conditional Access.


Key Takeaways:

  • Passkeys only improve security when Conditional Access enforces their use.
  • Built-in defaults often allow weaker sign-in paths than organizations realize.
  • Administrative accounts need stricter passkey policies than everyone else.

Implementing passkeys in Microsoft Entra is far more than simply enabling a new authentication method. A successful passkey rollout requires careful planning and coordination. One of the most important aspects of a passkey deployment is using Conditional Access to enforce their use. This article isn’t about how to turn passkeys on but about what tends to go wrong after you do.

Downgrade attacks don’t feel like attacks — that’s the problem

Once registered, a passkey is just another authentication method available to the user. Without Conditional Access, nothing stops a user from returning to the comfort of their password and SMS. From a security perspective, this is typically referred to as a downgrade attack. It sounds fancy, but put simply, a downgrade attack exploits the existence of a less secure authentication method registered for an account. Attackers have advanced toolkits to detect and exploit this behavior, but from an end user perspective it’s easily understood as the “sign in another way” link.

Authentication Strengths: where most deployments stop too early

The administrative controls that change this default behavior are Conditional Access and Authentication Strengths. I see a lot of organizations that use the built-in Multifactor authentication strength, and that’s only among the ones that have actually migrated away from the old Require multifactor authentication grant control in Conditional Access.

Yes, passkeys satisfy these controls, but a stricter authentication strength is how you enforce the use of only passkeys or other strong authentication methods. The other two built-in authentication strengths, Passwordless MFA and Phishing-resistant MFA, are a fair place to start, but custom authentication strengths (discussed later) allow for more control. Authentication strengths lay the foundation for Conditional Access policies.

Start with a baseline policy

The grant controls of a Conditional Access policy include Require authentication strength, which lists all configured authentication strengths, both built-in and custom. A good baseline policy to enforce passkey usage begins by targeting a security group made up of pilot users who have registered a passkey.

Start out with this policy in report-only mode and monitor sign-in activity. Once you’re ready to turn it on, this policy sets the groundwork and allows for the coordinated expansion of passkey usage across the organization. Starting with a small pilot group builds stakeholder confidence and keeps the scope narrow. As more users enroll passkeys, gradually add them to the group the policy targets. Administrative accounts, however, must follow a different path.

Strictly secure administrative accounts

A far too common theme I see in Entra tenants is a lack of administrative account protections. Considerations for administrative identities accessing the Microsoft cloud must be more stringent. As with the baseline policy, the foundation begins with the authentication strength. Configure a custom authentication strength for administrators that accepts only passkeys. The custom authentication strength should ideally limit passkeys to a specific vendor or type by adding only approved AAGUIDs.

The administrative Conditional Access policy targets only administrative accounts, enforcing the stricter passkey requirement for administrative access to the environment. Apply additional conditions for administrators, such as trusted network locations or a compliant or hybrid-joined device requirement, in separate policies. This keeps the passkey policy clean and easy to troubleshoot.
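As a worked example added here (not code from the original article), the following script builds the Microsoft Graph request bodies for both policies described above: the custom authentication strength for administrators, restricted to approved passkey AAGUIDs, and the report-only Conditional Access policy that requires a strength for a pilot group. The AAGUID, group object id and strength id are placeholders, and weak_combinations is a helper written for this example rather than a Graph feature; it flags any allowed combination that would leave a downgrade path open.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph allowedCombinations values Entra treats as phishing-resistant ("fido2" is what passkeys satisfy).
PHISHING_RESISTANT = {"fido2", "x509CertificateMultiFactor", "windowsHelloForBusiness"}

def build_admin_strength(name, aaguids):
    """Custom authentication strength that accepts only passkeys from approved AAGUIDs."""
    return {
        "displayName": name,
        "allowedCombinations": ["fido2"],
        "combinationConfigurations": [{
            "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
            "appliesToCombinations": ["fido2"],
            "allowedAAGUIDs": list(aaguids),
        }],
    }

def build_ca_policy(name, group_id, strength_id, report_only=True):
    """CA policy requiring the given strength for one group; report-only until you are ready to enforce."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {"users": {"includeGroups": [group_id]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }

def weak_combinations(strength):
    """Helper for this example: allowed combinations that still permit a downgrade to weaker methods."""
    return [c for c in strength["allowedCombinations"] if c not in PHISHING_RESISTANT]

def graph_post(path, body, token):
    """POST a body to Graph (caller supplies a token holding the Policy.ReadWrite.* scopes)."""
    req = urllib.request.Request(GRAPH + path, method="POST", data=json.dumps(body).encode(),
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req))

if __name__ == "__main__":
    # Placeholders: substitute your vendor's AAGUIDs, the pilot group's object id and the created strength's id.
    strength = build_admin_strength("Admin passkeys only", ["00000000-0000-0000-0000-000000000000"])
    assert weak_combinations(strength) == [], "strength still allows a downgrade path"
    policy = build_ca_policy("Pilot: require passkeys", "<pilot-group-object-id>", "<strength-id>")
    token = os.environ.get("GRAPH_TOKEN")  # unset: print the bodies and write nothing to the tenant
    if token:
        graph_post("/policies/authenticationStrengthPolicies", strength, token)
        graph_post("/identity/conditionalAccess/policies", policy, token)
    print(json.dumps({"strength": strength, "policy": policy}, indent=2))
```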

Enforcement is where the value shows up

Passkeys are a complex and ever-changing technology, especially in the Microsoft stack. Leveling up security to support passkeys is not enough. Allowing passkeys without enforcement is like deadbolting the front door but leaving the windows open. Enforcement is where the benefit truly lies, and it begins with hardened Conditional Access.