Microsoft to roll out Entra passkeys on Windows in late April
Source: Bleeping Computer
Overview
Microsoft will roll out passkey support for phishing‑resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April. The feature is expected to reach general availability by mid‑June 2026 and will also extend passwordless sign‑in to unmanaged Windows devices.
Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies.
“Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft said in a Message Center update.
“This expands passwordless authentication support to Windows devices that aren’t Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios.”
The new security feature will be available in organizations that have enabled Microsoft Entra ID with passkeys in the Authentication Methods policy for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e.g., from corporate‑managed, personal, or shared devices).
It also enables the creation of FIDO2 passkeys stored in a secure local credential container that can only be used for authentication to Microsoft Entra ID via Windows Hello (facial recognition, fingerprint, or PIN). This differs from Windows Hello for Business, which also enables device sign‑ins.
Feature comparison
| Feature | Microsoft Entra passkey on Windows | Windows Hello for Business |
|---|---|---|
| Standard base | FIDO2 | FIDO2 for authentication, first‑party (1P) protocol for device sign‑in |
| Registration | User‑initiated; doesn’t require device join or registration. Automatically provisioned on some Entra‑joined or registered devices during device registration. | Same |
| Device sign‑in & SSO | N/A | Enables device sign‑in and SSO to Microsoft Entra‑integrated resources after device sign‑in |
| Credential binding | Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. | Primarily a device‑bound sign‑in method linked to device trust. Credential tied only to the work or school account used to register the device. |
| Management | Microsoft Entra ID Authentication methods policy, Microsoft Intune, Group Policy | Same |
Security benefits
- Passkeys are cryptographically bound to each device and never transmitted over the network, preventing attackers from stealing them during phishing or malware attacks.
- Closes a security gap that previously left personal and shared devices reliant on password‑based Microsoft Entra ID authentication.
Recent threat landscape
In recent months, threat actors have heavily targeted Microsoft Entra single sign‑on (SSO) accounts using stolen credentials in a wave of SaaS data‑theft attacks:
- Hackers target Microsoft Entra accounts in device‑code vishing attacks
- ShinyHunters claim to be behind SSO account data‑theft attacks
- Mandiant details how ShinyHunters abuse SSO to steal cloud data
BleepingComputer reached out to Microsoft for more details, but a response was not immediately available.
Related security updates
-
In October 2024, Microsoft announced that MFA registration would become mandatory when security defaults are enabled, as part of the Secure Future Initiative launched in November 2023.
Microsoft Entra security defaults to make MFA setup mandatory -
In May 2025, Microsoft announced that all new Microsoft accounts will be “passwordless by default” to protect against brute‑force, credential‑stuffing, and phishing attacks.
Microsoft makes all new accounts passwordless by default
(image retained for context)