{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreieviv4jktsd2cvbmf27oehnxbfxcqlwdmllkxytdeoqa2ho6sd7he",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mh7rjep4fn22"
},
"description": "Starting April 2026, Microsoft Registration Campaigns will support Passkeys (FIDO2) as an additional authentication method, enabling phishing-resistant credentials. Eligible Microsoft 365 tenants can opt users into Passkey registration nudges during sign-in. Changes will roll out gradually, affec...",
"path": "/m365-message-center/message/mc1253746/",
"publishedAt": "2026-03-17T01:00:10.000Z",
"site": "https://blog.tophhie.cloud",
"tags": [
"passkey profile restrictions",
"How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn"
],
"textContent": "**[Introduction]**\n\nAs previously announced in _MC1221452_, **Microsoft Registration Campaigns** will support **Passkeys (FIDO2)** as an **additional authentication method** starting in early April 2026. This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.\n\n**[When this will happen]**\n\n**General Availability (Worldwide):** We will begin rolling out in **early April 2026** and expect to complete in **late May 2026**.\n\n**[How this affects your organization]**\n\n_Who is affected_\n\n * Microsoft 365 tenants using Microsoft Registration Campaigns\n * Tenants configured in either **Microsoft‑managed** or **Enabled** states\n * Users who are **MFA‑capable** and **eligible for Passkeys (FIDO2)**\n\n\n\n_What will happen_\n\n**_Microsoft‑managed state_**\n\nYour tenant will be impacted **when all of the following conditions are met:**\n\n * The **Passkeys (FIDO2) authentication method policy** is enabled.\n * **Allow self‑service setup** is enabled.\n * **_Target specific AAGUIDs_** is **not** selected (no AAGUID restrictions configured).\n * The **Authentication Methods Registration Campaign** state is set to **_Microsoft‑managed_**.\n\n\n\nWhen these conditions are met, the following settings will update automatically:\n\n * The targeted **authentication method** will change from **Microsoft Authenticator** to **Passkeys (FIDO2).**\n * **_Days allowed to snooze_** will change from three days to **one day.** (This setting will no longer be configurable.)\n * **_Limit number of snoozes_** will be **disabled.** (This setting will no longer be configurable.)\n * Targeting will expand to **all MFA‑capable users**. 
(This setting will no longer be configurable.)\n * Default user targeting will change from **voice call or text message users** to **all multifactor authentication (MFA)–capable users**.\n\n\n\nAffected users will receive Passkey registration nudges at sign‑in after completing MFA.\n\nWe will roll out these changes incrementally over time to in‑scope tenants.\n\n**_Enabled state_**\n\nPasskey (FIDO2) can be selected as the Targeted Authentication Method when Microsoft Registration Campaigns are in the Enabled state.\n\n_Note: Registration Campaigns support targeting only one authentication method at a time—either Microsoft Authenticator or Passkeys (FIDO2), but not both simultaneously._\n\n**[What you can do to prepare]**\n\n**Opting into Passkey Registration Nudges:**\n\nYou can opt into Passkeys and switch your users to receive a **Passkey registration nudge**. However, the nudge will only appear for the user if **all** of the following conditions are met:\n\n * The user is **MFA‑capable**\n * They have at least one registered MFA method\n * They can successfully complete MFA at sign‑in\n * Under **Authentication methods > Policies,** the **user is in scope for Passkeys (FIDO2)**\n * Under **Authentication methods > Policies > Passkeys (FIDO2) > Configure**, make sure you have **Allow self-service set up** checked.\n\n\n\n**Important Guidance:**\n\n**_Microsoft Managed State:_**\n\nWe will roll out these changes incrementally to in-scope tenants starting in early April. This rollout will take time, and even if your tenant meets the eligibility criteria, you may not see the changes immediately.\n\n**_Enabled State_**\n\nOver time, we will incrementally refine the logic for Passkeys nudges in _Microsoft Registration Campaigns_ to guide users toward the appropriate passkey registration experience based on their passkey profile scope. 
Initially, the logic may not account for every edge‑case scenario, but we are actively expanding and improving it on an ongoing basis. When users have passkey profile restrictions (for example, AAGUID restrictions), the registration experience triggered by the nudge may not be optimal.\n\n**Using Passkeys Despite Restrictions**\n\nYou can still set Passkeys as the target authentication method in Microsoft Registration Campaigns. However, users may encounter a poor or confusing experience if they have passkey profile restrictions.\n\n**Example:**\n\nIf a user is scoped into specific **AAGUID synced passkeys only**, they may see a Passkey nudge at sign‑in. If they attempt to register a **device‑bound passkey,** the registration will fail because they are not in scope for that passkey type.\n\n**Recommended next steps**\n\n * Review your Registration Campaign state by **early April 2026**.\n * Communicate this change to helpdesk or support teams.\n * Update internal documentation on authentication method enrollment.\n * If you prefer to continue targeting Microsoft Authenticator, verify this configuration before rollout.\n\n\n\n**Learn more:** How to enable passkey (FIDO2) profiles in Microsoft Entra ID (preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn",
"title": "MC1253746: Microsoft Entra: Passkeys in Microsoft registration campaigns",
"updatedAt": "2026-03-17T01:00:10.585Z"
}