Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiguktzp7s22zmbeeoc3dv3uqykeeexptg6b25oyesunfml4ineewq",
    "uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mjg37574k2x2"
  },
  "description": "Microsoft Entra updates Passkeys (FIDO2) support in Authentication Methods Registration Campaigns, delaying Enabled state availability and introducing Passkeys in Microsoft-managed state for eligible tenants starting mid-May 2026. Eligible tenants will see automatic campaign setting changes; no i...",
  "path": "/m365-message-center/message/mc1279092/",
  "publishedAt": "2026-04-14T00:00:06.000Z",
  "site": "https://blog.tophhie.cloud",
  "tags": [
    "MC1253746."
  ],
  "textContent": "**[Introduction]**\n\nWe are making an update to Passkeys (FIDO2) support within Microsoft Entra Authentication Methods Registration Campaigns.\n\nBased on ongoing improvements to passkey registration nudge logic and user experience behavior, Passkeys (FIDO2) will no longer move forward to General Availability as the targeted authentication method for Registration Campaigns in the**Enabled state** as previously communicated in MC1253746. \n\nInstead, we are continuing to refine the eligibility logic that determines when users receive passkey registration nudges during sign-in. In the interim, Passkey (FIDO2) will move forward as the targeted authentication method for Registration Campaigns in the **Microsoft Managed state** for tenants that meet our in-scope criteria.\n\n**[When this will happen]**\n\n  * **General Availability (Worldwide)** : Rollout will begin in **mid‑May 2026** to Microsoft Managed state and is expected to complete by**late June 2026**.\n\n\n\n**[How this affects your organization]**\n\n_Who is affected_\n\n  * Microsoft Entra tenants using **Authentication Methods Registration Campaigns**\n  * Tenants with **Passkeys (FIDO2)** enabled\n  * Only tenants that meet the Microsoft‑managed eligibility criteria described below\n\n\n\n _What will happen_\n\n**Enabled state**\n\n  * Passkeys (FIDO2) will **not** be supported as the targeted authentication method for Registration Campaigns in the **_Enabled_** state at this time.\n  * We are continuing to improve registration campaign nudge behavior and eligibility logic to better align with passkey configuration and profile scope.\n  * Further updates will be shared when support for the Enabled state becomes available.\n\n\n\n**Microsoft‑managed state**\n\n  * Passkeys (FIDO2) will be introduced as the targeted authentication method in the**Microsoft‑managed** state for eligible tenants.\n\n\n\nTenants are impacted when **all** of the following conditions are met:\n\n  * The **Passkeys (FIDO2)** authentication method policy is**_Enabled_**.\n  * **Allow self‑service setup** is** _Enabled_**.\n  * **Target specific AAGUIDs** is **not** selected (no AAGUID restrictions configured).\n  * The Authentication Methods Registration Campaign state is set to **Microsoft‑managed**.\n  * The tenant has at least one user enabled for **both synced passkeys and device‑bound passkeys**.\n\n\n\nOnly users who are enabled for **both synced and device‑bound passkeys** , with **no passkey profile restrictions** configured****(for example, attestation enforcement or AAGUID restrictions), will receive a passkey registration nudge during sign‑in.\n\nFor impacted tenants, the following Registration Campaign settings will be automatically updated:\n\n  * **Targeted authentication method** changes from Microsoft Authenticator to Passkeys (FIDO2).\n  * **Days allowed to snooze** changes from 3 days to 1 day (no longer configurable).\n  * **Limited number of snoozes** changes from _**** Enabled _to _Disabled_ (no longer configurable).\n  * **Default user targeting** changes from voice call or text message users to all MFA‑capable users.\n\n\n\nAfter these changes take effect, targeted users will begin receiving passkey registration nudges during sign‑in **after completing multifactor authentication**.\n\nRollout will occur incrementally across eligible Microsoft Entra tenants.\n\n**[What you can do to prepare]**\n\nNo action is required at this time.\n\nIf you plan to enable passkey registration nudges in the future:\n\n  * Ensure users are enabled for **both synced and device‑bound passkeys**.\n  * Remove any **passkey profile restrictions**(such as AAGUID or attestation requirements).\n  * Set your Authentication Methods Registration Campaign to **Microsoft‑managed**.\n\n\n\n**[Compliance considerations]**\n\n**Question**| **Answer**\n---|---\nDoes the change include an admin control, and can it be controlled through Microsoft Entra settings?| Yes. This change is governed by existing Microsoft Entra Authentication Methods policies and Authentication Methods Registration Campaign configuration. Administrators control whether passkey registration nudges are delivered by enabling passkeys, configuring self‑service setup, and setting the registration campaign to the Microsoft‑managed state.",
  "title": "MC1279092: Microsoft Entra: Passkeys in registration campaigns update",
  "updatedAt": "2026-04-14T00:00:06.609Z"
}