Microsoft to roll out Entra passkeys on Windows in late April
Microsoft rolls out Entra passkeys on Windows in late April for phishing-resistant authentication.
Summary
Microsoft will begin rolling out passkey support for Microsoft Entra-protected resources from Windows devices in late April 2026, with general availability expected by mid-June. The feature enables phishing-resistant passwordless authentication using Windows Hello methods (face, fingerprint, or PIN) and supports corporate, personal, and shared devices. Passkeys are cryptographically bound to devices and never transmitted over the network, protecting against credential theft and phishing attacks.
Full text
Microsoft to roll out Entra passkeys on Windows in late April By Sergiu Gatlan April 24, 2026 02:13 PM 0 Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April. The feature is expected to reach general availability by mid-June 2026 and will also extend passwordless sign-in to unmanaged Windows devices. Microsoft says that Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies. "Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)," Microsoft said in a message center update. "This expands passwordless authentication support to Windows devices that aren't Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios." The new security feature will be available in organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy' for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e.g., from corporate‑managed, personal, or shared devices). It also enables the creation of FIDO2 passkeys stored in a secure local credential container that can only be used for authentication to Microsoft Entra ID via Windows Hello using facial recognition, fingerprint, or PIN (unlike Windows Hello for Business, which also enables device sign-ins). Feature Microsoft Entra passkey on Windows Windows Hello for Business Standard base FIDO2 FIDO2 for authentication, first-party (1P) protocol for device sign-in Registration User-initiated, doesn't require device join or registration Automatically provisioned on some Microsoft Entra joined or registered devices during device registration Device sign-in and single sign-on (SSO) N/A Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in Credential binding Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. Primarily a device-bound sign-in method linked to device trust. The credential is tied only to the work or school account used to register the device. Management Microsoft Entra ID Authentication methods policy Microsoft Intune Group Policy Additionally, passkeys are cryptographically bound to each device and never transmitted over the network, so attackers can't steal them during phishing or malware attacks to bypass multifactor authentication. While Microsoft didn't share why this feature was added, Microsoft Entra passkeys on Windows close a security gap that previously left personal and shared devices reliant on password-based Microsoft Entra ID authentication. In recent months, threat actors have heavily targeted Microsoft Entra single sign-on (SSO) accounts using stolen credentials in a wave of recent SaaS data-theft attacks. BleepingComputer reached out to Microsoft for more details, but a response was not immediately available. In October 2024, Microsoft said it would also improve security across Entra tenants by making multifactor authentication (MFA) registration mandatory when security defaults are enabled, as part of the company's Secure Future Initiative, launched in November 2023, to boost cybersecurity protection across its products. Additionally, Microsoft announced in May 2025 that all new Microsoft accounts will be "passwordless by default" to protect them against brute-force, credential stuffing, and phishing attacks. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Microsoft brings phishing-resistant Windows sign-ins via Entra passkeysNew KB5085516 emergency update fixes Microsoft account sign-inMicrosoft: March Windows updates break Teams, OneDrive sign-insBitwarden adds support for passkey login on Windows 11Windows 11 KB5074105 update fixes boot, sign-in, and activation issues