Microsoft brings phishing-resistant Windows sign-ins with Entra passkeys
Microsoft is rolling out Entra passkeys on Windows, giving organizations a new way to offer phishing-resistant, passwordless sign-ins through Windows Hello. The feature lets users sign in to Entra-protected resources with a face scan, fingerprint, or PIN, while storing the passkey inside the Windows Hello container on the device.
This update matters because it expands passwordless sign-ins beyond managed corporate machines. Microsoft says the new support also works on Windows devices that are not Entra-joined or registered, which closes an important gap for shared PCs, personal laptops, and bring-your-own-device setups that still often rely on passwords.
Microsoft says the rollout is opt-in and will enter public preview for worldwide tenants from mid-March through late April 2026. Government cloud environments, including GCC, GCC High, and DoD, are scheduled to follow from mid-April through mid-May.
The security pitch is straightforward. These passkeys are device-bound, which means the credential stays tied to the Windows device and does not get sent across the network during authentication. That makes them far harder to steal through phishing pages and much less useful to attackers trying to bypass weaker multi-factor sign-in flows.
Microsoft also says each Entra account registers its own passkey on each device. A single Windows PC can store passkeys for multiple Entra accounts, but those passkeys do not sync across devices, so users must register separately on every machine they use.
For IT teams, the feature will require setup before users can start enrolling. Microsoft says administrators need to enable the Passkeys (FIDO2) authentication method, create a passkey profile that includes the required Windows Hello AAGUIDs, and assign it to the right groups.
This rollout also fits into Microsoft’s broader passwordless push. In May 2025, the company announced that new Microsoft accounts would be passwordless by default, and in May 2024 it introduced passkey support for consumer Microsoft accounts across Windows and other platforms.
For organizations that want stronger sign-ins without forcing users onto security keys for every workflow, Entra passkeys on Windows could become a practical middle ground. The biggest value may be on unmanaged Windows devices, where passwordless support has often lagged behind the security options available on fully managed enterprise endpoints.
Entra passkeys on Windows at a glance
| Item | What Microsoft is adding |
|---|---|
| Feature | Microsoft Entra passkeys on Windows |
| Sign-in method | Windows Hello face, fingerprint, or PIN |
| Main benefit | Phishing-resistant passwordless sign-in |
| Device type | Managed and unmanaged Windows devices |
| Storage | Device-bound passkeys in the Windows Hello container |
| Rollout | Public preview starts mid-March 2026 for worldwide tenants |
| Admin requirement | Opt-in setup through Entra authentication policies |
Source basis: Microsoft 365 Message Center and Microsoft documentation.
Why this matters
- It reduces reliance on passwords for Windows sign-ins.
- It brings phishing-resistant sign-ins to unmanaged Windows devices.
- It keeps the passkey bound to the device instead of sending it over the network.
- It gives IT admins another passwordless option inside the Entra ecosystem.
What admins need to do
- Enable **Passkeys (FIDO2)** in Entra authentication methods policies.
- Create a Windows passkey profile with the required Windows Hello AAGUIDs.
- Assign the profile to the correct user groups.
- Pilot the feature before broad deployment. This last step is a practical recommendation based on the preview status.
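The admin steps above, as an added example that is not from the article or Microsoft's documentation: a Microsoft Graph PowerShell script that enables the Passkeys (FIDO2) method, restricts registration to an AAGUID allow list and scopes it to a pilot group. It assumes the Microsoft.Graph SDK is installed; the AAGUID and group id are placeholders to replace with Microsoft's published Windows Hello AAGUIDs and your pilot group's object id, and it uses the FIDO2 policy's key-restriction settings rather than the passkey-profile screen the article mentions, which is an assumption about equivalence.

```powershell
# Added example (not the article's or Microsoft's code). Requires Microsoft.Graph SDK.
# Scope: write access to authentication method policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# PLACEHOLDER values: replace with the Windows Hello AAGUIDs Microsoft publishes
# for this feature and with the object id of your pilot group.
$windowsHelloAaguids = @(
    "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER Windows Hello AAGUID
)
$pilotGroupId = "PLACEHOLDER-PILOT-GROUP-OBJECT-ID"

$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Enable the method, allow only the listed AAGUIDs, and target the pilot group
# (attestation enforcement is left at the tenant's current setting on purpose).
$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"      # registrations outside the allow list are rejected
        aaGuids         = $windowsHelloAaguids
    }
    includeTargets                   = @(
        @{ targetType = "group"; id = $pilotGroupId; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the policy back and confirm the state, allow list and targets took effect
$config = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri -OutputType PSObject
$config | Select-Object state, isSelfServiceRegistrationEnabled
$config.keyRestrictions
$config.includeTargets
```

Run it against the pilot group only, then widen `includeTargets` once sign-ins from both managed and unmanaged Windows devices have been verified.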
FAQ
What are Entra passkeys on Windows?
They are device-bound passkeys stored in the Windows Hello container that let users sign in to Entra-protected resources with Windows Hello instead of a password.
Why are they phishing-resistant?
Because the credential stays on the device and is not transmitted like a password, which makes standard phishing attacks far less effective.
Do they work on unmanaged Windows devices?
Yes. Microsoft says the feature extends passwordless authentication to Windows devices that are not Entra-joined or registered.
Do the passkeys sync across devices?
No. Microsoft says the passkeys are device-bound, so each Entra account needs separate registration on each device.
Is the feature enabled by default?
No. Microsoft says the feature is opt-in and requires admin configuration in Entra.