Microsoft is introducing passkey support for Microsoft Entra on Windows devices, bringing phishing-resistant passwordless authentication through Windows Hello.
The feature will roll out as an optional public preview from mid-March through late April 2026 for organizations worldwide. Microsoft also confirmed that government cloud environments, including GCC, GCC High, and DoD, will receive the rollout slightly later, between mid-April and mid-May.
One of the biggest changes is that passwordless authentication will now work on unmanaged Windows devices. Previously, personal or shared devices that were not connected to an organization’s Entra environment still depended on traditional passwords. With this update, users on those devices can sign in securely without using passwords.
Microsoft says users will be able to create device-bound passkeys stored in the Windows Hello security container. Authentication will then happen through Windows Hello methods such as facial recognition, fingerprint scanning, or a PIN.
Because passkeys are cryptographically bound to the device, the private key never leaves it and is never transmitted over the network. This design prevents attackers from stealing credentials through phishing, malware, or other methods often used to bypass multi-factor authentication.
Each Entra account will create its own passkey on every device it is used on. Multiple accounts can exist on the same computer, but passkeys cannot be synced across devices. As a result, users will need to register a separate passkey for each device.
Organizations that want to participate in the public preview must enable the Passkeys FIDO2 authentication method within Entra’s Authentication Methods policies. IT administrators will also need to create a passkey profile with the appropriate Windows Hello AAGUID identifiers and assign it to user groups.
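How an AAGUID restriction of this kind works on the relying-party side, as an added example that is not Microsoft's code: it parses the WebAuthn authenticator data sent at registration and checks the AAGUID against an allowlist. The AAGUIDs, the relying-party ID and all function names are constructed for illustration; the real Windows Hello AAGUIDs come from Microsoft's documentation.

```python
import hashlib
import struct
import uuid

# Constructed placeholder AAGUIDs, not real Windows Hello values.
SAMPLE_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000a1")
UNLISTED_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000b2")
ALLOWED_AAGUIDS = {SAMPLE_AAGUID}
RP_ID = "login.example.test"  # constructed relying-party ID
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authenticator data flags


def parse_auth_data(auth_data):
    """Parse the 37-byte header and, if present, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:  # attested credential data follows the header
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id}


def registration_allowed(auth_data, rp_id=RP_ID):
    """Return (allowed, reason). Attestation signature checking is out of scope
    here; without it the AAGUID is only what the authenticator claims."""
    try:
        parsed = parse_auth_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification not performed"
    if parsed["aaguid"] not in ALLOWED_AAGUIDS:
        return False, "AAGUID not in passkey profile"
    return True, "ok"


def build_auth_data(aaguid, rp_id=RP_ID, flags=FLAG_UP | FLAG_UV | FLAG_AT):
    """Build sample authenticator data (constructed input for this example)."""
    cred_id = bytes(range(16))
    return (hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id)
```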
Microsoft noted that Windows Hello for Business will remain the recommended authentication method for managed devices that are Entra-joined or registered. The new passkeys are designed mainly for unmanaged devices and cannot be used for signing into the device itself.
There is also a limitation when Windows Hello for Business credentials already exist in the same container for an account. In those cases, users will not be able to register a passkey. However, this restriction may change once a user exceeds 50 credentials across passkeys, Windows Hello for Business, and Mac platform credentials.
Microsoft has been steadily pushing toward a passwordless future. In May 2025, the company announced that all new Microsoft accounts would be passwordless by default to reduce risks from phishing, brute force attacks, and credential stuffing. Earlier, Microsoft also introduced passkey support for personal Microsoft accounts along with a built-in passkey manager in Windows 11.





