Microsoft Entra passkeys for Windows arriving late April

Summary

– Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra-protected resources from Windows devices starting late April, with general availability expected by mid-June 2026.
– The feature extends passwordless sign-in to unmanaged Windows devices, including personal and shared devices, and supports corporate, personal, and shared device scenarios.
– Users can create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods like face, fingerprint, or PIN.
– Passkeys are cryptographically bound to each device and never transmitted over the network, preventing theft during phishing or malware attacks.
– This feature closes a security gap that previously left personal and shared devices reliant on password-based Microsoft Entra ID authentication.

Microsoft is set to launch passkey support for phishing-resistant passwordless authentication on Windows devices later this month, targeting Microsoft Entra-protected resources. The rollout is scheduled to begin in late April, with general availability expected by mid-June 2026. This update will also enable passwordless sign-in on unmanaged Windows devices, broadening the scope of secure access.

According to Microsoft, Entra passkeys on Windows will work across corporate, personal, and shared devices, with IT administrators maintaining control through Conditional Access and Authentication Methods policies. The company explained in a message center update that users can create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods such as face, fingerprint, or PIN. This extends passwordless authentication to Windows devices that are not Microsoft Entra-joined or registered, helping organizations bolster security and reduce password reliance across various device scenarios.

The feature will be available in organizations that have enabled “Microsoft Entra ID with passkeys” in the Authentication Methods policy. It applies to users signing in to Windows devices not already joined or registered with Microsoft Entra ID, provided Conditional Access policies permit access from corporate-managed, personal, or shared devices.

A key distinction is that Microsoft Entra passkeys allow the creation of FIDO2 passkeys stored in a secure local credential container. These passkeys are used exclusively for authentication to Microsoft Entra ID via Windows Hello, using facial recognition, fingerprint, or PIN. This differs from Windows Hello for Business, which also supports device sign-ins. The table below highlights the differences:

  • Feature: Microsoft Entra passkey on Windows vs. Windows Hello for Business

Importantly, passkeys are cryptographically bound to each device and never transmitted over the network. This design prevents attackers from stealing them during phishing or malware attacks to bypass multifactor authentication.

While Microsoft did not specify the exact reason for adding this feature, Microsoft Entra passkeys on Windows close a security gap that previously left personal and shared devices dependent on password-based Microsoft Entra ID authentication. This vulnerability has been exploited in recent months, with threat actors targeting Microsoft Entra single sign-on (SSO) accounts using stolen credentials in a wave of SaaS data-theft attacks. BleepingComputer reached out to Microsoft for further comment but did not receive an immediate response.

In related security efforts, Microsoft announced in October 2024 that it would improve Entra tenant security by making multifactor authentication (MFA) registration mandatory when security defaults are enabled, part of the Secure Future Initiative launched in November 2023. Additionally, in May 2025, the company revealed that all new Microsoft accounts would be “passwordless by default” to protect against brute-force, credential stuffing, and phishing attacks.
(Source: BleepingComputer)
