The short answer. As of March 2026, Microsoft made passkey profiles and synced passkeys generally available in Microsoft Entra ID, and in May 2026 raised the passkey policy to a dedicated 20 KB allocation and the profile cap from 3 to 10. Passkeys are phishing-resistant and included in all Entra ID editions, including Free. Roll them out in three moves: enable passkey profiles, scope a device-bound, attested profile to admins, then require passkeys for sensitive apps with a Conditional Access authentication strength.

Published · HI Tech Hui · ~6 min read

Why this matters for Hawaii businesses

Most credential theft we respond to does not break MFA — it walks around it. Adversary-in-the-middle phishing kits relay a one-time code or steal a session token in real time, and the victim never knows. Passkeys close that door: they are cryptographically bound to the relying party, so a credential issued for your Microsoft 365 tenant simply will not work against an attacker’s lookalike page. Microsoft describes passkeys as keys that are “cryptographically bound to each device and never transmitted over the network” (Microsoft Learn).

Until recently, the blocker for managed IT teams was operational, not technical: you could enable passkeys tenant-wide, but you could not easily run a different policy for executives than for frontline staff. That changed in March 2026, when Microsoft moved passkey profiles and synced passkeys to general availability, with group-based configuration and per-group attestation control (Microsoft Entra releases). In May 2026, Microsoft expanded the passkey policy to a dedicated 20 KB allocation and raised the maximum passkey profiles per tenant from 3 to 10 (Microsoft Entra releases). The platform is now ready for a real rollout.

Synced vs. device-bound: pick the right tool per group

Microsoft Entra ID supports two passkey types, and the distinction drives your whole rollout design (Microsoft Learn):

  • Device-bound passkeys. The private key is created and stays on one device — a FIDO2 security key or Microsoft Authenticator on iOS/Android. These support attestation, so Entra can verify the authenticator’s make and model against trusted metadata.
  • Synced passkeys. The private key is encrypted on the device and synced to a cloud provider such as Apple iCloud Keychain or Google Password Manager, so it follows the user across devices. Synced passkeys do not support attestation; Microsoft advises treating them “as phishing-resistant credentials but with the same security posture as other unattested authenticators” (Microsoft Learn).

The practical read for a Hawaii SMB: synced passkeys are the low-friction default that gets ordinary users off SMS and app-prompt MFA fast. Device-bound, attested passkeys are what you reserve for the accounts that can hurt you — global admins, finance approvers, engineering.

Passkey profiles: one policy per audience

A passkey profile is a named set of rules — passkey type, attestation enforcement, and authenticator (AAGUID) restrictions — that you target at specific groups (Microsoft Learn). Microsoft’s own example splits high-privilege accounts from the rest of the workforce:

  • Profile A — IT admins, executives, engineering: device-bound only, attestation enforced. The tenant can prove these credentials come from a known, genuine authenticator.
  • Profile B — HR, sales, general staff: device-bound or synced allowed, attestation off. Lower friction, broad adoption.

When you opt in to passkey profiles, your existing global passkey settings transfer to a Default passkey profile automatically, so nothing breaks for users who already registered (Microsoft Learn). One caution worth flagging to leadership: after you opt in to passkey profiles, you cannot opt back out. It is a one-way door, so confirm the design before you flip it.

The three-step rollout we run for clients

  1. Enable passkey profiles and set self-service. In the Entra admin center under Security > Authentication methods > Policies > Passkey (FIDO2), opt in to passkey profiles and set Allow self-service set up to Yes so users can register their own passkey from the Security info page (Microsoft Learn).
  2. Create an admin profile with attestation enforced. Add a device-bound profile, set Enforce attestation to Yes, and target your privileged-role group. Remember Microsoft’s rule: attestation is checked only at registration time, so enforce it before admins enroll, not after (Microsoft Learn). A passkey an admin registered before you flipped the setting is not re-evaluated; if you need it to be attested, the admin has to delete it and register again.
  3. Require passkeys with Conditional Access. Use the built-in Phishing-resistant MFA authentication strength (which also accepts Windows Hello for Business and certificate-based authentication), or build a custom strength that allows only passkeys (FIDO2), and scope it to admin roles or your most sensitive applications (Microsoft Learn). Start the policy in report-only mode and exclude your break-glass accounts before you enforce it.
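The tenant-wide parts of steps 1 and 3 can be scripted with Microsoft Graph PowerShell. The block below is an added example written for this article, not Microsoft’s code or an official rollout script: it checks and enables self-service passkey registration on the Passkey (FIDO2) method, creates a custom authentication strength that accepts only `fido2`, and creates a report-only Conditional Access policy that requires it for a privileged group. Creating the attested admin passkey profile itself (step 2) is left to the portal path described above. The group ID and break-glass account ID are hypothetical placeholders you replace with your own.

```powershell
# Added example (not from the original post or Microsoft Learn). Requires the
# Microsoft.Graph.Authentication module; calls go straight to the Graph REST API.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess'

$privilegedGroupId = '00000000-0000-0000-0000-000000000000'   # hypothetical: your admin group
$breakGlassUserId  = '11111111-1111-1111-1111-111111111111'   # hypothetical: emergency-access account

# Step 1: enable the Passkey (FIDO2) method and self-service registration.
$fido2Uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
$fido2 = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
"Passkey (FIDO2) before: state=$($fido2.state) selfService=$($fido2.isSelfServiceRegistrationEnabled) attestation=$($fido2.isAttestationEnforced)"

Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -Body @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
}

# Step 3a: a custom authentication strength that accepts only passkeys (FIDO2).
# The built-in "Phishing-resistant MFA" strength (id ...0004) also allows Windows
# Hello for Business and certificate-based auth; this one is deliberately narrower.
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies' `
    -Body @{
        displayName         = 'Passkey (FIDO2) only'
        description         = 'Require a passkey; no other authentication method combinations'
        allowedCombinations = @('fido2')
    }

# Step 3b: require that strength for the privileged group, in report-only mode.
# Break-glass accounts are excluded so a passkey outage cannot lock out the tenant.
$policy = @{
    displayName = 'Require passkey for privileged users (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($privilegedGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.id }
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $policy
"Created report-only policy $($created.id) using authentication strength $($strength.id)"
```

Run it once, review the report-only results in the sign-in logs for a week or two, then switch the policy state to `enabled`. If you would rather use the built-in Phishing-resistant MFA strength, replace `$strength.id` with `00000000-0000-0000-0000-000000000004` and skip the POST that creates the custom one.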

Drive adoption without nagging by hand: Microsoft made passkey support in registration campaigns generally available in May 2026, so you can nudge users to register a passkey during sign-in (Microsoft Entra releases).

Operational details that trip teams up

  • Authenticator versions. If a profile targets both device-bound and synced passkeys in Microsoft Authenticator, users need iOS 6.8.37 or Android 6.2507.4749 or later (Microsoft Learn).
  • Recent MFA required to register. Users must have completed MFA within the past five minutes before they can register a passkey (Microsoft Learn).
  • Guests are not in scope. Passkey registration is not supported for internal or external guest (B2B) users in the resource tenant — plan a separate phishing-resistant path for them (Microsoft Learn).
  • Key restrictions apply retroactively. If you remove a previously allowed AAGUID, users who registered with that authenticator can no longer sign in with it, even though the registration still exists. Inventory what your users have registered before you change key restrictions, and give affected users a window to re-register on an allowed key (Microsoft Learn).
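Because attestation is only evaluated at registration and AAGUID restrictions cut off existing registrations, the check you want before tightening either setting is an inventory of what your privileged users have already registered. The script below is an added example written for this article, not Microsoft’s code: it walks a group, lists each member’s FIDO2 methods through Graph, and flags passkeys that are unattested or whose AAGUID is outside the allow-list you are about to enforce. The group ID and the AAGUID allow-list are hypothetical placeholders.

```powershell
# Added example (not from the original post or Microsoft Learn). Read-only:
# it needs only authentication-method and group-member read permissions.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All'

$privilegedGroupId = '00000000-0000-0000-0000-000000000000'   # hypothetical: your admin group
# Hypothetical allow-list: the AAGUIDs of the hardware key models you intend to keep.
$allowedAaguids = @('22222222-2222-2222-2222-222222222222')

function Get-PasskeyInventory {
    param([string]$GroupId, [string[]]$AllowedAaguids)

    # OData cast to user so we get userPrincipalName; follow nextLink for large groups.
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/microsoft.graph.user?`$select=id,userPrincipalName"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) {
            $keys = Invoke-MgGraphRequest -Method GET `
                -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)/authentication/fido2Methods"

            if (-not $keys.value) {
                # No passkey at all: this user will be blocked by a passkey-only policy.
                [pscustomobject]@{ User = $u.userPrincipalName; Model = $null; AaGuid = $null
                                   Attestation = $null; Registered = $null; Finding = 'NO_PASSKEY' }
                continue
            }
            foreach ($k in $keys.value) {
                $findings = @()
                # attestationLevel is 'attested' or 'notAttested'; synced passkeys are never attested.
                if ($k.attestationLevel -ne 'attested')      { $findings += 'UNATTESTED' }
                # A key whose AAGUID leaves the allow-list stops working the moment the restriction lands.
                if ($AllowedAaguids -notcontains $k.aaGuid)  { $findings += 'AAGUID_NOT_ALLOWED' }
                [pscustomobject]@{
                    User        = $u.userPrincipalName
                    Model       = $k.model
                    AaGuid      = $k.aaGuid
                    Attestation = $k.attestationLevel
                    Registered  = $k.createdDateTime
                    Finding     = if ($findings) { $findings -join ',' } else { 'OK' }
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

Get-PasskeyInventory -GroupId $privilegedGroupId -AllowedAaguids $allowedAaguids |
    Sort-Object Finding, User | Format-Table -AutoSize
```

Anyone in the `UNATTESTED` or `AAGUID_NOT_ALLOWED` rows needs to register a passkey on an approved, attested authenticator before you enforce attestation on their profile or remove the old AAGUID; anyone in `NO_PASSKEY` will fail a passkey-only Conditional Access policy outright. Re-run it after the registration campaign to confirm the list is empty.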

Where this fits in your identity roadmap

Passkeys are the phishing-resistant control we pointed to when we wrote about AiTM phishing and Microsoft 365 token theft, and they pair directly with the break-glass and Conditional Access work in our Azure MFA mandate readiness audit. If you are mapping out which identity controls to fund first, this is near the top: high impact, no added license cost, and now fully GA.

FAQ for executives

Will this cost us more in Microsoft licensing?

Not for the passkeys themselves. Microsoft states passkeys (FIDO2) are available in all Entra ID editions including Free (Microsoft Learn). The Conditional Access authentication strength policy you use to require a passkey for sensitive apps needs Microsoft Entra ID P1 or higher, which most business-tier Microsoft 365 plans already include.

What about users without a smartphone or security key?

Synced passkeys stored in a browser-based provider (for example, Google Password Manager in Chrome on a managed laptop) cover users who do not carry a phone. For high-privilege roles, budget for a small number of hardware FIDO2 keys so attested, device-bound sign-in does not depend on personal devices.

Want passkeys rolled out without breaking sign-in for your team? HI Tech Hui provides managed IT and cybersecurity services — including Microsoft Entra identity hardening, Conditional Access design, and 24/7 monitoring through our SOC. Contact us for a phishing-resistant authentication readiness review.

Ready when you are

Let’s scope your IT & security plan.

Talk with a Honolulu-based engineer about managed IT, cybersecurity, or a 24/7 SOC handoff. We’ll review your current environment, identify the highest-impact gaps, and outline a clear next step — with no obligation.

HI Tech Hui team