← Back
(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview)
MC1097225 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-11-05 23:44:51
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
Microsoft Entra
Tags
Updated message, Feature update, User impact, Admin impact, Retirement
Master tags
Security
Roadmap IDs

One-line summary

Entra ID expands passkey policy in November 2025 public preview, enabling group-based passkey controls, new API schema, and broader attestation support for FIDO2/passkey providers.

Similar updates

More like this
MC1188230 Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy
Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy FIDO2 API properties isAttestationEnforced and keyRestrictions will be retired Oct-Nov 2027; update automations and integrations to use new passkey policy schema. Introduction Starting October 2027 and ending November 2027, we will ... This.
MC1088732 Microsoft Teams: Important updates for Android-based Teams devices – Authentication changes coming soon
Microsoft Teams: Important updates for Android-based Teams devices – Authentication changes coming soon Teams Android devices must update to specified app versions for modern Entra ID authentication by Dec 31, 2025, or risk service disruption; enhanced security features will be enabled. To enhance security capabilities such as Continuous Access.
MC1171846 Microsoft Teams: Agent and bot support for Entra authentication in group chats
Microsoft Teams: Agent and bot support for Entra authentication in group chats Agents and bots in Teams group chats can now request Entra authentication, prompting users to install Teams or grant consent as needed; feature enabled by default starting November 3, 2025. Agents and bots in Microsoft Teams group chats will now be able to.
MC1158902 (Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards
(Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards Admins can add new properties (Role, Division, Employee ID, etc.) to Microsoft 365 profile cards from Entra ID or external HR systems; rollout starts mid-January 2026 and requires admin enablement. Updated December 16, 20... [Introduction] .
MC1191924 Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection
Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection Microsoft Entra sign-in pages will enforce a stricter Content Security Policy in October 2026, blocking non-Microsoft scripts and injected code to enhance protection against XSS threats. Introduction As part of Microsoft’s Secure Future.
MC1024404 (Updated) Microsoft Entra: Browser access will be enabled by default for all Android users
(Updated) Microsoft Entra: Browser access will be enabled by default for all Android users Microsoft Entra ID device registration for Android will become hardware-bound, retiring the Enable Browser Access feature in Authenticator and Company Portal apps; change is automatic. Updated July 24, 2025: We have updated the timeline. ...er Access .

Details

Summary
In November 2025, Microsoft Entra ID will preview passkey profiles in the authentication methods policy, enabling group-based passkey controls and new API schema. Rollout occurs worldwide early November and GCC mid-November. No admin action is needed before rollout; admins should review configurations and update documentation.

Body (from Message Center)

Updated November 5, 2025: We have updated the timeline for Preview and the content below. Thank you for your patience.

In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes.

[When this will happen:]

Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025 (previously early December).

Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025.

[How this will affect your organization:]

After this rollout, you'll be able to apply different passkey configurations per user group. For example, you will be able to:

  • Allow the use of specific FIDO2 security key models for user group A
  • Allow the use of passkeys in Microsoft Authenticator for user group B

Important: If your organization opts-in to the new admin UX, a Default passkey profile will automatically be populated with your existing policy configurations. Once you modify and save the Default passkey profile, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability.

These new settings will be available at Entra admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings:

admin controls

As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements:

  • “none” 
  • “tpm” 
  • “packed” (AttCA type only) 
  • Custom attestation formats ≤ 32 characters
  • “packed” (self) should be deployed from early January 2026 to early February 2026 

This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors

[What you need to do to prepare:]

This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to review your current passkey configuration, notify your admins about this change, and update internal documentation.

Learn more about passkeys in Microsoft Entra ID: Enable passkeys for your organization - Microsoft Entra ID | Microsoft Learn (will be updated before rollout)

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review current passkey configuration",
      "Notify admins of changes",
      "Update internal documentation"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Entra ID expands passkey policy in November 2025 public preview, enabling group-based passkey controls, new API schema, and broader attestation support for FIDO2/passkey providers.",
    "ai_topics": [
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "In November 2025, Microsoft Entra ID will preview passkey profiles in the authentication methods policy, enabling group-based passkey controls and new API schema. Rollout occurs worldwide early November and GCC mid-November. No admin action is needed before rollout; admins should review configurations and update documentation."
    },
    "id": "MC1097225",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-11-05T23:44:51Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Feature update",
      "User impact",
      "Admin impact",
      "Retirement"
    ],
    "title": "(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview)"
  }
}