← Back
Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy
MC1188230 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-11-19 23:34:30
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2027-10-14 07:00:00
Action by (AI)
Services
Microsoft Entra
Tags
Retirement
Master tags
Admin, Security
Roadmap IDs

One-line summary

FIDO2 API properties isAttestationEnforced and keyRestrictions will be retired Oct-Nov 2027; update automations and integrations to use new passkey policy schema.

Similar updates

More like this
MC1097225 (Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview)
(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) Entra ID expands passkey policy in November 2025 public preview, enabling group-based passkey controls, new API schema, and broader attestation support for FIDO2/passkey providers. Updated November 5, 2025: We have updated the timeline.
MC1191924 Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection
Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection Microsoft Entra ID sign-in will enforce a stricter Content Security Policy, blocking non-Microsoft scripts and injected code, starting rollout in October 2026 to enhance security against XSS threats. Introduction As part of Microsoft’s .
MC693863 (Updated) Azure ACS retirement in Microsoft 365
(Updated) Azure ACS retirement in Microsoft 365 Azure Access Control Services (ACS) retires for SharePoint Online on April 2, 2026; update custom apps and integrations to use Microsoft Entra ID for authentication. Since the first use of Azure Access Control Services (ACS) by SharePoint in 2013, Microsoft has evolved the authorization and.
MC1158902 (Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards
(Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards Admins can add new properties (Role, Division, Employee ID, etc.) to Microsoft 365 profile cards from Entra ID or external HR systems; rollout starts mid-January 2026 and requires admin enablement. [Introduction] Microsoft is introducing new.
MC1189663 (Updated) Retirement of external access token for actionable messages – moving to Microsoft Entra authentication
(Updated) Retirement of external access token for actionable messages – moving to Microsoft Entra authentication Actionable messages using external access tokens retire May 15, 2026; switch to Microsoft Entra authentication to maintain functionality and improve security. Updated March 24, 2026: We have updated the timeline. [Introduction] We’re.
MC1024404 (Updated) Microsoft Entra: Browser access will be enabled by default for all Android users
(Updated) Microsoft Entra: Browser access will be enabled by default for all Android users Microsoft Entra ID device registration for Android will become hardware-bound, retiring the Enable Browser Access feature in Authenticator and Company Portal apps; change is automatic. Updated July 24, 2025: We have updated the timeline. The Enable Browser.

Details

Summary
Starting October to November 2027, Microsoft will retire the isAttestationEnforced and keyRestrictions properties from the fido2AuthenticationMethodConfiguration API. These will sync with new properties in the updated passkey policy API schema during transition. Admins must update configurations, automations, and integrations accordingly.

Body (from Message Center)

Introduction

Starting October 2027 and ending November 2027, we will retire the isAttestationEnforced and keyRestrictionsproperties from the existing fido2AuthenticationMethodConfiguration API schema. This change aligns with the latest update to the passkey policy API schema, which introduces support for granular group-based configurations with passkey profiles.

During the retirement period, isAttestationEnforced and keyRestrictions will remain in sync with their counterparts attestationEnforcement and keyRestrictions within the Default passkey profile.

When this will happen 

Retirement begins in mid-October 2027 and is expected to complete by early November 2027.

How this affects your organization:

You are receiving this message because our reporting indicates your organization may be using this feature.

Who is affected: Admins managing FIDO2 authentication configurations and any custom automations or third-party integrations using these properties.

What will happen

  • isAttestationEnforced and keyRestrictions properties will be retired.
  • New properties are available in the updated passkey policy API schema.
  • Existing properties will sync with new ones during the transition period.
  • Automations or integrations using retired properties will stop working after the change.

What you can do to prepare

  • Review your current configuration.
  • Update any custom automations and third-party integrations to support the new schema.
  • Notify your admins and update internal documentation.

Screenshot - The read arrows indicate the properties to be retired:

user settings

Learn more: fido2AuthenticationMethodConfiguration resource type | Microsoft Graph | Microsoft Learn

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": "2027-10-14T07:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Review FIDO2 configurations",
      "Update automations and integrations",
      "Notify admins",
      "Update documentation"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "FIDO2 API properties isAttestationEnforced and keyRestrictions will be retired Oct-Nov 2027; update automations and integrations to use new passkey policy schema.",
    "ai_topics": [
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Starting October to November 2027, Microsoft will retire the isAttestationEnforced and keyRestrictions properties from the fido2AuthenticationMethodConfiguration API. These will sync with new properties in the updated passkey policy API schema during transition. Admins must update configurations, automations, and integrations accordingly."
    },
    "id": "MC1188230",
    "importance": 4,
    "is_major_change": true,
    "last_modified": "2025-11-19T23:34:30Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Retirement"
    ],
    "title": "Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy"
  }
}