← Back
Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy
MC1188230 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-11-19 23:34:30
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2027-10-14 07:00:00
Action by (AI)
Services
Microsoft Entra
Tags
Retirement
Master tags
Security
Roadmap IDs

One-line summary

FIDO2 API properties isAttestationEnforced and keyRestrictions will be retired Oct-Nov 2027; update automations and integrations to use new passkey policy schema.

Similar updates

More like this
MC1097225 (Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview)
(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) Entra ID expands passkey policy in November 2025 public preview, enabling group-based passkey controls, new API schema, and broader attestation support for FIDO2/passkey providers. Updated November 5, 2025: We have updated the timeline.
MC693863 (Updated) Azure ACS retirement in Microsoft 365
(Updated) Azure ACS retirement in Microsoft 365 Azure ACS will retire for SharePoint Online on April 2, 2026; update custom apps and integrations to use Microsoft Entra ID to maintain access. Since the first use of Azure Access Control Services (ACS) by SharePoint in 2013, Microsoft has evolved the authorization and authentication options for.
MC1191924 Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection
Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection Microsoft Entra sign-in pages will enforce a stricter Content Security Policy in October 2026, blocking non-Microsoft scripts and injected code to enhance protection against XSS threats. Introduction As part of Microsoft’s Secure Future.
MC1189663 Retirement of external access token for actionable messages – moving to Microsoft Entra authentication
Retirement of external access token for actionable messages – moving to Microsoft Entra authentication External access tokens for actionable messages retire on March 31, 2026; switch integrations to Microsoft Entra authentication to maintain functionality and improve security. [Introduction] We’re retiring the use of external access tokens for .
MC1158902 (Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards
(Updated) Microsoft Outlook: New third-party enriched properties available for customizing profile cards Admins can add new properties (Role, Division, Employee ID, etc.) to Microsoft 365 profile cards from Entra ID or external HR systems; rollout starts mid-January 2026 and requires admin enablement. [Introduction] Microsoft is introducing new.
MC1029989 Reminder: "Require approved client app" control in Microsoft Entra Conditional Access will be retired in March 2026
Reminder: "Require approved client app" control in Microsoft Entra Conditional Access will be retired in March 2026 In March 2026, Entra ID and Intune will retire the 'Require approved client app' Conditional Access control; switch to 'Require application protection policy' instead. As mentioned in MC540749, in March 2026, Microsoft Entra ID.

Details

Summary
Starting October to November 2027, Microsoft will retire the isAttestationEnforced and keyRestrictions properties from the fido2AuthenticationMethodConfiguration API. These will sync with new properties in the updated passkey policy API schema during transition. Admins must update configurations, automations, and integrations accordingly.

Body (from Message Center)

Introduction

Starting October 2027 and ending November 2027, we will retire the isAttestationEnforced and keyRestrictionsproperties from the existing fido2AuthenticationMethodConfiguration API schema. This change aligns with the latest update to the passkey policy API schema, which introduces support for granular group-based configurations with passkey profiles.

During the retirement period, isAttestationEnforced and keyRestrictions will remain in sync with their counterparts attestationEnforcement and keyRestrictions within the Default passkey profile.

When this will happen 

Retirement begins in mid-October 2027 and is expected to complete by early November 2027.

How this affects your organization:

You are receiving this message because our reporting indicates your organization may be using this feature.

Who is affected: Admins managing FIDO2 authentication configurations and any custom automations or third-party integrations using these properties.

What will happen

  • isAttestationEnforced and keyRestrictions properties will be retired.
  • New properties are available in the updated passkey policy API schema.
  • Existing properties will sync with new ones during the transition period.
  • Automations or integrations using retired properties will stop working after the change.

What you can do to prepare

  • Review your current configuration.
  • Update any custom automations and third-party integrations to support the new schema.
  • Notify your admins and update internal documentation.

Screenshot - The read arrows indicate the properties to be retired:

user settings

Learn more: fido2AuthenticationMethodConfiguration resource type | Microsoft Graph | Microsoft Learn

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": "2027-10-14T07:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Review FIDO2 configurations",
      "Update automations and integrations",
      "Notify admins",
      "Update documentation"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "FIDO2 API properties isAttestationEnforced and keyRestrictions will be retired Oct-Nov 2027; update automations and integrations to use new passkey policy schema.",
    "ai_topics": [
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Starting October to November 2027, Microsoft will retire the isAttestationEnforced and keyRestrictions properties from the fido2AuthenticationMethodConfiguration API. These will sync with new properties in the updated passkey policy API schema during transition. Admins must update configurations, automations, and integrations accordingly."
    },
    "id": "MC1188230",
    "importance": 4,
    "is_major_change": true,
    "last_modified": "2025-11-19T23:34:30Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Retirement"
    ],
    "title": "Microsoft Entra ID: Retirement of duplicative properties in passkey (FIDO2) authentication methods policy"
  }
}