Microsoft is working on a new way for users to sign in to Microsoft Entra on Windows devices. The company is introducing support for passkeys that work with Windows Hello, allowing organizations to further reduce their reliance on traditional passwords.
According to BleepingComputer, the new functionality focuses on providing a login method that is more resistant to phishing attacks.
The rollout of the feature will begin as an optional public preview between mid-March and the end of April 2026 for organizations worldwide. Government cloud environments, such as GCC, GCC High, and the U.S. Department of Defense, will follow later with a preview period from mid-April to mid-May. Administrators must activate the functionality themselves before users can work with it.
With the introduction of passkeys, employees can log in to Entra-secured services via Windows Hello. This means that authentication is performed using biometric recognition, such as a fingerprint or facial recognition, or a PIN code. The corresponding key is stored locally on the device in Windows Hello’s secure environment.
According to Microsoft, this approach offers better protection against phishing and other forms of account abuse. The cryptographic key associated with a passkey does not leave the device. This means it cannot be intercepted via a fake website or stolen by malware that harvests login details.
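The property described above can be seen in a simplified challenge-response check. This is an added example, not code from Microsoft or the article: it models a WebAuthn-style assertion with Node's built-in crypto module, and the relying-party ID, the origins and all function names are constructed for illustration.

```javascript
// Simplified WebAuthn-style sign-in check (illustration; not Entra's implementation).
const nodeCrypto = require('node:crypto');

const RP_ID = 'login.example.test'; // constructed relying-party ID
const ORIGIN = `https://${RP_ID}`;
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Device side: the private key is created here and is never handed to callers.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // only this half is registered with the server
    sign(challenge, origin) {
      // The client records the origin it is really talking to; that value gets signed.
      const clientData = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const authData = sha256(new URL(origin).hostname); // rpIdHash only; flags/counter omitted
      const signature = nodeCrypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), privateKey);
      return { clientData, authData, signature };
    },
  };
}

// Server side: holds only the public key and the challenge it issued.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const cd = JSON.parse(a.clientData.toString());
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'stale-or-replayed-challenge';
  if (cd.origin !== ORIGIN) return 'wrong-origin';
  if (!a.authData.equals(sha256(RP_ID))) return 'wrong-rp-id';
  const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const device = createAuthenticator();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = device.sign(challenge, ORIGIN);
  // Response produced while the user is on a look-alike page: its origin is signed in.
  const relayed = device.sign(challenge, 'https://login.example-test.invalid');
  // Same response with the origin rewritten afterwards: the signature no longer matches.
  const forged = { ...relayed, authData: sha256(RP_ID), clientData: Buffer.from(
    relayed.clientData.toString().replace('login.example-test.invalid', RP_ID)) };
  const check = (c, a) => verifyAssertion(device.publicKey, c, a);
  return { genuine: check(challenge, genuine), relayed: check(challenge, relayed),
    forged: check(challenge, forged), replayed: check(nodeCrypto.randomBytes(32), genuine) };
}
```

The server never holds a secret that could be phished: it stores the public key, and each response is only valid for the challenge and origin it was signed for.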
Passkeys also work outside Entra-managed systems
An important difference from previous implementations is that the method also works on Windows systems that are not linked to or registered with Entra. This allows employees to log in to company resources without a password, even on personal or shared devices. For organizations that work extensively with external devices or bring-your-own-device scenarios, this can be an important step towards completely passwordless access.
A separate passkey is created for each Entra account per device. Multiple accounts can therefore be used on a single system, but the keys remain linked to the specific device on which they were created. Synchronization between devices is not possible, so users must re-register on each new system.
To use the functionality, administrators must enable the FIDO2 passkey method within Entra’s authentication policy. A passkey profile linked to Windows Hello can then be created and assigned to users or groups within the organization.
The introduction is part of Microsoft’s broader strategy to gradually phase out passwords. The company previously announced that new Microsoft accounts will be set up without passwords by default. With this, Microsoft wants to better protect organizations against phishing, brute-force attacks, and large-scale abuse attempts with leaked login credentials.