Today, we’re exploring passkeys—what they are, how they work, and how Microsoft’s latest GA features make passwordless authentication simpler than ever.
As identity-focused cyber threats rise—especially with the advent of AI—it’s more important than ever to secure access while providing faster, easier, and more stable authentication flows for our users.
This mission aligns with the FIDO Alliance, a coalition of tech giants like Amazon, Google, Microsoft, Apple, Cisco and many more. Their goal is to reduce reliance on passwords by developing phishing-resistant passkeys to replace today’s insecure password systems.
Microsoft’s Secure Future Initiative underscores its commitment to increasing cybersecurity—particularly by securing identities. Passkeys are a shining example of their work with the FIDO Alliance, offering a strong step forward in passwordless authentication.
Understanding passkeys
Passkeys are FIDO authentication credentials stored in a credential manager. Each passkey is an asymmetric cryptographic key pair that binds the credential manager to a specific user account on an app or website that supports the W3C WebAuthn standard.
They can be stored in various credential managers. The private key is stored securely in the credential manager and never leaves it, while the public key is saved with the user’s account on the corresponding app or website.
Using this key pair enables authentication without sharing a secret with the server, making passkeys inherently phishing-resistant. They bolster security by mitigating threats like credential stuffing, Pass-the-Hash attacks, and phishing scams. Since the private key cannot be typed, copied, or shared manually, users are protected from entering credentials on malicious lookalike sites.
Passkeys vs. Quantum Threats
While passkeys aren’t yet fundamentally quantum-resilient, advancements are on the horizon. In 2023, a FIDO Alliance workgroup led by Google released a quantum-resilient cryptography algorithm.
While quantum computing remains a challenge, ongoing research into quantum-resilient cryptography is paving the way for future-proof passkey systems.
The Case for Passkeys
The reliance on passwords as the primary method of authentication has long been one of the weakest links in cybersecurity. Despite the widespread adoption of password policies and MFA, identity-based attacks are increasing in sophistication and frequency. Passkeys offer a much-needed evolution in securing user accounts and mitigating the risks associated with traditional password-based systems.
Statistics highlighting the need for passkeys
Phishing Attacks on the Rise: According to Trend Micro, phishing attacks surged by 58% year over year in 2024, with credentials as the primary target. Attackers take advantage of increasingly clever tactics, leveraging social engineering and generative AI, to trick users into leaking their credentials.
Overwhelming Use of Weak Passwords: The FIDO Alliance Annual Barometer reveals that users frequently rely on weak, reused passwords. Many still do not enable additional authentication methods, leaving accounts vulnerable.
99% of Identity Attacks Are Password-Based: Microsoft data highlights that the overwhelming majority of identity attacks exploit weak or stolen passwords. From brute force attacks to password spraying, these methods expose the vulnerabilities of traditional passwords.
The FIDO Alliance Annual Barometer: This study, gathering data from across 10 countries, found that end-users enter an average of 4 passwords daily.
Alarmingly, 37% of respondents admitted to not using any secondary authentication methods, leaving their accounts at significant risk of compromise.
User Behavior and Productivity Challenges
Managing passwords isn’t just a security issue—it’s also a user experience and productivity problem:
• Password Overload: Users frequently forget passwords, mistype them, or reuse insecure combinations across platforms.
• Prompt Fatigue: MFA fatigue is real. Users subjected to excessive authentication prompts may begin to bypass secure practices, such as approving fraudulent requests or disabling MFA altogether.
• Compromised Security Practices: The daily reliance on passwords coupled with the absence of strong secondary authentication leads to weak overall security and increased vulnerability to phishing and brute-force attacks.
How Passkeys Solve These Problems
Strong Phishing Resistance: Passkeys are inherently phishing-resistant. Because the private key never leaves the authenticator and only the public key is shared with the remote server, attackers cannot intercept or steal a reusable secret, eliminating common phishing and credential stuffing vectors.
Simplified User Experience: Passkeys enable a seamless, passwordless sign-in process through familiar methods like biometrics (fingerprint or face recognition) or a local device PIN. Users no longer need to remember or manage complex passwords, which reduces frustration and improves satisfaction.
Enhanced Security Without the Trade-Off: Passkeys improve security while simplifying authentication. By replacing less secure MFA methods like SMS or email-based OTPs, organizations can reduce risks without impacting user productivity.
Business and Organizational Benefits
Passkeys also provide tangible benefits for organizations:
Lower Costs: Reducing reliance on passwords minimizes password resets, helpdesk tickets, and the need for password management tools.
Compliance Readiness: Adopting passkeys helps organizations meet increasingly stringent cybersecurity and privacy regulations, such as GDPR, HIPAA, and ISO 27001.
Scalable Security Strategy: By moving toward passwordless authentication using passkeys, organizations future-proof their IT environments, aligning with modern cybersecurity trends and Zero Trust principles.
Improved Productivity: Faster and easier sign-ins reduce downtime caused by forgotten passwords or authentication issues, leading to increased productivity.
AI-Driven Threats Demand Better Security
The advent of AI has introduced a new wave of advanced threats, from realistic phishing schemes to automated attacks. Passkeys create a strong barrier to these threats by removing passwords—a primary attack vector—from the equation.
By integrating passkeys into the authentication ecosystem, organizations can deliver faster, easier, and safer sign-ins, reducing risks while boosting user satisfaction and operational efficiency.
How to configure passkeys in the Microsoft ecosystem
Passkeys are currently supported for all major platforms, browsers and third-party password managers.
Enable passkeys as an Authentication Method
To use passkeys in Microsoft Entra ID, start by managing authentication methods through the unified authentication methods management blade.
Note: As of the time of writing, storing passkeys directly in Apple’s iCloud Keychain is not supported.
Confirm that you’ve migrated all authentication methods from the legacy split management system. The migration status should display Complete:
In the unified management portal, locate the Passkey (FIDO2) option and enable it.
To enable passkeys for the Microsoft Authenticator app, configure the following settings:
Enforce Attestation: Set to Yes. This ensures validation of the application setting up the passkey.
Enforce Key Restrictions: Set to Yes. This allows only approved applications like Microsoft Authenticator.
Restrict Specific Keys: Set to Allow. This means only configured AAGUIDs (Attestation GUIDs) are permitted.
Microsoft Authenticator (Preview): Enable this feature to allow passkeys in the Microsoft Authenticator app. Two default AAGUIDs (one for iOS and one for Android) will be automatically added.
(Optional) Add AAGUID: Add additional AAGUIDs for third-party credential managers or security keys as needed.
After completing the above, the passkey authentication method will be enabled in your tenant.
Script for Checking Existing Security Keys
The following PowerShell script lets you inventory the AAGUIDs already present in your tenant. It retrieves the passkey details of every user and writes them to a file. It is a modified version of this script published by Microsoft:
# Connect to Microsoft Graph with the scopes needed to list all users and read their authentication methods
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'

# Define the output file and make sure its folder exists
$file = "C:\temp\AAGUIDs.txt"
New-Item -ItemType Directory -Path (Split-Path -Path $file -Parent) -Force | Out-Null

# Initialize the file with a header
Set-Content -Path $file -Value '---'

# Retrieve all users (only the properties we need)
$UserArray = Get-MgUser -All -Property Id,UserPrincipalName

# Iterate through each user
foreach ($user in $UserArray) {
    # Retrieve the passkey (FIDO2) authentication methods registered for the user
    $fidos = Get-MgUserAuthenticationFido2Method -UserId $user.Id

    if (-not $fidos) {
        # Log and write to file if no passkey methods are found
        $line = "User $($user.UserPrincipalName) (object ID $($user.Id)) has no Passkey"
        Write-Host $line
        Add-Content -Path $file -Value $line
    } else {
        # Iterate through each passkey method and record its AAGUID and model
        foreach ($fido in $fidos) {
            $line = "- User $($user.UserPrincipalName) (object ID $($user.Id)) has a Passkey with AAGUID $($fido.Aaguid) of Model type '$($fido.Model)'"
            Write-Host $line
            Add-Content -Path $file -Value $line
        }
    }

    # Log and write a separator to file
    Write-Host "==="
    Add-Content -Path $file -Value "==="
}

# Disconnect from Microsoft Graph
Disconnect-MgGraph
Enforcing passkey usage
Once passkeys are configured, use Microsoft Entra Conditional Access to enforce their use.
You can choose:
• The built-in Phishing-Resistant Authentication Strength Policy, or
• A Custom Authentication Strength Policy for more granular control.
I've created this template that can be used for this goal, shared in this blog post.
Important: Before enforcing this policy, ensure that:
Required authentication methods are registered for at least one admin account.
You exclude a break-glass (emergency access) account to avoid lockouts during registration.
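The policy the two bullets above describe, as an added example written for this post (it is not the author's template and not Microsoft's code): it uses the Microsoft Graph PowerShell SDK to create the Conditional Access policy in report-only mode, requiring the built-in Phishing-resistant MFA authentication strength for all users while excluding a break-glass account, and it first checks that at least one Global Administrator already has a passkey registered. The break-glass UPN and the policy name are placeholders; the authentication strength ID is the documented built-in value.

```powershell
# Added example (not the author's Conditional Access template).
# Creates a REPORT-ONLY policy requiring the built-in "Phishing-resistant MFA" strength,
# excludes a break-glass account, and refuses to run if no Global Administrator has a passkey.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All','Directory.Read.All','UserAuthenticationMethod.Read.All'

$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'              # placeholder: your emergency-access account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -ErrorAction Stop   # fail early if the account does not exist

# Pre-check: admins must already be able to satisfy the policy before it is enforced.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$adminsWithPasskey = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' } |
    Where-Object { Get-MgUserAuthenticationFido2Method -UserId $_.Id -ErrorAction SilentlyContinue }
if (-not $adminsWithPasskey) {
    throw 'No Global Administrator has a passkey registered yet; register one before creating the policy.'
}
Write-Host "$(@($adminsWithPasskey).Count) Global Administrator(s) already have a passkey; continuing."

$policy = @{
    displayName   = 'Require phishing-resistant MFA (passkeys) - report-only pilot'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'   # review the sign-in logs, then switch to 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }   # break-glass stays excluded
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator = 'OR'
        # Built-in authentication strength "Phishing-resistant MFA" (passkeys, Windows Hello for Business, certificates)
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"
```

Report-only mode lets you watch the sign-in logs for users who would have been blocked before flipping the state to enabled; the break-glass exclusion and the admin pre-check are the two conditions the post lists for avoiding a lockout.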
Windows Hello for Business
Many organizations already use Windows Hello for Business, which also leverages asymmetric key pairs for authentication. For Windows devices, it offers an easy and secure way to authenticate standard or privileged accounts.
Windows Hello for Business supports two main configurations: cloud-only and hybrid identity environments.
Cloud-only environments (Cloud-Native Devices and Identities)
Because there are no on-premises resources or legacy applications to account for, we can simply create an Intune endpoint security Account Protection policy that configures Windows Hello for Business.
Access the Microsoft Intune portal. Navigate to Endpoint Protection > Account Protection and create a new policy
Choose Windows and Account Protection for profile type
Configure the policy with the following settings as Device-scoped settings:
Enable PIN Recovery: Set to True
Lowercase Letters: Blocked
Minimum PIN Length: 6
Require Security Device: Set to True.
Use Windows Hello For Business (Device): Enabled.
Assign the policy to all devices using appropriate filters or pilot groups.
Review and save the policy.
Hybrid environments (synced identities)
For hybrid environments, additional configurations are necessary to support on-premises resources with Single Sign-On (SSO).
Step 1: Cloud Kerberos trust configuration
Microsoft provides a walk-through of the configuration of Cloud Kerberos Trust, but to make it a bit easier for you, I've combined the needed steps into a single script:
Powershell - Single script configuration
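As an added example (not the author's combined script and not Microsoft's own tooling beyond the module it calls), the following sequence performs the documented Cloud Kerberos trust steps: install the AzureADHybridAuthenticationManagement module, create the Microsoft Entra Kerberos server object in the on-premises domain, publish it to Microsoft Entra ID, and read it back to confirm. The Entra UPN is a placeholder, and the script assumes it runs on a domain-joined machine with domain-admin credentials available.

```powershell
# Added example (not the author's script): Cloud Kerberos trust setup from Microsoft's documented steps.
# Run from a domain-joined machine; prompts for the on-premises Domain Admin credential.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser
Import-Module -Name AzureADHybridAuthenticationManagement

# On-premises Active Directory domain in which the Kerberos server object will be created
$domain = $env:USERDNSDOMAIN

# Placeholder: a Microsoft Entra account allowed to publish the object (you will be prompted to sign in)
$userPrincipalName = 'admin@contoso.onmicrosoft.com'

# On-premises Domain Admin credential used to create the object in Active Directory
$domainCred = Get-Credential -Message "Domain Admin credential for $domain"

# Create the Microsoft Entra Kerberos server object in AD and publish it to Microsoft Entra ID
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

# Verify: the returned object lists the on-premises and cloud key versions of the Kerberos server
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

# Later key rotation (documented parameter, run periodically as part of key hygiene):
# Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred -RotateServerKey
```

After this step the Intune setting in Step 2 tells Windows Hello for Business to request a cloud-issued Kerberos ticket-granting ticket for on-premises resources instead of requiring a certificate or key trust deployment.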
Step 2: Intune configurations
To complete the configuration of Windows Hello for Business for hybrid identities, we'll need the following policy:
Use Cloud Trust For On Prem Auth
In Microsoft Intune, navigate to Devices > Configuration and select Create > New Policy
Choose Windows 10 and Later, and Settings Catalog
Provide a meaningful name for the policy and an optional description, then go to the next tab. In the Configuration settings tab, choose + Add setting, search for Use Cloud Trust For On Prem Auth, add the setting and make sure it is set to Enabled.
Assign this policy to the same devices as the Windows Hello for Business policy
End-user experience
How to create a passkey in the Microsoft Authenticator app
After configurations are complete, users can create a passkey in Microsoft Authenticator on mobile devices running iOS 17+ or Android 14+.
Users can initiate passkey creation directly in the Authenticator App or by adding an authentication method via aka.ms/mfasetup or aka.ms/mysecurityinfo.
This guide outlines the flow from the Security Info page and demonstrates cross-device creation:
Access Security Info
Visit aka.ms/mfasetup or aka.ms/mysecurityinfo
Sign in with your Microsoft account.
In the Security Info interface, select Add sign-in method
Choose Passkey in Microsoft Authenticator as the sign-in method
The interface will guide users through setting up the Microsoft Authenticator app and creating the passkey
If the Microsoft Authenticator is already registered with the account, the app installation and configuration steps will be skipped. The user will be directed to the app to create the passkey
On the Mobile Device:
Add Account to Microsoft Authenticator
Open the app and tap the + icon in the upper-right corner
Select Account Type
Choose Work or school account
Sign In or Scan QR Code
Sign in using your credentials or scan the QR code displayed on your computer
Complete Passkey Setup
After signing in, users will see a confirmation screen. Tap Continue to automatically set up the passkey and enable passwordless authentication
Verify Passkey Creation
Once the passkey is created, it will appear under the account in the Authenticator App as a local passkey, as seen here
Back on the Computer:
The user will see a success screen indicating the passkey setup is complete
View Passkey Details
In the Security Info page, users can view the passkey. Expanding its details shows the registration date and the associated AAGUID.
The passkey is now created and ready for use!
Using a passkey in Microsoft Authenticator for Cross-Device Authentication
The passkey we created can be used for cross-device authentication. The flow for using the passkey in the Authenticator app is as follows:
The flow begins when a user selects the passkey sign-in option on a device, generating a QR code.
The QR code is part of the W3C WebAuthn cross-device flow. It conveys the authentication request to the phone, linking the user’s identity and credential to this specific sign-in.
The user must validate the request with an authorization gesture, such as biometric authentication or a local PIN.
The signed response is forwarded to the Relying Party server, which looks up the credential ID and verifies the signature with the associated public key. Access is granted if all conditions are met.
In simpler terms:
The user scans the QR code, validates their identity, and the system processes the request to securely grant access. This ensures a seamless and secure passwordless experience.
Source: FIDO Alliance whitepapers, Client to Authenticator Protocol (CTAP), and the W3C Web Authentication specification
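The key-pair mechanism described in "Understanding passkeys" and the challenge, credential ID and public-key verification steps of the flow above, as an added example (not code from the post, the FIDO Alliance or Microsoft): a self-contained PowerShell simulation using .NET's ECDsa class, where one function plays the authenticator and another the relying party. Real WebAuthn signs authenticatorData followed by the hash of clientDataJSON and the browser supplies the origin; this toy signs the clientDataJSON directly, and every origin, challenge and credential ID is constructed.

```powershell
# Added example (not from the original post): simulation of the passkey challenge/response
# with .NET ECDsa (P-256). Works in Windows PowerShell 5.1 and PowerShell 7. Values are constructed.

# --- Registration: the authenticator creates the key pair; only the public half leaves it ---
$authenticatorKey = [System.Security.Cryptography.ECDsa]::Create()   # private key stays inside this object
$credentialId     = [guid]::NewGuid().ToString()                     # constructed credential ID

$relyingParty = @{
    Origin      = 'https://login.example.com'                                        # constructed RP origin
    Credentials = @{ $credentialId = $authenticatorKey.ExportParameters($false) }   # public key (Q) only
}

function New-Challenge {
    # Fresh random challenge per sign-in so a captured response cannot be replayed
    $bytes = [byte[]]::new(32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-AuthenticatorAssertion {
    # Authenticator side. The browser, not the user, fills in the origin it is really connected to,
    # and the authenticator signs that origin together with the challenge.
    param($Key, [string]$CredentialId, [string]$Challenge, [string]$BrowserOrigin)
    $clientData = @{ type = 'webauthn.get'; challenge = $Challenge; origin = $BrowserOrigin } | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($clientData)
    $signature = $Key.SignData($bytes, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    return @{ CredentialId = $CredentialId; ClientDataJson = $clientData; Signature = $signature }
}

function Test-Assertion {
    # Relying party side: check origin and challenge, then verify the signature with the stored public key
    param($Rp, $Assertion, [string]$ExpectedChallenge)
    $clientData = $Assertion.ClientDataJson | ConvertFrom-Json
    if ($clientData.origin -ne $Rp.Origin) { return "rejected: origin '$($clientData.origin)' is not '$($Rp.Origin)'" }
    if ($clientData.challenge -ne $ExpectedChallenge) { return 'rejected: challenge mismatch (stale or replayed response)' }
    $publicKey = $Rp.Credentials[$Assertion.CredentialId]
    if ($null -eq $publicKey) { return 'rejected: unknown credential ID' }
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($publicKey)                 # public parameters only, no private scalar
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Assertion.ClientDataJson)
    if ($verifier.VerifyData($bytes, $Assertion.Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)) {
        return 'access granted'
    }
    return 'rejected: signature does not verify'
}

# --- Sign-in on the genuine site: origin, challenge and signature all check out ---
$challenge = New-Challenge
$assertion = Invoke-AuthenticatorAssertion -Key $authenticatorKey -CredentialId $credentialId -Challenge $challenge -BrowserOrigin 'https://login.example.com'
Test-Assertion -Rp $relyingParty -Assertion $assertion -ExpectedChallenge $challenge

# --- The same passkey presented from a lookalike domain: the browser reports the real origin,
#     so the relying party rejects the response although the signature itself is valid ---
$otherChallenge = New-Challenge
$otherAssertion = Invoke-AuthenticatorAssertion -Key $authenticatorKey -CredentialId $credentialId -Challenge $otherChallenge -BrowserOrigin 'https://login-example.com'
Test-Assertion -Rp $relyingParty -Assertion $otherAssertion -ExpectedChallenge $otherChallenge
```

Two properties of the post's argument are visible here: the relying party stores and uses only public parameters, so a breach of its credential store yields nothing reusable, and the origin is bound into the signed data by the browser, so a response produced on a lookalike site cannot be replayed against the real one. In a real browser the credential would not even be offered for a mismatched RP ID; the server-side origin check is the backstop.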
Demonstrating the Flow with Microsoft Entra
Going through the end-user experience for this flow, we'll reuse the passkey created in the previous section to access Microsoft Entra.
Access the Microsoft Entra Portal
Navigate to entra.microsoft.com. Enter the username of the account.
Select Sign-In Option
Depending on your Conditional Access policies, another default method might appear. Select Other ways to sign in
Choose Passkey Authentication
Click Face, fingerprint, PIN, or security key to start the passkey authentication process
Scan the QR Code
A QR code will appear for cross-device authentication. Use the built-in camera of your mobile device (not the Authenticator app) to scan it.
Authorize the Request
After scanning, confirm the sign-in request using biometrics (e.g., Face ID) or a PIN, by clicking Continue
Access Granted
The system validates the passkey and grants access to the requested resource
Conclusion: Unlocking the Future with Passkeys
We’ve covered a lot in this post:
What passkeys are, how they work, and the technology behind them.
Why passkeys are essential in combating phishing and password-based attacks in an increasingly AI-driven threat landscape.
How to enable and enforce passkeys within Microsoft environments using tools like Microsoft Authenticator, Conditional Access, and Windows Hello for Business.
The streamlined, secure user experience of creating and using passkeys for cross-device authentication.
Passkeys represent more than just a step forward—they signal the beginning of a passwordless future where security meets simplicity. By integrating passkeys into your organization, you’re not only improving your security posture but also delivering a more seamless experience for your users.
It's now that time again, here's another bad joke!
If you think IoT devices have been monitoring you, just remember…
the vacuum has been gathering dirt on you for years! 😎
If you enjoyed this post, please like, share, comment, and subscribe to the blog. Your feedback helps me stay on track with topics that matter most to you—and don’t forget to stay tuned for the next post!
What are your thoughts on passkeys and passwordless security?
Have you started using them in your organization?
Share your experiences and insights in the comments below—I’d love to hear from you!