Microsoft Bolsters Entra with Passkey Support on Windows

"Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)," Microsoft said in a message center update.

Rollout schedule and where the feature will appear

Microsoft will begin rolling out support for passkeys — phishing‑resistant, passwordless authentication — to Microsoft Entra‑protected resources from Windows devices starting in late April 2026, with general availability expected by mid‑June 2026. The company said the capability will extend passwordless sign‑in to unmanaged Windows devices and will support corporate, personal, and shared devices.

The feature becomes available for organizations that have enabled "Microsoft Entra ID with passkeys" in the "Authentication Methods policy" for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies permit the sign‑ins (for example, from corporate‑managed, personal, or shared devices).

How Entra passkeys on Windows are implemented technically

Microsoft described Entra passkeys on Windows as device‑bound FIDO2 credentials stored in a secure local credential container — the Windows Hello container — that can only be used for authentication to Microsoft Entra ID via Windows Hello methods (facial recognition, fingerprint, or PIN). Unlike Windows Hello for Business, which also enables device sign‑ins, Entra passkeys on Windows are limited to authentication to Microsoft Entra ID.

Microsoft also emphasized that passkeys are cryptographically bound to each device and are never transmitted over the network. The company said this design prevents attackers from stealing passkeys during phishing or malware attacks to bypass multifactor authentication.
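To make the "never transmitted" and "phishing-resistant" claims concrete, here is an added Go sketch (not Microsoft's or Windows Hello's code) that models the FIDO2 assertion flow the article describes: the private key is generated inside a stand-in for the Windows Hello container and never leaves it, only a signature over the challenge and the origin the platform observed crosses the network, and the relying party rejects assertions whose origin, challenge or RP ID hash do not match. The RP ID and origins are placeholders, and the client-data format is a simplified version of WebAuthn's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator stands in for the Windows Hello container: the private key is
// generated here and never exported; callers only ever receive signatures.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party the key was registered for (placeholder in tests)
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, the FIDO2 default
	return &Authenticator{priv: k, rpID: rpID}, err
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is all that crosses the network; it carries no key material.
type Assertion struct {
	ClientData []byte // JSON {challenge, origin}; the platform, not the web page, fills in origin
	Sig        []byte // ES256 over sha256(rpID) || sha256(clientData), as in WebAuthn
}

// GetAssertion signs a challenge for the origin the platform actually observed.
func (a *Authenticator) GetAssertion(origin, challenge string) (*Assertion, error) {
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(a.rpID, cd))
	return &Assertion{ClientData: cd, Sig: sig}, err
}
func signedHash(rpID string, clientData []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	m := sha256.Sum256(append(rp[:], cd[:]...))
	return m[:]
}

// Verify is the relying-party side: origin and challenge must match before the
// signature is even checked, so an assertion captured on a look-alike site fails.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) bool {
	var cd struct{ Challenge, Origin string }
	if json.Unmarshal(as.ClientData, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedHash(rpID, as.ClientData), as.Sig)
}
```

Because the signature covers the RP ID hash and the observed origin, a credential registered for one identity provider cannot produce an assertion that another origin or a different relying party will accept, and a captured assertion cannot be replayed against a fresh challenge.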

Administrative controls: Conditional Access and Authentication Methods policies

Administrators retain control through Conditional Access and Authentication Methods policies. Microsoft stated that Entra passkeys on Windows will be manageable via those same controls, and that organizational use requires explicitly enabling "Microsoft Entra ID with passkeys" within the Authentication Methods policy.

In practice, that means the feature will only be effective where Conditional Access policies allow passkey‑based authentication from the relevant device contexts (corporate‑managed, personal, or shared). Microsoft framed the rollout as expanding passwordless options to Windows devices that are not Microsoft Entra‑joined or registered.

Security context: closing a gap and recent Microsoft steps

Microsoft did not supply a rationale beyond describing the capability, but said Entra passkeys on Windows "close a security gap" that had left personal and shared devices reliant on password‑based Microsoft Entra ID authentication. The announcement comes after a period during which threat actors "have heavily targeted Microsoft Entra single sign‑on (SSO) accounts using stolen credentials in a wave of recent SaaS data‑theft attacks," according to the source report.

The rollout follows other Microsoft steps cited in the company’s broader Secure Future Initiative: in October 2024 Microsoft said it would make multifactor authentication registration mandatory when security defaults are enabled, and in May 2025 the company announced that all new Microsoft accounts will be "passwordless by default." Those earlier moves sit alongside the current passkeys rollout as part of Microsoft’s stated effort to boost protection across Entra tenants and accounts.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: They will need to enable "Microsoft Entra ID with passkeys" in the Authentication Methods policy and ensure Conditional Access rules permit the new authentication flows for the device types they want to cover. On shared and unmanaged devices, the change moves sign‑in away from password‑based credentials toward device‑bound passkeys, reducing the exposure those devices carry.
  • Affected enterprises and procurement leaders: Organizations that want passwordless access from unmanaged or personal Windows devices must verify policy settings and Conditional Access coverage before users can take advantage of the feature; general availability is slated for mid‑June 2026.
  • End users and the general public: Users on supported Windows devices will be able to create passkeys stored locally in the Windows Hello container and authenticate using face, fingerprint, or PIN. Because passkeys are cryptographically bound to a device and not sent over the network, Microsoft says they are not subject to theft in phishing or typical malware‑mediated credential‑theft scenarios.

BleepingComputer reached out to Microsoft for more details, but a response was not immediately available. The next concrete milestone in Microsoft’s schedule is the mid‑June 2026 general availability date; in the interim organizations must enable the Authentication Methods policy and ensure Conditional Access policies align if they want their users to adopt Entra passkeys on Windows.

Source: BleepingComputer — Microsoft to roll out Entra passkeys on Windows in late April