Cloud, Security, Workplace
06/03/2026
Microsoft has officially moved Passkey Profiles and Synced Passkeys to General Availability (GA) in Microsoft Entra ID, beginning March 2026. This marks a major evolution of passkey (FIDO2) authentication in Entra ID, giving organizations more flexible and granular control over how passkeys are deployed and managed.
What’s New?
Passkey Profiles (Group‑Based Control)
Instead of one tenant‑wide setting, admins can now create multiple passkey profiles that specify how users authenticate:
• Configure passkey requirements per group (e.g., executives vs general staff)
• Choose which passkey types to allow (e.g., device‑bound vs synced)
• Apply attestation rules and authenticator restrictions per profile
• Existing FIDO2 settings automatically migrate into a default profile if not manually configured.
🔄 Synced Passkeys Across Devices
For the first time, Entra ID supports synced passkeys (preview or GA depending on rollout stage). These let users securely sync passkeys via ecosystems like Apple iCloud Keychain, Google Password Manager, or other supported cloud stores — reducing friction when switching devices and simplifying recovery. 
🛠 Why This Matters
• Easier password‑less adoption — users won’t be locked into a single device. 
• Better admin controls — different security postures for different groups. 
• Automatic migration — tenants with existing passkeys will be migrated if no action is taken. 
🗓 Rollout Summary
• GA rollout began: Early March 2026
• Automatic migration window: Early April → Late May 2026 (worldwide)
• GCC/DoD environments follow shortly after.