Microsoft has extended its Entra ID Registration Campaigns to include Passkey (FIDO2) enrollment, giving admins a built‑in mechanism to push password‑less credentials to users. The change simplifies rollout, reduces manual outreach, and raises the security baseline for organizations that adopt the feature.
What changed
Microsoft announced that Passkey (FIDO2) authentication can now be offered through Entra ID Registration Campaigns. The feature, previously limited to methods such as Microsoft Authenticator or phone‑based OTP, now lets administrators embed a passkey enrollment prompt directly into the sign‑in flow. When a user logs in, they see a banner offering two choices: register a passkey immediately or snooze the request for a configurable number of days. After the snooze period expires, the enrollment becomes mandatory unless the admin has disabled the campaign.
The update is part of Microsoft’s broader push to retire passwords across enterprise tenants. By moving passkey enrollment into the automated campaign engine, Microsoft reduces the reliance on ad‑hoc emails or help‑desk tickets, and it guarantees that every eligible user will eventually be prompted to adopt a phishing‑resistant credential.
Provider comparison
| Feature | Microsoft Entra Registration Campaigns (now with Passkeys) | Okta Adaptive MFA (Passkey option) | OneLogin Passkey Rollout |
|---|---|---|---|
| Enrollment trigger | Login‑time banner, configurable snooze, optional mandatory enforcement | Email invitation or admin‑initiated push, no built‑in snooze | Admin‑driven bulk invitation, optional in‑app prompt |
| Management model | Microsoft‑managed (default) or custom state; admins can lock the default to Passkey | Fully admin‑controlled; requires separate policy to enable Passkey | Hybrid – admin can enable Passkey globally but enrollment still manual |
| Prerequisites | Passkey method enabled, self‑service allowed, no AAGUID restrictions, at least one synced/device‑bound passkey user | Passkey method enabled, supported devices registered, optional AAGUID whitelisting | Passkey method enabled, device compliance policies in place |
| Pricing impact | No extra charge beyond existing Entra ID license; passkey method is included in the authentication methods quota | Passkey support included in standard Okta Adaptive MFA pricing; no extra per‑user fee | OneLogin’s Passkey feature is part of the Enterprise plan; no incremental cost |
| Reporting | Built‑in campaign status dashboard; shows % of users enrolled, snooze count, and enforcement date | MFA usage reports include passkey enrollment stats, but separate dashboards required | Enrollment metrics available via the “Passkey Adoption” widget |
| Migration considerations | Switch from Microsoft‑managed to custom only if you need granular control; otherwise, let Microsoft push the default automatically | May need to create a separate MFA policy to avoid conflicts with existing OTP methods | Requires a phased rollout if you already have OTP or push‑based MFA in place |
Key takeaway: Microsoft’s approach is the most hands‑off. By default the platform will silently adopt Passkeys as the primary method, whereas competitors require explicit policy creation and often a separate communication effort.
Business impact
- Reduced admin overhead – The campaign eliminates the need for mass email campaigns or ticket‑driven enrollment. Admins can set a snooze period (e.g., 7 days) and let the system handle follow‑up reminders.
- Higher security posture – Passkeys are phishing‑resistant and remove the password secret from any server‑side store. For regulated industries, this aligns with NIST 800‑63B recommendations for “password‑less” authentication.
- User experience boost – Employees can authenticate with a biometric on a trusted device, cutting login time to a single tap. Studies from the FIDO Alliance show a 30 % reduction in login friction when passkeys replace OTP.
- Compliance simplification – Because the credential never leaves the device, audit logs show a clear cryptographic proof of possession, easing the burden of demonstrating “no password” controls during external assessments.
- Cost neutrality – The feature does not introduce new licensing tiers. Organizations already paying for Entra ID can enable the campaign at no extra charge, making the ROI primarily security‑driven.
Migration checklist
- Verify that Passkey (FIDO2) is enabled under Authentication methods in the Entra admin centre.
- Confirm self‑service setup is allowed for your tenant (default setting).
- Ensure no AAGUID restrictions are active unless you have a device‑specific policy.
- Review the Registration campaign state – leave it on Microsoft‑managed if you prefer the automatic rollout, or switch to custom to control default method and snooze length.
- Run a pilot with a small user group; use the built‑in campaign dashboard to monitor enrollment rate and snooze usage.
- Communicate the change to end‑users, highlighting the convenience of biometric login and the security benefits over SMS or OTP.
How to enable the Passkey registration campaign
- Sign in to the Entra admin centre.
- Navigate to Entra ID → Authentication methods → Registration campaign.
- If the page shows Microsoft‑managed, the tenant will automatically adopt Passkeys when Microsoft rolls out the default. To take explicit control, toggle the state to Custom.
- In the Default authentication method dropdown, select Passkey (FIDO2).
- Set the Snooze period (e.g., 7 days) and decide whether the campaign should become mandatory after the snooze expires.
- Save the configuration. The next time a user signs in, they will see the enrollment prompt.
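To verify the migration checklist and the campaign settings from the steps above without clicking through the admin centre, the following added example (not Microsoft's code or part of the article) evaluates the JSON that Microsoft Graph returns for a tenant's authentication methods policy. It assumes the Graph property names `authenticationMethodConfigurations`, `registrationEnforcement.authenticationMethodsRegistrationCampaign`, `snoozeDurationInDays`, `enforceRegistrationAfterAllowedSnoozes` and `keyRestrictions`; the payload is constructed, and the passkey target value is a placeholder you replace with the one your tenant shows.

```python
# Added example (not from the article): evaluate a tenant's Graph
# authenticationMethodsPolicy JSON against the passkey-campaign checklist.
# Property names follow Graph's authenticationMethodsPolicy resource; the
# payload below is constructed, not captured from a real tenant.
import json

# Constructed sample shaped like GET /policies/authenticationMethodsPolicy.
# Campaign "state": "default" = Microsoft-managed, "enabled" = Custom.
SAMPLE_POLICY = json.dumps({
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "state": "enabled",
            "snoozeDurationInDays": 7,
            "enforceRegistrationAfterAllowedSnoozes": True,
            "includeTargets": [
                {"id": "all_users", "targetType": "group",
                 "targetedAuthenticationMethod": "PASSKEY_TARGET_PLACEHOLDER"}
            ],
        }
    },
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled",
         "isSelfServiceRegistrationAllowed": True,
         "keyRestrictions": {"isEnforced": False, "enforcementType": "block",
                             "aaGuids": []}}
    ],
})

def check_passkey_campaign(policy_json, expected_target, max_snooze_days=7):
    """Return {check_name: bool} for each prerequisite in the checklist."""
    policy = json.loads(policy_json)
    fido2 = next((m for m in policy.get("authenticationMethodConfigurations", [])
                  if m.get("id") == "Fido2"), {})
    campaign = (policy.get("registrationEnforcement", {})
                .get("authenticationMethodsRegistrationCampaign", {}))
    restrictions = fido2.get("keyRestrictions") or {}
    targets = {t.get("targetedAuthenticationMethod")
               for t in campaign.get("includeTargets", [])}
    return {
        "passkey_method_enabled": fido2.get("state") == "enabled",
        "self_service_allowed": fido2.get("isSelfServiceRegistrationAllowed") is True,
        # An AAGUID list only restricts enrollment when it is enforced
        "no_aaguid_restrictions": not (restrictions.get("isEnforced")
                                       and restrictions.get("aaGuids")),
        "campaign_custom_and_enabled": campaign.get("state") == "enabled",
        "campaign_targets_passkey": expected_target in targets,
        "snooze_within_limit": 0 < campaign.get("snoozeDurationInDays", 0) <= max_snooze_days,
        "mandatory_after_snooze": campaign.get("enforceRegistrationAfterAllowedSnoozes") is True,
    }

def all_ready(results):
    """True only when every checklist item passed."""
    return all(results.values())
```

Feed it the live response from `GET /policies/authenticationMethodsPolicy` (Policy.Read.All) to get a pass/fail line per checklist item before running the pilot.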
Final thoughts
Embedding Passkey enrollment into Entra’s Registration Campaigns removes the “manual nagging” step that many IT departments struggle with. The move nudges organizations toward a password‑less future while keeping the rollout cost‑neutral and centrally managed. For enterprises that have already invested in Windows Hello for Business or Azure AD‑joined devices, the transition is virtually frictionless. Companies still on legacy OTP or SMS should treat the campaign as a low‑risk pilot that can be scaled organization‑wide with a single configuration change.

Featured image: Microsoft Entra’s new Passkey registration flow