Entra ID Passkeys: Getting More Granular, But What Does It Mean for Your Security?
The world of digital authentication is constantly evolving. For those of us in IT, especially those focused on cloud security with Microsoft Entra ID (formerly Azure AD), the shift towards passkeys is a significant step forward. SMS multi-factor authentication was once hailed as a secure option, but codes sent by text can be phished or intercepted through SIM swapping. Passkeys, built on the FIDO2/WebAuthn standards, are phishing-resistant because the credential is bound to the site it was registered with, and they are also easier for users than typing codes.
Microsoft has announced a significant update to its Entra ID passkey support, with message center notification MC1097225 outlining changes coming in November 2025 (December 2025 for government clouds). Currently, Entra ID allows for tenant-wide controls over passkey usage. However, this upcoming change will introduce the ability to manage up to ten distinct passkey profiles per tenant.
What Does This Mean for Your Business?
This move towards more granular control is generally a positive development. It means that organisations can start to define policies for specific departments or user groups, dictating exactly what types of passkeys are permitted for authentication. Imagine being able to set up a policy for your marketing team that allows a wider range of passkey options, while maintaining stricter controls for your finance department. This offers a fantastic opportunity to balance security needs with user convenience.
A Potential Catch to Be Aware Of
While enhanced control is a good thing, there’s a subtle but important aspect to this change that businesses need to understand before diving in. When a tenant opts into this new, more granular passkey management approach, Entra ID will transition to a new schema for defining passkey policies.
Here’s where it gets interesting: your existing passkey settings will likely become the default policy. Crucially, if the “enforce attestation” setting within this default policy is disabled, Entra ID will become less particular about the types of passkeys it accepts. Attestation is the step during registration in which the authenticator proves, with a signature from its manufacturer, what make and model it is. Without it, Entra ID has no verified way of knowing which authenticator a new credential actually came from.
In enterprise settings, it’s common practice to define which specific passkeys or FIDO2 keys your organisation trusts, often by specifying their Authenticator Attestation GUIDs (AAGUIDs). In the current policy this is the “enforce key restrictions” setting, with an allow or block list of AAGUIDs, and it is a separate toggle from “enforce attestation”. The intent is that only approved hardware or software authenticators can be registered. Bear in mind, though, that an AAGUID is only trustworthy when attestation is verified; without enforced attestation the AAGUID is simply whatever the client reports.
However, with the change to the new schema and the potential for “enforce attestation” to be disabled in the default policy, Microsoft states that Entra ID will start accepting a broader spectrum of security key and passkey providers. In practice, this could allow more security keys and passkey providers to be registered and used for authentication than your current AAGUID list was meant to permit.
Why This Matters to You
While this might sound like a minor technical detail, it’s essential. If your current passkey configuration doesn’t enforce attestation, then any user covered by the default policy after the switchover could potentially register and sign in with any passkey type they prefer, regardless of the authenticator types you meant to approve.
Some organisations might be perfectly comfortable with this increased flexibility. However, others will have invested time and effort into meticulously selecting and approving specific passkey types for their environment. For these businesses, the non-enforcement of attestation could be a significant concern. It’s wise to consider this topic carefully and decide whether enforcing attestation remains a priority for your organisation.
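The quickest way to find out where your tenant stands before the switchover is to read the current FIDO2 authentication method configuration from Microsoft Graph and check the two settings discussed above together. The script below is an added example written for this post, not Microsoft’s code and not part of the original announcement. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`) is installed and uses the current v1.0 `fido2AuthenticationMethodConfiguration` property names (`isAttestationEnforced`, `keyRestrictions`); the per-profile schema announced in MC1097225 has not been published, so the script does not cover it. The sample policy object is constructed to mirror the Graph response shape and the AAGUID in it is a placeholder, not a real key model.

```powershell
# Added example (not from the original post): assess the current FIDO2/passkey
# authentication method policy for the attestation and key-restriction settings.
# Assumes Microsoft.Graph.Authentication is installed. Property names follow the
# current v1.0 schema; the upcoming per-profile schema is not yet documented.

function Test-Fido2PolicyPosture {
    param(
        # fido2AuthenticationMethodConfiguration as returned by Invoke-MgGraphRequest (hashtable)
        [Parameter(Mandatory)] [hashtable] $Policy
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Policy.state -ne 'enabled') {
        $findings.Add("INFO: FIDO2/passkey method state is '$($Policy.state)'; the checks below only matter once it is enabled.")
    }

    $attestation = [bool]$Policy.isAttestationEnforced
    $kr          = $Policy.keyRestrictions
    $krEnforced  = ($null -ne $kr) -and [bool]$kr.isEnforced
    $aaguids     = @()
    if ($kr -and $kr.aaGuids) { $aaguids = @($kr.aaGuids) }

    if (-not $attestation) {
        # This is the setting the post warns about: with attestation off, the AAGUID
        # presented at registration is unverified, so any allow/block list is advisory only.
        $findings.Add("WARN: isAttestationEnforced=false. Entra ID cannot verify an authenticator's make or model, so any AAGUID list is only as reliable as what the client claims.")
    }

    if (-not $krEnforced) {
        $findings.Add("WARN: keyRestrictions.isEnforced=false. Users may register any FIDO2 key or passkey provider.")
    }
    elseif ($kr.enforcementType -eq 'allow' -and $aaguids.Count -eq 0) {
        $findings.Add("WARN: enforcementType=allow but the AAGUID list is empty; confirm this is intended.")
    }
    elseif ($kr.enforcementType -eq 'block') {
        $findings.Add("INFO: Block-list mode: every authenticator not listed is permitted ($($aaguids.Count) AAGUID(s) blocked).")
    }
    else {
        $findings.Add("OK: Allow-list mode with $($aaguids.Count) approved AAGUID(s).")
    }
    return $findings
}

# Constructed sample mirroring the Graph response shape (not captured from a real tenant).
$sample = @{
    '@odata.type'         = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    id                    = 'Fido2'
    state                 = 'enabled'
    isAttestationEnforced = $false
    keyRestrictions       = @{
        isEnforced      = $true
        enforcementType = 'allow'
        aaGuids         = @('00000000-0000-0000-0000-000000000000')  # placeholder AAGUID, not a real key model
    }
}
Test-Fido2PolicyPosture -Policy $sample
# Expected for the sample: a WARN about attestation alongside an OK for the allow list,
# which is exactly the combination the post says to look out for.

# Live check against your own tenant (requires the Policy.Read.All scope). Uncomment to run:
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'
# Test-Fido2PolicyPosture -Policy $live

# Turning attestation enforcement on (requires Policy.ReadWrite.AuthenticationMethod):
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2' `
#     -Body @{
#         '@odata.type'         = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
#         isAttestationEnforced = $true
#     }
```

Run the assessment now and again after the change rolls out, because the post notes that nothing will visibly change unless you look. If you switch attestation on, test registration with each authenticator on your allow list first: keys that cannot produce a valid attestation statement will fail to register once the setting is enforced.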
Microsoft has indicated that no administrator action is strictly necessary for this change to take effect, as it will be deployed automatically. You might not even notice anything has changed unless you actively review your authentication methods policy after the rollout.
It’s worth noting that if you currently use the Microsoft Graph API or third-party tools to manage your authentication methods policy, those tools might not fully support the new schema until the feature reaches General Availability, which is anticipated to be in early to mid-2026. Until then, check any automation you rely on against both the old and the new settings rather than assuming it still reflects what users are actually allowed to register.
Securing Your Future Authentication
The move towards passkeys and more granular control is an exciting step in improving digital security. However, understanding the nuances of these updates, particularly around attestation, is crucial for maintaining your desired security posture.
As a Managed Service Provider, Byte By Byte Ltd is dedicated to helping small to medium-sized businesses navigate these complex IT changes. We can assist you in understanding the implications of these Entra ID updates for your specific environment and ensure your authentication methods are both secure and efficient.
Considering your organisation’s security strategy? Want to ensure you’re prepared for the latest authentication advancements in Entra ID? Get in touch with Byte By Byte Ltd today to discuss how we can help secure your digital future.
