End‑to‑End Guide: Deploy Passkeys (FIDO2) Passwordless Sign‑In with Microsoft Entra ID

  • Hanna Korotka
  • Jul 18
  • 2 min read

Why move to Passkeys (FIDO2) now?


Passwords are still behind a large share of breaches: they are reused across sites, phished, and sprayed, and push-based MFA layered on top of them is exposed to MFA fatigue. A passkey (FIDO2) is a public-key credential. The private key never leaves the authenticator, and the browser only signs a challenge for the web origin the key was registered with, so a lookalike sign-in page obtains nothing it can replay, there is no shared secret to leak, and there is no prompt to spam. Microsoft Entra ID supports passkeys natively, so a pilot can be configured in an afternoon with the tools the tenant already has.


Requirements


To enable Passkeys (FIDO2) in your tenant, your environment must meet the following prerequisites:

  • Users must complete multifactor authentication (MFA) within the five minutes before registering a passkey (FIDO2); registration is treated as a sensitive action.

  • Users need a compatible authenticator: a FIDO2-certified security key or passkeys in Microsoft Authenticator. If you intend to enforce attestation, the authenticator must provide an attestation statement that Entra ID can validate.

  • Devices must support passkey (FIDO2) authentication. For Windows devices, Entra-joined Windows 10 (1903+) or hybrid-joined Windows 10 (2004+) gives the smoothest experience.

  • Cross-platform support is available out of the box for passkeys (FIDO2) on Windows, macOS, Android, and iOS. See Microsoft's compatibility matrix for browser and OS details.


1 – Enable Passkeys (FIDO2) in Entra


  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Entra ID > Authentication methods > Policies > Passkeys (FIDO2).

  3. Set the toggle to Enable. Select All users, or Add groups to target specific pilot groups.

  4. On the Configure tab:

    • Allow self‑service setup → Yes (lets users add passkeys from their Security info page).

    • Enforce attestation → Yes to accept only authenticators whose attestation Entra ID can validate against Microsoft's list of approved FIDO2 keys; No to accept any passkey, including providers that do not supply attestation. Attestation proves the key model, not the user, and it is what makes an AAGUID restriction trustworthy: without it the AAGUID is self-reported by the client.

    • (Optional) Enforce key restrictions → Yes, then Allow or Block specific key models by AAGUID. An Allow list admits only the listed AAGUIDs; if pilot users will use Microsoft Authenticator passkeys, include the Authenticator AAGUIDs Microsoft documents, or those registrations will be rejected.

  5. Click Save.

Tip: If Save fails when several groups are targeted at once, add the groups one at a time and save after each.

2 – Enforce Passkey (FIDO2) Sign‑In with a Custom Authentication Strength


  1. Sign in to the Microsoft Entra admin center with a Conditional Access Administrator account.

  2. Go to Entra ID > Authentication methods > Authentication strengths and select New authentication strength.

  3. Enter a Name (and optional Description) for the strength.

  4. Under Methods, check Passkeys (FIDO2).

  5. (Optional) To allow only a specific security‑key model or passkey provider, expand Advanced options, choose Add AAGUID, paste the device’s AAGUID, then Save.

  6. Select Next, review the configuration, and Create.

  7. The strength enforces nothing on its own. Go to Entra ID > Conditional Access > Policies > New policy, target the pilot group (and exclude your break-glass accounts), choose the cloud apps in scope, and under Grant select Require authentication strength and pick the strength you just created.

  8. Start the policy in Report-only, confirm in the sign-in logs that pilot users would have satisfied it, then switch it to On.


Once the policy is On, pilot users can only satisfy it with a passkey; a password, an SMS code or an Authenticator push is not accepted for the apps in scope. Make sure every pilot user has registered a passkey first (step 3), otherwise they are locked out, including out of the Security info page they need to register one.
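
Steps 1 and 2 expressed as Microsoft Graph request bodies, with a preflight check for the combinations that lock people out. This is an added example, not code from this guide or from Microsoft: the field names follow the Graph fido2AuthenticationMethodConfiguration, authenticationStrengthPolicy and conditionalAccessPolicy resources as assumed here, and the group ID, break-glass user ID and AAGUID are placeholders you must replace with your own values. The preflight catches an enforced but empty allow list, a Conditional Access policy that targets a group the method policy does not let register, a strength that admits key models the method policy refuses, a missing break-glass exclusion, and a policy switched straight to On.

```python
"""Steps 1 and 2 of the guide as Microsoft Graph request bodies, plus a
preflight check for the settings that lock people out. Added example with
placeholder IDs; field names follow the Graph resources as assumed here."""
import json
import uuid

# Placeholders (assumptions): substitute your own object IDs and the AAGUID
# published by your key vendor or passkey provider.
PILOT_GROUP_ID = "00000000-0000-4000-8000-000000000001"
BREAK_GLASS_USER_IDS = ["00000000-0000-4000-8000-0000000000ee"]
ALLOWED_AAGUIDS = ["11111111-2222-3333-4444-555555555555"]


def fido2_method_policy(pilot_group_id, allowed_aaguids, enforce_attestation=True):
    """PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
    (fido2AuthenticationMethodConfiguration). Target id "all_users" means everyone."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "Fido2",
        "state": "enabled",
        "isSelfServiceRegistrationAllowed": True,      # step 1: self-service setup
        "isAttestationEnforced": enforce_attestation,  # step 1: enforce attestation
        "keyRestrictions": {                           # step 1: key restrictions
            "isEnforced": bool(allowed_aaguids),
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids),
        },
        "includeTargets": [
            {"targetType": "group", "id": pilot_group_id, "isRegistrationRequired": False}
        ],
    }


def authentication_strength(name, allowed_aaguids):
    """POST /identity/conditionalAccess/authenticationStrength/policies. Only the
    passkey combination is listed, so password, SMS and push cannot satisfy it.
    The optional AAGUID filter is a separate POST to .../{id}/combinationConfigurations."""
    policy = {"displayName": name, "description": "Passkey (FIDO2) only",
              "allowedCombinations": ["fido2"]}
    combination = None
    if allowed_aaguids:
        combination = {"@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
                       "appliesToCombinations": ["fido2"],
                       "allowedAAGUIDs": list(allowed_aaguids)}
    return policy, combination


def conditional_access_policy(name, strength_id, pilot_group_id, break_glass_ids, report_only=True):
    """POST /identity/conditionalAccess/policies. This is what enforces the strength;
    without it the strength object does nothing."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [pilot_group_id], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }


def preflight(method_policy, ca_policy, strength_aaguids):
    """Problems that would lock users out or weaken the rollout; [] means consistent."""
    problems = []
    kr = method_policy["keyRestrictions"]
    for aaguid in kr["aaGuids"] + list(strength_aaguids):
        try:
            uuid.UUID(aaguid)
        except ValueError:
            problems.append(f"malformed AAGUID: {aaguid}")
    if kr["isEnforced"] and kr["enforcementType"] == "allow":
        if not kr["aaGuids"]:
            problems.append("allow-list enforced but empty: every key would be rejected")
        missing = set(strength_aaguids) - set(kr["aaGuids"])
        if missing:  # strength admits a model the method policy refuses at registration
            problems.append(f"strength allows AAGUIDs the method policy blocks: {sorted(missing)}")
    targeted = {t["id"] for t in method_policy["includeTargets"]}
    for group in ca_policy["conditions"]["users"]["includeGroups"]:
        if group not in targeted and "all_users" not in targeted:
            problems.append(f"CA policy targets group {group} that cannot register passkeys")
    if not ca_policy["conditions"]["users"]["excludeUsers"]:
        problems.append("no break-glass account excluded from the CA policy")
    if ca_policy["state"] == "enabled":
        problems.append("policy enforces on first deployment; start in report-only")
    return problems


if __name__ == "__main__":
    mp = fido2_method_policy(PILOT_GROUP_ID, ALLOWED_AAGUIDS)
    strength, combo = authentication_strength("Passkey only", ALLOWED_AAGUIDS)
    # Graph returns the strength id on creation; placeholder here.
    ca = conditional_access_policy("Require passkey - pilot", "<strength-id>",
                                   PILOT_GROUP_ID, BREAK_GLASS_USER_IDS)
    print(json.dumps({"method": mp, "strength": strength, "combination": combo, "ca": ca}, indent=2))
    print("preflight:", preflight(mp, ca, ALLOWED_AAGUIDS) or "ok")
```

Run the preflight against the bodies before sending them, and keep the group scopes of the method policy and the Conditional Access policy in step as you widen the pilot; the same check applies unchanged when you later target All users.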


3 – User registration (two‑minute process)


  1. The user goes to https://mysignins.microsoft.com/security-info.

  2. Click Add sign‑in method > Security key / Passkey.

  3. Insert or tap the USB/NFC key or approve the platform passkey prompt (Windows Hello, Face ID, etc.).

  4. Give the key a friendly name. At the next sign‑in the user picks the passkey instead of typing a password.


4 – Test & expand


Monitor the sign‑in logs for the pilot group for a week. Filter on the authentication method and watch for pilot users still signing in with a password, for Conditional Access failures that point to an unregistered user or a key model outside the allow list, and for registrations from unexpected AAGUIDs. If everything checks out, widen the targeted group in both the Passkeys (FIDO2) method policy and the Conditional Access policy, keeping the two in step, until you reach All users. Keep the break‑glass accounts excluded throughout.
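
One way to do that weekly review over an exported sign‑in log, written here as an added example (not code from this guide). The records below are constructed to imitate the Graph signIn resource fields the check needs (userPrincipalName, status.errorCode, and authenticationDetails with authenticationMethod and succeeded); the method display strings are assumed, so compare them with your own export before trusting the two method sets. Error code 53003 is the documented "blocked by Conditional Access" code.

```python
"""Review an exported Entra sign-in log for a passkey pilot. Added example;
the records are constructed to imitate the Graph signIn shape, and the
authentication method strings are assumed (check them against your export)."""
import json
from collections import defaultdict

# Constructed sample export, not real log data.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-07-10T08:01:00Z",
  "status": {"errorCode": 0},
  "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": true}]},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-07-10T08:05:00Z",
  "status": {"errorCode": 0},
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true},
                            {"authenticationMethod": "Mobile app notification", "succeeded": true}]},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-07-11T09:00:00Z",
  "status": {"errorCode": 53003},
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}]},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2025-07-11T10:00:00Z",
  "status": {"errorCode": 0},
  "authenticationDetails": [{"authenticationMethod": "Passkey", "succeeded": true}]},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2025-07-12T10:00:00Z",
  "status": {"errorCode": 0},
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true},
                            {"authenticationMethod": "Text message", "succeeded": true}]}
]
""")

PASSKEY_METHODS = {"FIDO2 security key", "Passkey"}                  # assumed display strings
PHISHABLE = {"Password", "Text message", "Mobile app notification"}  # assumed display strings
CA_BLOCKED = 53003  # AADSTS53003: access blocked by Conditional Access policies


def summarize(signins):
    """Per-user counts of passkey sign-ins, sign-ins that fell back to a phishable
    method, and sign-ins the Conditional Access policy blocked."""
    per_user = defaultdict(lambda: {"passkey": 0, "phishable": 0, "ca_blocked": 0})
    for s in signins:
        row = per_user[s["userPrincipalName"]]
        if s.get("status", {}).get("errorCode") == CA_BLOCKED:
            row["ca_blocked"] += 1
            continue  # a blocked sign-in says nothing about which method the user can use
        used = {d["authenticationMethod"] for d in s.get("authenticationDetails", [])
                if d.get("succeeded")}
        if used & PASSKEY_METHODS:
            row["passkey"] += 1
        elif used & PHISHABLE:
            row["phishable"] += 1
    return dict(per_user)


def ready_to_enforce(summary):
    """Users who signed in with a passkey and never fell back to a phishable method."""
    return sorted(u for u, r in summary.items() if r["passkey"] and not r["phishable"])


def needs_attention(summary):
    """Users still on phishable methods, or being blocked (not registered, wrong key model)."""
    return sorted(u for u, r in summary.items() if r["phishable"] or r["ca_blocked"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_SIGNINS)
    for upn, row in sorted(summary.items()):
        print(f"{upn:28} passkey={row['passkey']} phishable={row['phishable']} "
              f"ca_blocked={row['ca_blocked']}")
    print("ready:", ready_to_enforce(summary))
    print("needs attention:", needs_attention(summary))
```

A user who appears in the ready list is a candidate for the enforcing policy; anyone in the attention list either has not registered yet, is registering a key model outside the allow list, or is still reaching for a password and needs to be contacted before the policy moves from report-only to On.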


Outcome


Following these steps you enable passkeys (FIDO2) across Microsoft 365, remove phishable passwords from the sign‑in path for the users in scope, and raise Secure Score, without new hardware for every employee where platform passkeys or Microsoft Authenticator are acceptable. One licensing caveat: the Passkeys (FIDO2) method policy is available in every Entra ID edition, but the Conditional Access policy that enforces the authentication strength requires Microsoft Entra ID P1, which is included in plans such as Microsoft 365 Business Premium, E3 and E5.


How PlexHosted can help


PlexHosted is a Microsoft‑certified managed security partner focused on Microsoft 365. We assess your environment, deploy best‑practice controls, manage identity and endpoint policies, and provide clear security reports, so you stay compliant and protected without stretching internal resources. Let our experts handle the day‑to‑day configuration, tuning, and incident follow‑up while your team concentrates on core business goals.



 
 
 
