cloudcoffee.ch

Freshly brewed with Microsoft Azure and Microsoft 365

Microsoft 365, Microsoft Azure

Securing Identities: Microsoft Authenticator Passkey in Microsoft Entra

1. May 2024

Last Updated on 21. March 2026

A device-bound passkey is a FIDO2-based, phishing-resistant authentication credential: the device generates the key pair and stores the private key securely. Microsoft Entra supports passkeys held in Microsoft Authenticator. During sign-in no password is transmitted. Instead, Microsoft Entra issues a random challenge, the Authenticator signs it with the private key, and Entra verifies the signature with the public key that was registered for the user. The private key never leaves the device.

Advantages of device-bound passkeys:

  • Phishing-resistant: The credential is scoped to the relying party's domain (the RP ID), and the browser puts the origin it is actually connected to into the signed data. A look-alike site, or an adversary-in-the-middle proxy that relays the genuine sign-in page, therefore cannot obtain an assertion that Microsoft Entra accepts
  • Device-bound: The private key is stored only on the registered device and never leaves it; unlike a synced passkey, it is not copied to a cloud keychain
  • No passwords required: Users do not type a password during sign-in, so there is nothing to guess, reuse, or harvest
  • Cost-efficient: Microsoft Entra supports Microsoft Authenticator passkeys natively, so no separate hardware security key has to be purchased

This article explains the required configuration steps in Microsoft Entra to enable a Microsoft Authenticator passkey, allow users to register it, and use it for passwordless sign-in.
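To make the challenge-response described above concrete, the following PowerShell script is an added example (it is not part of the original post and not Microsoft's implementation). It models one registration and several sign-in attempts with the .NET ECDsa class: the hostnames, challenge bytes and flag values are constructed for the demo, base64 stands in for the base64url that WebAuthn uses, and .NET's signature encoding differs from WebAuthn's DER. Nothing in it talks to Microsoft Entra; it only shows why a look-alike site or a relaying proxy ends up with nothing the relying party will accept.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not from the original post: a reduced model of the FIDO2/WebAuthn
# assertion flow. All hostnames, challenges and flag bytes are constructed for the demo.

function Get-Sha256 {
    param([byte[]]$Data)
    return ,([SHA256]::Create().ComputeHash($Data))
}

function Compare-Bytes {
    param([byte[]]$A, [byte[]]$B)
    [Convert]::ToBase64String($A) -eq [Convert]::ToBase64String($B)
}

# 1. Registration: the authenticator (the phone) creates the key pair. Only the public key
#    and the RP ID the credential is scoped to are handed to the relying party.
$authenticator = @{
    RpId       = 'login.microsoft.com'
    PrivateKey = [ECDsa]::Create([ECCurve]::CreateFromFriendlyName('nistP256'))
}
$rp = @{
    Origin    = 'https://login.microsoft.com'
    RpIdHash  = (Get-Sha256 ([Encoding]::UTF8.GetBytes('login.microsoft.com')))
    PublicKey = $authenticator.PrivateKey.ExportParameters($false)
}

# 2. Each sign-in starts with a fresh random challenge from the relying party.
function New-Challenge {
    $c = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($c)
    return ,$c
}

# 3. The authenticator signs authenticatorData || SHA-256(clientDataJSON). clientDataJSON is
#    built by the browser and carries the origin the user is really connected to.
function New-Assertion {
    param($Authenticator, [string]$Origin, [byte[]]$Challenge)
    $clientData     = @{ type = 'webauthn.get'; challenge = [Convert]::ToBase64String($Challenge); origin = $Origin }
    $clientDataJson = [Encoding]::UTF8.GetBytes(($clientData | ConvertTo-Json -Compress))
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || 32-bit signature counter
    $authData = [byte[]]((Get-Sha256 ([Encoding]::UTF8.GetBytes($Authenticator.RpId))) + [byte[]](0x05, 0, 0, 0, 1))
    $toSign   = [byte[]]($authData + (Get-Sha256 $clientDataJson))
    @{
        AuthenticatorData = $authData
        ClientDataJson    = $clientDataJson
        Signature         = $Authenticator.PrivateKey.SignData($toSign, [HashAlgorithmName]::SHA256)
    }
}

# The browser derives the RP ID from the origin; the authenticator only answers for an RP ID
# it holds a credential for (the real rule also allows registrable parent domains).
function Invoke-BrowserSignIn {
    param($Authenticator, [string]$Origin, [byte[]]$Challenge)
    $hostName = ([Uri]$Origin).Host
    if ($hostName -ne $Authenticator.RpId) { return $null }   # look-alike host: nothing is signed
    New-Assertion -Authenticator $Authenticator -Origin $Origin -Challenge $Challenge
}

# 4. The relying party checks type, its own origin, the challenge it issued and its own
#    rpIdHash before verifying the signature with the stored public key.
function Test-Assertion {
    param($Rp, [byte[]]$Challenge, $Assertion)
    if ($null -eq $Assertion) { return $false }
    $client = ([Encoding]::UTF8.GetString([byte[]]$Assertion.ClientDataJson)) | ConvertFrom-Json
    if ($client.type -ne 'webauthn.get') { return $false }
    if ($client.origin -ne $Rp.Origin) { return $false }
    if ($client.challenge -ne [Convert]::ToBase64String($Challenge)) { return $false }
    $authData = [byte[]]$Assertion.AuthenticatorData
    if (-not (Compare-Bytes $authData[0..31] $Rp.RpIdHash)) { return $false }
    $verifier = [ECDsa]::Create()
    $verifier.ImportParameters($Rp.PublicKey)
    $toSign = [byte[]]($authData + (Get-Sha256 ([byte[]]$Assertion.ClientDataJson)))
    $verifier.VerifyData($toSign, [byte[]]$Assertion.Signature, [HashAlgorithmName]::SHA256)
}

$challenge = New-Challenge

# Genuine sign-in at the real origin
$legit = Invoke-BrowserSignIn -Authenticator $authenticator -Origin $rp.Origin -Challenge $challenge
"Genuine origin            : $(Test-Assertion -Rp $rp -Challenge $challenge -Assertion $legit)"

# Adversary-in-the-middle proxy relays the real challenge, but the browser sits on the attacker's host
$relayed = Invoke-BrowserSignIn -Authenticator $authenticator -Origin 'https://login.micros0ft.example' -Challenge $challenge
"Relayed via look-alike    : $(Test-Assertion -Rp $rp -Challenge $challenge -Assertion $relayed)"

# A rogue client that skips the browser's RP ID check still gets a signature over the wrong origin
$rogue = New-Assertion -Authenticator $authenticator -Origin 'https://login.micros0ft.example' -Challenge $challenge
"Rogue client, wrong origin: $(Test-Assertion -Rp $rp -Challenge $challenge -Assertion $rogue)"

# Rewriting clientDataJSON to claim the real origin breaks the signature
$rogue.ClientDataJson = [Encoding]::UTF8.GetBytes((@{ type = 'webauthn.get'; challenge = [Convert]::ToBase64String($challenge); origin = $rp.Origin } | ConvertTo-Json -Compress))
"Forged clientDataJSON     : $(Test-Assertion -Rp $rp -Challenge $challenge -Assertion $rogue)"

# Replaying the genuine assertion against the next challenge fails as well
"Replay                    : $(Test-Assertion -Rp $rp -Challenge (New-Challenge) -Assertion $legit)"
```

Run it in PowerShell 7 or Windows PowerShell 5.1. Only the sign-in at the genuine origin verifies; the relayed, rogue-origin, forged and replayed attempts are each rejected at a different check in Test-Assertion, which is the property that makes the credential phishing-resistant rather than merely passwordless.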


Prerequisites and Licensing

Licenses

Using Microsoft Authenticator device-bound passkeys in Microsoft Entra does not require a paid license. A Microsoft Entra ID Free license is sufficient and included in every Microsoft tenant.

User Account Requirements

The user account that registers the passkey must already be able to complete multifactor authentication: registering a passkey in Microsoft Authenticator requires an MFA sign-in. A user who does not yet have any MFA method can be onboarded with a Temporary Access Pass.

Supported Devices

  • iOS 17 or later with the latest version of the Microsoft Authenticator app. If Microsoft Authenticator is not the primary password manager on the device, iOS 18 is recommended, because it allows several password managers to be enabled at the same time.
  • Android 14 or later with the latest version of the Microsoft Authenticator app

Roles

The following role is sufficient to enable the Passkey (FIDO2) authentication method and follows the principle of least privilege:

  Role: Authentication Policy Administrator
  Permission: Configure authentication methods policies

Enable Passkey (FIDO2) Authentication Method

The Passkey (FIDO2) authentication method for Microsoft Authenticator is configured in the Microsoft Entra admin center.

After signing in to the Microsoft Entra admin center (https://entra.microsoft.com/), go to Entra ID > Authentication methods > Policies and select Passkey (FIDO2).


In the Enable and Target tab, turn on Enable and select All users.
Alternatively, specific groups can be assigned; for a staged rollout, target a pilot group first and widen the scope once registration and sign-in have been tested.


The following options can be configured in the Configure tab:

Allow self-service setup
Allows users to register passkeys.

Enforce attestation
Requires the authenticator to present a valid attestation statement during registration so that Microsoft Entra can verify the manufacturer and model of the device. Attestation is what makes the AAGUID reported at registration trustworthy; without it, the AAGUID is simply a value the authenticator reports about itself. Enforcing attestation is therefore what gives a key restriction policy and an allowed AAGUID list their weight, which matters in enterprise and high-security scenarios.

Enforce key restrictions
Applies the configured key restriction policy. When key restrictions are not enforced, Microsoft Entra accepts every compatible FIDO2 authenticator or passkey provider regardless of the manufacturer. An overview of common AAGUIDs is provided by Clayton Tyger in the Entra Compatible Attestation FIDO Key Explorer.

Restrict specific keys
Determines whether the configured list of AAGUID entries is used as an allow list or block list. When set to Allow, only the listed authenticators are permitted, while Block allows all devices except those explicitly blocked.
The Microsoft Authenticator option adds the following AAGUID entries for Microsoft Authenticator passkeys:
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84


Select Save.
Users can now register device-bound passkeys using Microsoft Authenticator.

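The same policy can be set through Microsoft Graph, which makes the configuration scriptable and easy to re-check after a change. The following PowerShell is an added example, not part of the original post: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the Authentication Policy Administrator role, and it uses the two Microsoft Authenticator AAGUIDs listed above as the allow list.

```powershell
# Added example, not from the original post: the Passkey (FIDO2) policy configured above,
# applied and then read back through Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and the Authentication Policy Administrator role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

$authenticatorAaguids = @(
    '90a3ccdf-635c-4729-a248-9b709135078f'   # Microsoft Authenticator for iOS
    'de1e552d-db1d-4423-a619-566b625cdc84'   # Microsoft Authenticator for Android
)

$policy = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    # Attestation is what makes the AAGUID below trustworthy. If a registration is rejected
    # with an attestation error, the client does not supply attestation yet; relax to $false
    # only while piloting and knowingly.
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'            # only the listed AAGUIDs may register
        aaGuids         = $authenticatorAaguids
    }
    # 'all_users' targets everyone; for a pilot use targetType 'group' with a group object ID.
    includeTargets                   = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the policy back and show only the settings that matter for this scenario.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{
    State          = $current.state
    SelfService    = $current.isSelfServiceRegistrationEnabled
    Attestation    = $current.isAttestationEnforced
    KeyRestriction = "$($current.keyRestrictions.enforcementType) (enforced: $($current.keyRestrictions.isEnforced))"
    AllowedAaguids = $current.keyRestrictions.aaGuids -join ', '
    Targets        = ($current.includeTargets | ForEach-Object { $_.id }) -join ', '
}
```

The read-back at the end is the check worth keeping in a change record: the values shown are what Microsoft Entra will enforce at the next registration, independent of what the admin center happened to display.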

Register Microsoft Authenticator Passkey in Microsoft Entra

The Microsoft Authenticator passkey is registered by the user.
The following steps show how to register a Microsoft Authenticator device-bound passkey on an Apple iPhone. The process on Android is similar.

Prepare the Apple iPhone

Install the latest version of Microsoft Authenticator on iOS 17 or later. iOS 18 is required to use multiple password managers simultaneously.

On an Apple iPhone running iOS 18, configure the following settings under Settings > General > AutoFill & Passwords:

  1. Enable AutoFill Passwords and Passkeys
  2. Source: Authenticator

After preparing the Apple iPhone, the Microsoft Authenticator passkey can be set up.

Register a Passkey on the Apple iPhone

Open Microsoft Authenticator and select the correct account.


Select Create a passkey


Select Sign in


Complete the sign-in. After a moment, the device-bound passkey is registered.


Sign In with a Microsoft Authenticator Passkey

On the sign-in page for Microsoft Azure, Microsoft 365, or Enterprise Applications that use Microsoft Entra ID authentication, select Sign-in options.
For example: https://aka.ms/mysecurityinfo


Select Face, fingerprint, PIN, or security key


Select iPhone, iPad, or Android device


Scan the QR code with the iPhone camera. This cross-device sign-in uses the FIDO hybrid transport: the phone proves it is physically near the computer over Bluetooth, so Bluetooth must be switched on on both devices and the phone needs an internet connection.


Confirm the sign-in on the mobile device by selecting Continue.
If multiple passkeys are stored in Microsoft Authenticator, select the correct account.


The sign-in with the Microsoft Authenticator device-bound passkey at https://aka.ms/mysecurityinfo was successful.


Delete a Passkey

A Microsoft Authenticator passkey can be removed either on the registered device or through the Security info page. Both methods are shown below.

Delete a Passkey When the Device Is Available

Open Microsoft Authenticator and select the account that contains the passkey to be deleted.


Select Passkey


Select the Delete icon.


Select Delete and complete the sign-in.


The device-bound passkey is now deleted, both from the device and from the user's registered methods in Microsoft Entra.


Delete a Passkey When the Device Is Not Available

If the device holding the Microsoft Authenticator device-bound passkey is lost or otherwise no longer available, the passkey is removed from the Security info page instead.
Sign in to https://aka.ms/mysecurityinfo with another registered method and go to Security info > Passkey > Delete.
This removes the public key registered in Microsoft Entra, so the private key that remains on the missing device can no longer answer a sign-in challenge. An administrator can also remove the method on the user's behalf under the user's Authentication methods in the Microsoft Entra admin center.

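For the lost-device case, an administrator can handle the same steps from the Graph side and, at the same time, check that every registered passkey is one the policy would allow today. The following PowerShell is an added example, not part of the original post: it assumes the Microsoft.Graph PowerShell SDK, an account holding the Authentication Administrator role (Privileged Authentication Administrator if the target user is an administrator), and the user principal name and passkey display name below are placeholders.

```powershell
# Added example, not from the original post: inventory a user's registered passkeys, flag any
# outside the AAGUID allow list, and remove the passkey that belonged to a lost device.
# Assumptions: Microsoft.Graph PowerShell SDK; Authentication Administrator role; the UPN and
# display name are placeholders.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

$upn            = 'alice@contoso.example'
$lostDeviceName = 'Alice iPhone'   # the name shown under Security info > Passkey
$allowedAaguids = @('90a3ccdf-635c-4729-a248-9b709135078f', 'de1e552d-db1d-4423-a619-566b625cdc84')
$base           = "https://graph.microsoft.com/v1.0/users/$upn/authentication/fido2Methods"

# 1. Inventory: each passkey with its AAGUID and attestation level. A passkey outside the
#    allow list was registered before the key restriction took effect and deserves a look.
$passkeys = (Invoke-MgGraphRequest -Method GET -Uri $base).value
$passkeys | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.id
        DisplayName = $_.displayName
        Model       = $_.model
        AaGuid      = $_.aaGuid
        Attestation = $_.attestationLevel
        Created     = $_.createdDateTime
        InAllowList = $allowedAaguids -contains $_.aaGuid
    }
} | Format-Table -AutoSize

# 2. Removal: deleting the registration discards the public key in Microsoft Entra, so the
#    private key still sitting on the lost phone can no longer answer a challenge.
foreach ($pk in ($passkeys | Where-Object { $_.displayName -eq $lostDeviceName })) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($pk.id)"
    "Removed passkey '$($pk.displayName)' ($($pk.id)) for $upn"
}

# 3. Optional: sessions and refresh tokens already issued to the lost device are not touched by
#    step 2. Revoke them as well (requires the User.RevokeSessions.All scope):
# Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$upn/revokeSignInSessions"
```

Step 1 is worth running periodically on its own: it is the only place where the AAGUID and attestation level of already-registered passkeys become visible, and a tightened key restriction policy does not retroactively remove registrations made before it.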

Conclusion

Device-bound passkeys in Microsoft Authenticator enable phishing-resistant, passwordless sign-in in Microsoft Entra. The private key remains on the device. Because no additional hardware such as FIDO2 security keys is required, Microsoft Authenticator provides a cost-effective way to implement secure passwordless sign-in.


Barista

Oliver Mueller My name is Oliver Müller and I have been working with passion and dedication in the IT industry since 1998. The diversity of Microsoft products has fascinated me from the beginning and motivated me to expand my knowledge in this area. As a Microsoft Azure Solutions Architect Expert, Microsoft MVP and MCT, my focus is primarily on the areas of Infrastructure-as-a-Service (IaaS) and Identity and Access Management (IAM).



© 2021-2026 cloudkaffee.ch