Authentication strength improvements to support passkeys


Conditional Access authentication strengths in Microsoft Entra ID will be improved to support registration of device-bound passkeys stored on computers, security keys, and mobile devices.

When this will happen:

Public Preview: Microsoft will begin rolling out in early March 2024 and expects to complete by mid-March 2024.

Worldwide: Microsoft will begin rolling out in late April 2024 and expects to complete by early May 2024.

How this will affect your organization:

End user registration

Prior to this change, users who were in scope for authentication strength enforcement and could not satisfy passkey (FIDO2) authentication requirements received an error message asking them to manually register the passkey (FIDO2) method.

With this rollout, new registration options called Passkey (preview) and Passkey in Microsoft Authenticator (preview) will be shown in My Security Info to users who are interrupted to register a passkey (FIDO2) method to satisfy authentication strength requirements. Users who are required to register a passkey in Microsoft Authenticator will see a dedicated registration experience. Users whose organization requires specific passkeys from various vendors and manufacturers will be shown the allowable AAGUIDs of the passkeys they can choose to register. No changes are expected to existing Conditional Access policies targeting security information registration.


What you need to do to prepare:

For more information on changes to Microsoft Entra support for passkeys (FIDO2), please review Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) | Thibault Chatiron

No action is needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.
