How to activate Microsoft 365 Passkey in Entra ID

Definition

Microsoft 365 Passkey is an authentication method that replaces passwords with more secure options like facial recognition, fingerprint, or a PIN.

Prerequisites

Licenses required

Microsoft 365 (all editions supporting modern authentication).

Administrator role

An account with the Global Administrator or Security Administrator role to access the Microsoft Entra Admin Center.

Others

Users must have Microsoft Authenticator (MFA) enabled.
Updated to the latest Microsoft Authenticator app (version 6.8.7 or later).
Requires at least Android 14 or iOS 17 and above.
Mobile and desktop must be connected to the Internet and have Bluetooth enabled (multi-device authentication).

Step 2 : Activate Microsoft 365 Passkey

In the left menu, click Protection, then Authentication methods.

Click Passkey (FIDO2) to activate the service and the users concerned.

Click Configure, and enable all options.

You can also enable the service via the following Graph PowerShell script:

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
$params = @{
    "@odata.type"  = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    id             = "Fido2"
    State          = "enabled"
    includeTargets = @(
        @{
            id         = "all_users"
            targetType = "group"
        }
    )
    excludeTargets                   = @(
    )
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "Allow"
        aaGuids         = @(
            "90a3ccdf-635c-4729-a248-9b709135078f",
            "de1e552d-db1d-4423-a619-566b625cdc84"
        )
    }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $params