Microsoft Shipped Passkeys to M365. Here's How to Turn Them On.
Entra ID passkeys went GA in May 2026. Most SMBs already have access but haven't enabled them. A practical 30-day rollout plan.

Microsoft made passkeys generally available in Entra ID on May 7, 2026. If your business runs M365 Business Premium or E3, the feature is already in your tenant. You don’t need to buy anything, upgrade anything, or wait for anything. You just need to turn it on. The fact that 87% of enterprises are already deploying passkeys while most SMBs haven’t touched the setting is a gap worth closing before January 2027, when Microsoft removes security questions as a password reset option entirely.
This guide explains what passkeys are, why they solve problems that MFA alone doesn’t, and how to roll them out to a 100-person company in 30 days without disrupting anyone’s workday.
What Passkeys Actually Are
A passkey is a cryptographic credential stored on your device (laptop, phone, or security key) that replaces your password entirely. When you sign in, your device proves your identity by signing a fresh challenge from the server with a private key that you never see and never type. You unlock it with your fingerprint, face, or device PIN. There’s nothing to type, nothing to remember, and nothing reusable for an attacker to capture on the network: a signature is good for that one challenge and that one sign-in only.
The technology is built on the FIDO2 and WebAuthn standards, but the jargon doesn’t matter for the business decision. What matters is the practical difference: with a password, your credential is a secret that gets transmitted to a server, stored in a database, and can be stolen, guessed, or phished. With a passkey, the private key is never sent to the server. The server only stores a public key that’s useless without the matching private key, and every signature is bound to the site the passkey was registered for, so a passkey created for Microsoft’s sign-in page will not work on a lookalike domain even if the user is tricked into visiting one.
Microsoft’s Entra ID implementation supports two types. Device-bound passkeys are tied to a single piece of hardware, like a YubiKey or a Windows Hello credential on a specific laptop; the private key never leaves that device. Synced passkeys replicate across your devices through your platform’s cloud account (iCloud Keychain for Apple, Google Password Manager for Android/Chrome, or Windows Hello on Microsoft accounts), which means a synced passkey is only as well protected as the cloud account that holds the keychain. NIST’s 2024 supplement to SP 800-63B recognizes properly implemented synced passkeys as phishing-resistant authenticators that can meet AAL2, which is the bar compliance frameworks mean when they require phishing-resistant MFA.
What Microsoft Shipped in May 2026
Three specific changes arrived in the May 2026 Entra ID update:
Passkeys are now generally available on Windows. Entra ID passkeys work natively in Windows Hello, Edge, and Chrome on Windows devices. Users can register a passkey directly from their security info page at mysignins.microsoft.com without IT intervention.
Passkey-preferred authentication is in preview. When enabled, Entra ID prompts users to sign in with their strongest registered credential first. If a user has registered a passkey, the sign-in page shows the passkey option before offering password entry. This nudges adoption without forcing it.
Synced passkeys are supported. Users can store Entra ID passkeys in iCloud Keychain, Google Password Manager, or a third-party password manager that supports the FIDO2 standard. This means an employee who registers a passkey on their iPhone can use it to sign into M365 on their iPad or Mac without registering again.
Additionally, Microsoft has announced that security questions will be removed as a password reset option by January 2027. That’s a clear signal about the direction: Microsoft is systematically eliminating weak authentication methods and pushing every tenant toward passwordless options.
Why Passkeys Matter More Than MFA Alone
Most SMBs that have invested in multi-factor authentication assume they’ve solved the authentication problem. MFA is a significant improvement over passwords alone, but it has real weaknesses that passkeys eliminate entirely.
MFA can be phished. Adversary-in-the-middle attacks intercept both the password and the MFA token in real time. The attacker sets up a convincing sign-in page that proxies the real one, the employee enters their credentials and approves the MFA prompt, and the attacker captures the resulting session before the token expires. This is not theoretical. It’s one of the most common techniques behind business email compromise in M365 tenants. Passkeys are immune to this because there’s no shared secret to replay and because the signature the device produces is tied to the genuine site’s origin: the cryptographic challenge-response happens between your device and Microsoft’s servers with no human-readable credential in the middle, and the device will not sign for the attacker’s lookalike domain.
Session cookies bypass MFA after login. Infostealer malware can harvest browser session cookies or tokens that let an attacker impersonate an authenticated session without ever triggering an MFA prompt. Passkeys don’t prevent session theft directly. What they enable is a conditional access policy that requires phishing-resistant authentication for sensitive applications and fresh re-authentication on risky sign-ins, so a stolen session does not carry the user’s full privileges indefinitely; for the clients that support it, Entra’s token protection session control also binds sign-in sessions to the device they were issued on.
MFA fatigue is a real attack vector. Attackers with stolen passwords bombard employees with push notifications until someone taps “Approve” out of frustration. Passkeys remove this attack because there’s no push to approve: authentication requires a deliberate biometric scan or PIN on the device in your hand. The caveat is that the attack only goes away once password plus push is no longer an accepted path for that user, so the rollout below ends by enforcing phishing-resistant authentication, not just offering it. Until then, Microsoft Authenticator’s number matching, which is on by default, blunts fatigue attacks but does not eliminate them.
The business impact data from organizations that have deployed passkeys supports this: 90% report improved security outcomes, 77% see a reduction in help desk calls related to password resets, and 82% report better user experience. Fewer password resets means less burden on your IT team or managed IT provider. Fewer phishing-susceptible credentials means fewer incidents to investigate and remediate.
Before and After: What Changes for Your Team
Understanding the day-to-day difference helps explain this to your employees and leadership team.
Before (passwords + MFA):
- Employee types a password, waits for an MFA push notification, taps approve on their phone
- IT resets forgotten passwords multiple times per week across the company
- Phishing emails that capture credentials and MFA tokens can compromise accounts
- Employees reuse passwords across services, creating credential theft risks
- Help desk handles “I’m locked out” calls regularly
After (passkeys):
- Employee touches a fingerprint sensor or glances at their laptop camera, and they’re signed in
- No passwords to forget, reset, or rotate
- Phishing sites can’t capture credentials because there are no credentials to type
- Each passkey is unique to each service, so a breach elsewhere doesn’t affect your M365 tenant
- Help desk calls for authentication issues drop significantly
The experience for the employee is faster and simpler. The experience for IT is less reactive work. The security posture is measurably stronger.
A 30-Day Rollout Plan for a 100-Person Company
Passkey rollout doesn’t require a rip-and-replace approach. The most effective strategy is a phased expansion that lets you find and fix issues at small scale before they affect the full company.
Week 1: Pilot With IT (5-10 People)
Start with your IT team or the most technically comfortable group in the company. Create a security group for the pilot, then enable the passkey authentication method in the Entra admin center (Protection > Authentication methods > Policies > Passkey (FIDO2)) and target that group specifically rather than enabling it tenant-wide. Leave “Allow self-service set up” on so users can enroll themselves, and check the attestation and key-restriction settings against the passkey types you intend to allow: synced passkeys from iCloud Keychain or Google Password Manager typically do not provide an attestation statement, so enforcing attestation will silently block them.
Have each pilot member register a passkey on their primary device through mysignins.microsoft.com. Document any friction: device compatibility issues, confusion about synced vs. device-bound options, or applications that don’t support passkey sign-in yet. At this stage, passwords remain available as a fallback. Nobody is locked out of anything. This is also the week to enable Temporary Access Pass as an authentication method, so that IT has a documented way to bootstrap a user who later loses their only passkey-bearing device.
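The Week 1 change, scripted, as an added example that is not part of the original article or of Microsoft’s own documentation. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph` and `Invoke-MgGraphRequest` from the Microsoft.Graph.Authentication module) to enable the Passkey (FIDO2) method for one group. The group name “Passkey Pilot” is an assumption; the admin running it must be able to consent to the listed scopes.

```powershell
# Added example: enable the Entra Passkey (FIDO2) authentication method for a
# pilot group only, and show the policy before and after the change.
# Assumes the Microsoft.Graph module is installed and a security group named
# "Passkey Pilot" (assumed name) already contains the Week 1 users.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Group.Read.All" -NoWelcome

$graph  = "https://graph.microsoft.com/v1.0"
$policy = "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Resolve the pilot group's object ID by display name; fail loudly on 0 or 2+ matches.
$filter = [uri]::EscapeDataString("displayName eq 'Passkey Pilot'")
$groups = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=$filter&`$select=id,displayName"
if (@($groups.value).Count -ne 1) {
    throw "Expected exactly one group named 'Passkey Pilot', found $(@($groups.value).Count)"
}
$pilotGroupId = $groups.value[0].id

# Record the current state so the change can be reviewed (and reverted) later.
$before = Invoke-MgGraphRequest -Method GET -Uri $policy
"Before: state=$($before.state) attestationEnforced=$($before.isAttestationEnforced) targets=$(@($before.includeTargets).Count)"

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true    # users enrol themselves at mysignins.microsoft.com
    # Synced passkeys (iCloud Keychain, Google Password Manager) generally carry no
    # attestation statement, so enforcing attestation would block them during the pilot.
    isAttestationEnforced            = $false
    keyRestrictions                  = @{
        isEnforced      = $false                # open for the pilot; restrict by AAGUID later if policy requires it
        enforcementType = "block"
        aaGuids         = @()
    }
    # Target only the pilot group; the method stays unavailable to everyone else.
    includeTargets                   = @(
        @{ targetType = "group"; id = $pilotGroupId; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $policy `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType "application/json"

$after   = Invoke-MgGraphRequest -Method GET -Uri $policy
$targets = (@($after.includeTargets) | ForEach-Object { $_.id }) -join ","
"After:  state=$($after.state) attestationEnforced=$($after.isAttestationEnforced) targets=$targets"
```

Widening the rollout in Weeks 2 and 3 is a matter of adding group members or replacing the `includeTargets` entry with a broader group, not of touching the rest of the policy; keeping the “before” output from each run gives you the rollback values if a device type turns out not to work.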
Week 2: Expand to Finance and Executives (15-25 People)
These are your highest-value targets for account compromise. Finance teams approve wire transfers. Executives have broad data access. Both are prime targets for business email compromise and phishing attacks.
Send a short communication explaining what passkeys are (one paragraph), why the company is adopting them (stronger security, simpler sign-in), and what the employee needs to do (register a passkey, which takes about two minutes). Include a screenshot or short video of the registration process. Don’t make it optional for this group, but do keep password fallback available.
Week 3: Company-Wide Enrollment (Everyone)
Open passkey registration to all employees. Use the same communication template from Week 2. Set a deadline for registration (end of Week 3) and have managers follow up with anyone who hasn’t completed it. At this point, you should have enough data from the first two weeks to answer common questions and address any device-specific issues.
Run a quick audit: the Entra admin center’s Authentication methods activity report (Protection > Authentication methods > Activity) shows which users have registered a passkey, and the sign-in logs show which method each sign-in actually used. You want to see both numbers climbing steadily. If registration is flat, the communication isn’t landing and you need direct outreach; if registration is high but passkey sign-ins are low, users are still being offered the password path first, which passkey-preferred authentication addresses.
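The Week 3 registration audit as a script, added here as an example and not taken from the original article or from Microsoft. It reads the same user registration details report the admin center displays, via Microsoft Graph PowerShell, and produces a percentage plus a follow-up list. The method names it matches (`passKey*`, `fido2SecurityKey`) are what the report returns at the time of writing and should be checked against `methodsRegistered` in your own tenant; the output file name is an assumption.

```powershell
# Added example: measure passkey registration across the tenant from the Entra
# authentication-methods registration report and export who still needs to enrol.
# Assumes the Microsoft.Graph module is installed and the admin can consent to
# the two read scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

function Get-PasskeyRegistrationReport {
    $uri  = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?`$top=999"
    $rows = New-Object System.Collections.Generic.List[object]
    do {                                              # follow @odata.nextLink until the report is exhausted
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($r in $page.value) { $rows.Add($r) }
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    foreach ($r in $rows) {
        $methods = @($r.methodsRegistered)
        # Device-bound and synced passkeys appear as passKey* values, classic FIDO2
        # keys as fido2SecurityKey (names as observed at time of writing). Push, SMS
        # and password are deliberately not counted: they are not phishing-resistant.
        $hasPasskey = [bool]($methods | Where-Object { $_ -like 'passKey*' -or $_ -eq 'fido2SecurityKey' })
        [pscustomobject]@{
            UserPrincipalName = $r.userPrincipalName
            IsAdmin           = $r.isAdmin
            HasPasskey        = $hasPasskey
            Methods           = ($methods -join ',')
        }
    }
}

$report = @(Get-PasskeyRegistrationReport)
$total  = $report.Count
$done   = @($report | Where-Object HasPasskey).Count
"{0} of {1} users ({2:P0}) have a passkey registered" -f $done, $total, ($done / [math]::Max($total, 1))

# Admins without a passkey are the first follow-up list; everyone else goes to their manager.
$report | Where-Object { -not $_.HasPasskey } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, Methods |
    Export-Csv -Path .\passkey-not-registered.csv -NoTypeInformation   # assumed output path
```

Run it at the start and end of Week 3 and keep both CSVs; the difference is the number the manager follow-up has to close, and any admin account still on the list at the end of the week is a blocker for the Week 4 policies.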
Week 4: Tighten Conditional Access
Once the majority of users have registered passkeys, configure conditional access policies that strengthen your M365 security posture:
- Require phishing-resistant authentication for accessing sensitive applications (finance systems, HR platforms, admin portals)
- Require re-authentication for risky sign-ins detected by Entra ID Protection (unfamiliar location, impossible travel, anonymous IP); note that risk-based conditions need Entra ID P2, which Business Premium and E3 do not include, so tenants on P1 should scope this to admin accounts or skip it rather than assume it applies
- Set a timeline for making a password-only sign-in insufficient for users who have registered passkeys (start with a 60-day grace period); in Entra this is done by requiring a phishing-resistant authentication strength in conditional access, not by removing the password from the account
Don’t enforce any of this globally on day one. Create each policy in report-only mode first and read the report-only results in the sign-in logs for a week, and always exclude your emergency-access (break-glass) accounts so a policy mistake cannot lock administrators out. Some legacy applications or VPN clients may not support passkey authentication yet. Audit your application portfolio during the pilot phase and identify anything that still requires a password. Those applications need a migration plan or an exception in your conditional access policy.
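The two Week 4 policies as a script, added as an example that is not part of the original article and is not Microsoft’s own code. It creates both in report-only mode through Microsoft Graph PowerShell, using Entra’s built-in “Phishing-resistant MFA” authentication strength. The group and application IDs are placeholders you replace with your own object IDs, and the second policy assumes Entra ID P2, since sign-in risk conditions are not available on P1.

```powershell
# Added example: create the Week 4 conditional access policies in report-only mode.
# Assumes the Microsoft.Graph module is installed; the three IDs below are
# placeholders, not real tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$graph           = "https://graph.microsoft.com/v1.0"
$financeGroupId  = "<object id of the Finance + Executives group>"      # placeholder
$breakGlassGroup = "<object id of the emergency-access accounts group>"  # placeholder, always excluded
$financeAppIds   = @("<app id of the finance/ERP enterprise app>")      # placeholder

# Built-in Entra authentication strength "Phishing-resistant MFA":
# satisfied by passkeys/FIDO2, Windows Hello for Business and certificate-based auth,
# never by password + push, so password-only sign-in stops being enough.
$phishingResistantStrength = "00000000-0000-0000-0000-000000000004"

function New-ReportOnlyCaPolicy([hashtable]$policy) {
    # Report-only: evaluated and logged, not enforced. Flip to "enabled" after review.
    $policy.state = "enabledForReportingButNotEnforced"
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Policy 1: finance and executives must present a phishing-resistant credential for finance apps.
$financePolicy = @{
    displayName   = "CA-Passkey-01 Finance apps require phishing-resistant MFA"
    conditions    = @{
        users          = @{ includeGroups = @($financeGroupId); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = $financeAppIds }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrength }
    }
}

# Policy 2 (needs Entra ID P2): medium/high sign-in risk forces a fresh
# phishing-resistant authentication on every request instead of trusting the session.
$riskPolicy = @{
    displayName     = "CA-Passkey-02 Risky sign-in requires fresh phishing-resistant MFA"
    conditions      = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls   = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrength }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = @($financePolicy, $riskPolicy) | ForEach-Object { New-ReportOnlyCaPolicy $_ }
$created | ForEach-Object { "{0}  state={1}  id={2}" -f $_.displayName, $_.state, $_.id }
```

Before enforcing either policy, filter the sign-in logs on the report-only result for that policy ID: every “would have failed” entry is a user, device or application that would be blocked on enforcement day, and that list is the Week 4 to-do list.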
What Your IT Provider Should Be Doing About This
If you work with a managed IT provider or MSP, they should already be talking to you about passkey rollout. Specifically, they should be:
- Auditing your Entra ID authentication methods to identify what’s currently enabled and what needs to change
- Testing passkey compatibility across your device fleet and applications
- Building the conditional access policies that enforce phishing-resistant authentication for your most sensitive accounts
- Planning the January 2027 transition so the removal of security questions doesn’t create a gap in your password reset process
- Training your employees on passkey registration and answering questions during the rollout
If your IT provider hasn’t mentioned passkeys, ask them directly: “What is your plan for enabling Entra ID passkeys in our tenant, and what’s the timeline?” The feature is included in licenses you already pay for and is already available. There’s no technical reason to wait, only organizational inertia. A provider that isn’t proactively planning this rollout is behind the curve on a change Microsoft is clearly steering every tenant toward.
Need Help Rolling Out Passkeys?
Our team can configure Entra ID passkeys, build conditional access policies, and manage the rollout across your organization.
Get a Free Assessment