Microsoft Rolls Out Entra Passkeys on Windows for Phishing-Resistant Auth in Late April

Microsoft is deploying passkey support for Entra ID-protected resources on Windows devices starting late April 2026. The rollout enables phishing-resistant, passwordless authentication for Entra-joined and registered devices, replacing password and legacy MFA flows as the default for enrolled users.

Passkeys bound to Windows Hello are device-bound credentials that cannot be phished or replayed — a significant improvement over TOTP and push-notification MFA. Security teams using Entra should validate their Conditional Access policies to require phishing-resistant MFA and plan migration of service accounts and shared device scenarios, which require additional handling outside the standard passkey flow.