Synced Passkeys in Microsoft Entra for Phishing-resistant MFA
Register, sync, and use passkeys with just your device’s camera and biometrics, making authentication seamless, fast, and phishing-resistant.
Secure sign-in across all your devices without relying on passwords or extra apps using passkeys in Microsoft Entra.
As an admin, control who uses which passkey type, streamline recovery with Verified ID, and automatically remediate risk in real time.
In the feature video Jarred Boone, Identity Security Senior Product Manager, shows how users can access work apps safely, confidently, and efficiently while reducing help desk overhead.
Passkeys
In an era where cyber threats are increasingly sophisticated, traditional authentication methods like passwords and even some forms of multi-factor authentication (MFA) are vulnerable to phishing attacks. Enter passkeys: a modern, standards-based approach to authentication that leverages FIDO2 technology to provide strong, phishing-resistant credentials.
Microsoft Entra ID (formerly Azure Active Directory) has embraced this innovation, supporting both device-bound and synced passkeys to enable secure, passwordless sign-ins across devices and applications. Synced passkeys, in particular, offer a balance of convenience and security by allowing credentials to sync seamlessly across multiple devices, making them an ideal solution for organizations aiming to enhance MFA without sacrificing user experience.
This article explores synced passkeys in Microsoft Entra ID, their role in phishing-resistant MFA, implementation steps, security considerations, and best practices. As of early 2026, this feature remains in preview but represents a significant step toward widespread adoption of passwordless authentication.
Understanding Passkeys in Microsoft Entra ID
Passkeys are phishing-resistant credentials rooted in the FIDO2 standard, which uses public key cryptography to authenticate users without transmitting secrets that could be intercepted or replayed. In Microsoft Entra ID, passkeys serve as a multifactor authentication method when paired with a user’s device biometrics (e.g., face recognition or fingerprint) or a PIN.
The sign-in flow is: the user initiates a sign-in, Microsoft Entra ID issues a cryptographic challenge, and the authenticator signs it with the private key. Because the signed data also covers the identity of the relying party (RP), the response is valid only for the legitimate RP and cannot be presented to it by an impersonator.
There are two primary types of passkeys:
- Device-Bound Passkeys: These store the private key exclusively on a single physical device, such as a smartphone via the Microsoft Authenticator app or a hardware security key. The key never leaves the device, providing high assurance through hardware enclaves and supporting attestation to verify the authenticator’s authenticity.
- Synced Passkeys: Unlike device-bound variants, synced passkeys store the private key in a cloud-based passkey provider (e.g., Apple iCloud Keychain, Google Password Manager, or third-party managers like 1Password) and synchronize it across devices linked to the same account. This enables effortless onboarding and recovery, as users can access their credentials on new devices without re-registering. However, synced passkeys do not support attestation, meaning they lack proof of the authenticator’s origin.
Synced passkeys integrate with native device unlock mechanisms, allowing sign-ins in as little as 3 seconds—14 times faster than traditional password-plus-MFA flows—and boasting a 95% success rate compared to 30% for legacy methods. They enable single sign-on (SSO) to cloud and on-premises resources, including hybrid-joined Windows 11 devices.
Benefits of Synced Passkeys
The primary advantage of synced passkeys is their ability to deliver phishing-resistant MFA with minimal friction. Traditional MFA methods like SMS codes or push notifications are susceptible to social engineering, where attackers trick users into approving fraudulent requests.
Passkeys counter this through verifier impersonation resistance: the credential is bound to the specific site or app, preventing it from being used on phishing sites. Public key cryptography ensures no reusable secrets are shared, thwarting replay attacks.
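The challenge-response flow described under "Understanding Passkeys" and the verifier impersonation resistance just discussed, as an added Go example that is not Microsoft's code or code from the page: a simplified WebAuthn "get" assertion in which the authenticator signs the RP ID hash together with the browser-reported origin and the server's challenge, and the relying party rejects an assertion produced on a look-alike origin or replayed against a fresh challenge. The RP name rp.example, the look-alike origin and the nonces are constructed values, and the clientData field names are simplified from the real format.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
type clientData struct{ Type, Challenge, Origin string }       // what the browser hands the authenticator
type assertion struct{ AuthData, ClientJSON, Sig []byte }      // AuthData = SHA-256(rpId) || flags byte
// Authenticator side (identical for synced and device-bound passkeys); the browser, not the user, fills Origin.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	authData := append(rpHash[:], 0x05) // flags: user present + user verified
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...)) // ES256 signs authData || cdHash
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return assertion{authData, cd, sig}, err
}
// Relying-party side: challenge, origin and rpIdHash are all checked before the signature is.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed, stale or unknown challenge: possible replay")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was produced on another site")
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another RP")
	}
	cdHash := sha256.Sum256(a.ClientJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Sig) {
		return errors.New("signature invalid")
	}
	return nil
}
// Demo: a legitimate sign-in, one phished on a look-alike site, and a replay (all names are constructed).
func Demo() (legit, phished, replayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin = "rp.example", "https://rp.example"
	a, _ := authenticatorSign(priv, rpID, origin, "nonce-1")
	legit = verifyAssertion(&priv.PublicKey, a, rpID, origin, "nonce-1")
	p, _ := authenticatorSign(priv, rpID, "https://rp-example.test", "nonce-2") // browser on the look-alike site
	phished = verifyAssertion(&priv.PublicKey, p, rpID, origin, "nonce-2")
	replayed = verifyAssertion(&priv.PublicKey, a, rpID, origin, "nonce-3") // old assertion, new challenge
	return
}
```

In a real browser the phished case never reaches the RP at all, because the browser refuses to use a credential whose RP ID does not match the page's origin; the origin check shown is the server-side backstop.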
From a user perspective, registration is simple—often involving scanning a QR code with a device’s camera and confirming via biometrics. Once set up, passkeys sync automatically, allowing seamless authentication across devices without additional apps or passwords. This reduces help desk calls and improves productivity, with data showing near-perfect registration success rates.
For organizations, synced passkeys lower costs by replacing vulnerable MFA options and automating risk remediation through Conditional Access policies. High-risk sessions can be revoked in real-time, forcing re-authentication with a passkey to mitigate threats automatically. They also support account recovery via Microsoft Verified ID, using government-issued IDs and selfies to issue Temporary Access Passes (TAPs) without relying on passwords.
Security Considerations and Phishing Resistance
While synced passkeys enhance security over passwords and phishable MFA, they introduce trade-offs. By syncing the private key to the cloud, they expand potential attack vectors, as the key leaves the device’s secure enclave and enters a provider’s ecosystem. This dilutes the “something you have” factor compared to device-bound passkeys, where the key remains isolated.
Phishing resistance stems from FIDO2’s design: credentials cannot be shared or replayed, and a credential is only ever released to the RP it was registered for. Synced passkeys are treated with the same security posture as unattested authenticators, which is suitable for most scenarios but not for high-assurance environments where attestation is required. For elevated privileges, organizations should enforce device-bound passkeys with attestation.
A further risk is that the convenience of syncing leads to complacency about where credentials live; this can be mitigated with layered controls such as device compliance checks and location-based restrictions.
Enabling and Configuring Synced Passkeys
To implement synced passkeys in Microsoft Entra ID (preview as of January 2026), follow these steps:
- Prerequisites: Ensure your organization is enrolled in the Passkey profiles preview. You’ll need a Microsoft Entra ID tenant and Authentication Policy Administrator permissions. Device requirements include compatible platforms (e.g., iOS 16+ for Apple, Android 9+ for Google) and supported passkey providers.
- Enable in Admin Center: Sign in to the Microsoft Entra admin center, navigate to Security > Authentication methods > Policies. Select Passkey (FIDO2) > Configure, then add or edit a profile. Choose “Synced (preview)” as the target type and save. Assign profiles to user groups for granular control—e.g., synced for general users, device-bound for admins.
- Advanced Configuration: Enforce attestation for device-bound passkeys via Authenticator Attestation GUIDs (AAGUIDs). Integrate with Conditional Access for risk-based policies.
Disabling synced passkeys in a profile invalidates the existing synced registrations of the users it targets, so they cannot sign in with those passkeys until the profile is re-enabled.
Registration and Usage
Users register synced passkeys by scanning a QR code during sign-in and authenticating with biometrics or PIN. The private key syncs across devices via the provider’s cloud, enabling cross-device authentication (e.g., from iPhone to Mac). For usage, users select the passkey option at sign-in, unlocking with their device’s native method—no extra apps required.
In practice, this supports scenarios like signing into Microsoft 365 apps on new devices seamlessly. Limitations include lack of support on certain platforms (e.g., Windows for Apple Passwords) and the preview status, which may evolve.
Best Practices and Risk Mitigation
Adopt a tiered approach: Use hardware keys for privileged (Tier 0) users, device-bound passkeys for executives (Tier 1), and synced passkeys for the broader workforce. Leverage Passkey Profiles for group-specific settings, combining them with Conditional Access, mobile application management, and risk detection to offset syncing risks.
Monitor adoption carefully, prioritizing security gains while managing rollout to avoid resistance. For high-assurance needs, restrict to attested device-bound passkeys.
Conclusion
Synced passkeys in Microsoft Entra ID mark a pivotal advancement in phishing-resistant MFA, blending robust security with user-friendly syncing to eliminate passwords and vulnerable authentication methods.
By implementing this technology thoughtfully—with attention to profiles, policies, and tiered controls—organizations can significantly reduce phishing risks and streamline access management. As the feature matures beyond preview, it promises to become a cornerstone of modern identity security.