Microsoft is expanding passwordless security across Windows by introducing passkey authentication through Microsoft Entra. The new capability allows users to sign in to Entra-protected resources using Windows Hello instead of traditional passwords, adding stronger resistance against phishing attacks and credential theft.
The feature will roll out as an opt-in public preview starting in mid-March 2026 and continuing through late April for global Microsoft 365 tenants. Government cloud environments will receive the preview shortly after, with deployments scheduled between mid-April and mid-May. Once enabled, the update allows organizations to adopt passkeys as an authentication method on Windows devices.
Passkeys generated through Entra are tied directly to the device where they are created. They are stored securely inside the Windows Hello container and verified using biometric authentication such as facial recognition or fingerprint scanning, or through a PIN. Because the passkey never leaves the device and is not transmitted across the network, attackers cannot capture it through phishing campaigns or many forms of malware designed to steal login credentials.
One of the most significant aspects of the update is support for unmanaged Windows devices. Until now, passwordless authentication with Entra primarily focused on machines that were joined or registered with an organization’s directory. Personal computers or shared systems often still required passwords when accessing corporate resources. Passkeys close that gap by allowing users to authenticate securely even when the device is not formally enrolled in the organization’s environment.
Each Entra account creates its own passkey for every device used. A single machine can hold multiple passkeys tied to different accounts, but they remain locked to that device and cannot be synchronized across systems. If a user signs in from another computer, a new passkey must be registered there.
Organizations that want to participate in the preview will need to enable FIDO2 authentication within Microsoft Entra and create a passkey profile that includes the required Windows Hello identifiers. Administrators can then assign the policy to selected groups and allow users to begin registering passkeys on supported systems.
Microsoft notes that Windows Hello for Business will remain the primary authentication approach for managed corporate devices that are already joined to Entra. The new passkey support is intended to complement that environment by securing devices outside traditional management boundaries. Passkeys also cannot be used for signing directly into the Windows operating system itself. They are designed to authenticate access to Entra-protected services and applications.
The company has been steadily pushing toward a future without passwords. In 2024 Microsoft introduced passkey support for personal Microsoft accounts and integrated passkey management directly into Windows Hello. A year later, it announced that newly created Microsoft accounts would be passwordless by default. Bringing passkeys into Entra for Windows devices continues that strategy by extending phishing-resistant authentication deeper into enterprise environments.
The shift reflects a broader industry move away from passwords, which remain one of the weakest links in modern security. Passkeys rely on cryptographic keys that are far harder to steal or reuse. By binding authentication to both the user and the device, the model significantly reduces the risk posed by phishing, credential stuffing, and brute-force login attempts.
For organizations that rely heavily on Microsoft 365, the preview offers a glimpse of what the next phase of identity security may look like. Passwords are still supported, but their role continues to shrink as passkeys and other hardware-backed authentication methods become more widely adopted.
