Microsoft Entra ID Synced Passkeys Preview

Introduction: why this matters

MFA adoption continues to rise, but many organizations still struggle with user friction, training overhead, and helpdesk cost—especially when users lose access to their authentication methods. At Ignite 2025, Microsoft introduced synced passkeys and high-assurance account recovery for Entra ID, now available in public preview, aiming to make strong authentication easier to deploy and simpler for end users.

What’s new

1) Synced passkeys (public preview)

Synced passkeys remove passwords entirely and let users sign in using biometrics or a device PIN, with passkeys syncing across devices via platforms like iCloud Keychain and Google Password Manager.

Key benefits highlighted by Microsoft:

• Higher sign-in success versus legacy methods (Microsoft consumer data cited: 95% vs 30%).
• Faster sign-in compared to password + code-based MFA (cited: 14x faster).
• Phishing-resistant authentication, reducing exposure to credential theft and OTP interception.
• Broad native OS support across major platforms.

2) Passkey profiles for granular admin control

To address common rollout concerns (enrollment friction, inconsistent UX, helpdesk tickets), Entra ID introduces group-based configuration for passkey authentication.

Admins can define requirements per group, such as:

• Attestation requirements
• Passkey type (device-bound vs synced)
• Specific passkey provider controls

This shifts passkeys from a single tenant-wide toggle to a policy-driven deployment model aligned with real-world personas and risk profiles.

3) High-assurance account recovery with ID + biometrics (public preview)

When users lose access to their normal sign-in methods (including passkeys), recovery becomes the weak link—and a target for impersonation and social engineering. Microsoft’s new recovery flow uses government-issued ID verification plus an AI-powered biometric match.

How it works:

• Users select “Recover my account” in the Entra sign-in experience.
• They complete remote document verification (e.g., driver’s license, passport).
• They perform a Face Check (liveness + selfie matched to the ID photo) using Microsoft Entra Verified ID Face Check powered by Azure AI services.
• Entra ID matches verified attributes (e.g., name/address) against the organization’s directory/HR system.
• After recovery, users are prompted to register a synced passkey to reduce future lockouts.

Organizations can choose ID verification providers via the Microsoft Security Store: Idemia, LexisNexis, and AU10TIX, with coverage across 192 countries.

Impact for IT admins and end users

• Lower helpdesk volume and cost by reducing password resets and fragile recovery methods.
• Improved security posture by pushing phishing-resistant auth and stronger recovery controls.
• More predictable deployments using group-scoped passkey profiles and staged enablement.
• Better end-user experience with fewer codes, fewer failures, and a guided recovery journey.

Action items / next steps

1. Pilot synced passkeys with a controlled user group; validate device/platform readiness and user communications.
2. Create passkey profiles by persona (e.g., frontline, contractors, privileged admins) and define provider/attestation requirements.
3. Evaluate account recovery requirements (privacy, compliance, HR attribute matching) and run simulations before production enablement.
4. Select an IDV provider in Microsoft Security Store and plan operational support for recovery scenarios.

Licensing notes

• Passkeys: Included for all Microsoft Entra ID customers
• Account recovery: Included with Microsoft Entra ID P1
• Face Check: Add-on per verification or included with Microsoft Entra Suite
• Government ID check: Pay-per-verification via Microsoft Security Store