If you’ve been following the passwordless journey in Microsoft Entra ID, you already know passkeys have been around for a while. But until now, FIDO2 in Entra essentially meant hardware security keys – practical for your admins, not so much for 5,000 end-users who lose USB dongles faster than you can ship them.
With the March 2026 update, that changes. Synced passkeys are now GA.
## Synced vs. Device-Bound – What’s the Difference?
| Type | Stored On | Survives Device Loss | Use Case |
|---|---|---|---|
| Device-bound passkey | Single device or security key | No | Privileged accounts, high-security roles |
| Synced passkey | Cloud-synced provider (iCloud Keychain, Google Password Manager, 1Password, etc.) | Yes | Broad workforce rollout |
Synced passkeys are still FIDO2-based and still phishing-resistant. The difference is they follow the user across devices. Lost your laptop? Your passkey is already on your phone.
## What Shipped Alongside It
This wasn’t a standalone release. Microsoft also GA’d passkey profiles, which let you define multiple FIDO2 policies targeting different user groups. That means you can enforce device-bound passkeys for Global Admins while allowing synced passkeys for standard users – same authentication methods policy, different profiles.
On top of that, the Conditional Access Optimization Agent (public preview) now supports automated passkey adoption campaigns. It assesses readiness, generates rollout plans, and creates policies in report-only mode before enforcement. And no – it doesn’t flip switches without your approval.
## Getting Started
- Navigate to Entra admin center > Authentication methods > Passkeys (FIDO2)
- Create a passkey profile for your target group
- Allow synced passkey providers (iCloud Keychain, Google, third-party)
- Assign the profile to a security group
- Monitor adoption through the authentication methods activity report
For bulk FIDO2 provisioning, check out MichaelGrafnetter/webauthn-interop – a .NET library with a PowerShell module for registering passkeys on behalf of users via Graph API.
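Once profiles are assigned, the thing worth verifying is that the split actually holds: privileged users should hold only device-bound passkeys. The audit below is an added example (not code from the post or from webauthn-interop) that classifies registered FIDO2 methods by AAGUID and flags synced-provider passkeys on privileged accounts. It assumes input shaped like the `value` array of Graph's `GET /users/{id}/authentication/fido2Methods`; the AAGUIDs, user names and method records are constructed placeholders, and the privileged-user set stands in for your directory-role membership.

```python
from dataclasses import dataclass

# Placeholder AAGUIDs standing in for synced-passkey providers (constructed, not
# real values). Replace with the AAGUIDs of the providers your passkey profile
# allows; each provider publishes its own.
SYNCED_PROVIDER_AAGUIDS = {
    "00000000-0000-4000-8000-000000000001": "Example synced provider A",
    "00000000-0000-4000-8000-000000000002": "Example synced provider B",
}

# Constructed sample data shaped like the 'value' array returned by
# GET /users/{id}/authentication/fido2Methods (id, displayName, model, aaGuid).
SAMPLE_METHODS = {
    "admin@example.com": [
        {"id": "m1", "displayName": "Desk hardware key", "model": "Hardware key",
         "aaGuid": "11111111-2222-4333-8444-555555555555"},
        {"id": "m2", "displayName": "Phone passkey", "model": "Provider A",
         "aaGuid": "00000000-0000-4000-8000-000000000001"},
    ],
    "alice@example.com": [
        {"id": "m3", "displayName": "Laptop passkey", "model": "Provider B",
         "aaGuid": "00000000-0000-4000-8000-000000000002"},
    ],
}
PRIVILEGED_USERS = {"admin@example.com"}  # e.g. members of Global Administrator

@dataclass
class Finding:
    user: str
    method_id: str
    display_name: str
    provider: str

def classify(method: dict) -> str:
    """'synced' if the AAGUID belongs to a synced provider, else 'device-bound'."""
    aaguid = method.get("aaGuid", "").lower()  # Graph returns lowercase GUIDs
    return "synced" if aaguid in SYNCED_PROVIDER_AAGUIDS else "device-bound"

def audit(methods_by_user: dict, privileged: set) -> list:
    """Return one Finding for every synced passkey held by a privileged user."""
    findings = []
    for upn, methods in methods_by_user.items():
        if upn not in privileged:
            continue  # synced passkeys are fine for the standard workforce
        for m in methods:
            if classify(m) == "synced":
                provider = SYNCED_PROVIDER_AAGUIDS[m["aaGuid"].lower()]
                findings.append(Finding(upn, m["id"], m.get("displayName", ""), provider))
    return findings
```

Run `audit(SAMPLE_METHODS, PRIVILEGED_USERS)` to see the admin's phone passkey flagged; with live data, feed it the per-user `fido2Methods` results and your role membership instead.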
## Further Reading
- Daniel Bradley – How to Setup Synced Passkeys for iCloud Keychain
- Merill Fernando – Microsoft Is Auto-Enabling Passkeys
- Microsoft Entra Blog – Synced Passkeys and High Assurance Account Recovery
- Microsoft Learn – How to enable passkeys (FIDO2) in Microsoft Entra ID
## Wrap Up
Synced passkeys remove the hardware logistics barrier that kept phishing-resistant MFA out of reach for most organizations. Combined with passkey profiles and the new CA optimization agent, you now have the tooling to roll this out at scale – without shipping a single USB key. If you’ve been waiting for the right moment to push passwordless beyond your admin accounts, this is it.