Passkey in Entra – Setup scenarios
While passkeys are now GA in Entra, setting up the policies and testing the user experience is still a bit confusing. We have done some testing, so that you don't have to.

Chief Consultant

FIDO keys and passkeys are quickly becoming the most important protection against AiTM in Entra (article in Norwegian). We have seen a lot of different issues when companies start using passkeys for their Entra sign-ins.
Note that the user experience for setting up passkey is still in development, and your experience might differ from the one we are getting at the time of writing.
Note that we are not including Windows Hello for Business and other phishing-resistant MFA methods here. The experience is from a device that is not joined to Entra.
- If you are using the built-in «Phishing-Resistant MFA» authentication strength, the users need a “regular” MFA to be able to set up a passkey. This probably works great for existing users but might be a problem for new users, where you will have to add an MFA method to the user first.
- If you are using a custom authentication strength policy that accepts both TAP and FIDO, you can use a TAP to set up FIDO. This eases the setup for new users who don’t have MFA set up already, as they can be given a TAP.
- If you have external users using Passkey, consider disabling “Force Attestation”.
1. Built-in Phish-resistant MFA strength
The first set of tests are against the built-in authentication strength “Phishing-resistant MFA”.
The Conditional Access Policy is simple. The test user is targeted, and the only Access Control is “Require Authentication Strength” -> “Phishing-resistant MFA”.
Conditional Access Policy, Require Phishing-resistant MFA.
Test 1.1: Username and password, no registered MFA method
The scenario here is a new user in a company that hasn’t had MFA set up previously. They are signing in for the first time with their username and password.
The result of the sign in is as follows:
Error box, “Contact your admin: To create a passkey, you need to sign in using multi-factor authentication. Contact your admin to enable additional methods to support this”
The result is that the sign-in fails. The reason is that the system requires MFA to set up a passkey/FIDO key, and as no MFA is set up for the user the sign-in fails. Having FIDO/passkey as the only MFA will therefore not work unless you have a different way of getting into the account for the first time.
Test 1.2: Username and password, MFA method prepopulated
The scenario here is a new user in a company who has had MFA created for them already, or an existing user that has used MFA before and is now moving to a passkey.
The user signs in and is asked for their MFA.
At the time of writing you get quite a lot of redirects here, but eventually you will end up in the passkey wizard.
Passkey wizard: Add a passkey for more secure sign in
Test 1.3: Username and Temporary Access Pass
You would think that using the Temporary Access Pass (TAP) would be a great way to bypass the requirement of using MFA for setting up Passkey. I am not sure if this is a bug, but at the time of writing this doesn’t work. I am redirected in a circle for some time before being signed out again.
Sign in error. We couldn’t sign you in. Please try again.
2. Custom authentication strength with TAP and Passkey (FIDO)
For our next set of tests, we are using a custom authentication strength where we have added TAP and Passkey (FIDO) as the approved authentication flows.
Custom authentication strength where “Passkey (FIDO2)” and “Temporary Access Pass” are enabled.
The Conditional Access Policy is the same, but with the Authentication Strength changed to our custom one.
Conditional Access Policy where the custom authentication strength from the previous image is set as a requirement.
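As an added example (not code from the original post), this Microsoft Graph PowerShell script creates the custom authentication strength from the screenshot above and a Conditional Access policy that targets one test user, in report-only mode so the policy can be evaluated before it enforces. The display names and the test user's UPN are placeholders we chose; the Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example: custom authentication strength (FIDO2 + one-time TAP) and a
# report-only Conditional Access policy targeting a single test user.
# Assumptions: Microsoft Graph PowerShell SDK installed; display names and the
# UPN below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", `
                        "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Custom authentication strength. Multi-use TAP is left out on purpose:
#    the tests above show it signs the user in, but the passkey wizard does
#    not accept it as MFA, so only the one-time variant is useful here.
$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "Passkey onboarding (FIDO2 + one-time TAP)" `
    -Description "Lets new users bootstrap a passkey with a one-time TAP" `
    -AllowedCombinations @("fido2", "temporaryAccessPassOneTime")

# 2. Conditional Access policy scoped to the test user only.
$testUser = Get-MgUser -UserId "passkey.test@contoso.example"   # placeholder UPN
$caPolicy = @{
    displayName = "CA - Require passkey or one-time TAP (test)"
    state       = "enabledForReportingButNotEnforced"   # report-only while testing
    conditions  = @{
        users        = @{ includeUsers = @($testUser.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 3. Review the strength that was created (combinations are listed as strings).
Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $strength.Id |
    Select-Object DisplayName, PolicyType, AllowedCombinations
```

Switch the state to "enabled" only after the sign-in logs for the test user show the expected result, since an enforced policy with no usable method locks the user out (test 2.1).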
Test 2.1: Username and password, no registered MFA method
Mostly the same scenario as 1.1, and same result:
Error box, “Contact your admin: To create a passkey, you need to sign in using multi-factor authentication. Contact your admin to enable additional methods to support this”.
The result is that the sign-in fails. The reason is the same: the system requires MFA to set up a passkey/FIDO key, and as no MFA is set up for the user the sign-in fails. Having FIDO/passkey as the only MFA will therefore not work unless you have a different way of getting into the account for the first time.
Test 2.2: Username and password, MFA method prepopulated
Again, same as 1.2. The user is asked for their MFA and is then asked to set up a passkey.
Passkey wizard: Add a passkey for more secure sign in
Test 2.3: Username and Temporary Access Pass
With the custom policy the user experience changes. As TAP is defined as an accepted authentication flow, the sign-in with TAP lets the user in. And, because the TAP is accepted as a sign-in flow, you won’t be asked to set up a passkey.
The user will have to manually go to https://mysignins.microsoft.com/security-info to set up a passkey.
In my authentication strength policy, I only had Temporary Access Passes with “one-time use”. If you do the same and then create a multi-use temporary access pass for the user, the sign in will succeed, and you will be sent to the wizard for setting up passkey. This time the wizard will not proceed if you press “next”. It just reloads the page. I guess this is because it doesn’t accept that the multi-use TAP is valid as MFA, and you need an MFA to do the setup.
Multiple passkeys in Authenticator
While testing these scenarios, we came across an issue. If a user is setting up a passkey and has already signed in to Authenticator with a different account, this might fail. I am not sure if this is by design or a bug. The error comes when you try to save the passkey to your account (after naming it), saying “passkey not accepted”, and that you should delete the passkey in your Authenticator and create a new one.
Error: Passkey not accepted
The workaround for this is to set “Enforce attestation” to “No” in the passkey config. Note that disabling this has its own potential security issues, such as users registering FIDO keys that are not secure.
Passkey (FIDO2) settings. Enforce attestation highlighted.
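Before turning attestation enforcement off, it is worth knowing what else in the FIDO2 method policy still limits which authenticators can be registered. This added script (not from the original post) reads the tenant's FIDO2 configuration through the Graph API and flags the case where attestation is off and no AAGUID key restriction is active; it assumes the Graph PowerShell SDK is installed and that the caller can read authentication method policy.

```powershell
# Added example: review the FIDO2 authentication method configuration so that
# disabling attestation enforcement is a conscious, documented choice.
# Assumption: Microsoft Graph PowerShell SDK installed.
Connect-MgGraph -Scopes "Policy.Read.All"

$fido2 = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Summarise the settings that matter for passkey registration.
[pscustomobject]@{
    State               = $fido2.state
    AttestationEnforced = $fido2.isAttestationEnforced
    SelfServiceEnabled  = $fido2.isSelfServiceRegistrationEnabled
    KeyRestrictionOn    = $fido2.keyRestrictions.isEnforced
    KeyRestrictionType  = $fido2.keyRestrictions.enforcementType   # "allow" or "block"
    RestrictedAaguids   = ($fido2.keyRestrictions.aaGuids -join ", ")
}

# With attestation off and no AAGUID allow list, any FIDO2 authenticator can be
# registered; surface that combination for review rather than silently accepting it.
if (-not $fido2.isAttestationEnforced -and -not $fido2.keyRestrictions.isEnforced) {
    Write-Warning "Attestation is not enforced and no key restriction is active."
}
```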