Automatic Passkey Rollout Update
By John Savill's Technical Training
Passkey Profile Auto-Enablement in Entra ID: A Detailed Overview
Key Concepts:
- Passkeys: Cryptographic authentication mechanisms offering phishing resistance and fast authentication.
- Synced Passkeys: Passkeys that synchronize across a user’s devices within a specific ecosystem (Apple, Android, Chrome).
- Device-Bound Passkeys: Passkeys tied to a specific device (e.g., a USB dongle, authenticator app on a single phone) and do not synchronize.
- Attestation: Cryptographic verification of a passkey’s origin and integrity through hardware and a trusted root signing certificate (FIDO2).
- Passkey Profiles: Configurations within Entra ID that define the types of passkeys (device-bound, synced) and attestation requirements allowed in a tenant.
- Conditional Access: Entra ID policies that enforce additional security requirements beyond authentication, such as device management status.
- Registration Campaign: A feature to encourage users to register for a specific authentication method (now transitioning to promote passkey adoption).
1. The Benefits of Passkeys & Introduction to the Change
The video focuses on an upcoming change in Microsoft Entra ID regarding the automatic enablement of passkey profiles for tenants. Passkeys are highlighted as a significant security improvement over traditional authentication methods due to their inherent phishing resistance. This resistance stems from three key features: proximity requirements (Bluetooth, NFC, or USB connection between the device and the passkey), domain validation (preventing use on spoofed websites like microfive.com instead of microsoft.com), and speed of authentication.
The speaker emphasizes that passkeys are about authentication – proving a user’s identity – and are distinct from authorization, which determines what a user is allowed to access. Conditional Access policies in Entra ID can be layered on top of passkey authentication to enforce further security measures, such as requiring a managed device. As stated by the speaker, “The passkey strength is just one factor I can use as part of my conditional access.”
2. Device-Bound vs. Synced Passkeys: A Comparative Analysis
Previously, Entra ID supported two main types of passkeys: device-bound and synced.
- Device-bound passkeys were tied to a specific device, like a FIDO2 security key or the authenticator app on a single phone. They did not synchronize across devices. Attestation was a feature available with device-bound passkeys, providing cryptographic proof of the passkey’s origin through the device’s hardware and a trusted root signing certificate from FIDO2.
- Synced passkeys, which Entra ID began supporting more recently, synchronize within an ecosystem (Apple, Android, Chrome): a passkey created on one device in the ecosystem becomes available on every other device in that ecosystem, but it never syncs across different ecosystems.
A critical limitation of synced passkeys is the inability to utilize attestation. This is because there is currently no standardized method for verifying the integrity of a passkey when it can reside on multiple devices. The speaker clarifies, “with synced you cannot do that attestation because there is no agreed upon standard on hey how can a key be attestation approved and guaranteed if it could be on many different parts of hardware.”
3. Passkey Profiles and the Upcoming Auto-Enablement
The core of the update revolves around passkey profiles. Before this change, administrators could create passkey profiles to specify whether to allow device-bound and/or synced passkeys, and whether attestation was required. A profile could not simultaneously allow synced passkeys and require attestation.
Microsoft is now automatically enabling passkey profiles for all tenants. The configuration of this new default profile will be determined by the existing settings for FIDO2 authentication methods. Specifically:
- If attestation is currently enabled for FIDO2: The default profile will only allow device-bound passkeys.
- If attestation is currently disabled for FIDO2: The default profile will allow both device-bound and synced passkeys.
The rollout schedule is as follows:
- Worldwide (General): March (preparation), April-May (automatic enablement)
- GCC, GCC High, DoD: April (preparation), June (automatic roll out)
The speaker notes that any existing targeting configurations (e.g., assigning a passkey profile to specific user groups) will be carried over to the new default profile. Administrators can continue to create and refine additional passkey profiles to meet specific organizational needs.
4. Changes to the Registration Campaign
The registration campaign feature, previously used to encourage users to adopt methods like SMS or phone calls for MFA, is being updated to promote passkey adoption.
- If synced passkeys are enabled, the registration campaign will encourage users to set up synced passkeys.
- If only device-bound passkeys are enabled, the campaign will promote Microsoft Authenticator.
- If the registration campaign is disabled, it will remain disabled.
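A small pre-rollout check, written for this summary and not part of the video or Microsoft's tooling, that derives the expected default passkey profile (section 3) and the registration-campaign behaviour (section 4) from a tenant's existing FIDO2 method configuration. It parses the JSON shape that Microsoft Graph returns for the Fido2 authentication method configuration (properties such as isAttestationEnforced and includeTargets are real Graph fields); the sample document and the output field names are constructed for illustration, since the page does not give a schema for passkey profiles.

```python
import json

# Constructed sample of a Graph response for
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
# (real endpoint; the values below are made up for this example).
SAMPLE_FIDO2_CONFIG = json.dumps({
    "id": "Fido2",
    "state": "enabled",
    "isAttestationEnforced": True,
    "isSelfServiceRegistrationEnabled": True,
    "includeTargets": [
        {"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}
    ],
})


def predict_default_passkey_profile(fido2_json: str) -> dict:
    """Apply the mapping described for the auto-enablement:
    attestation enforced  -> device-bound only, attestation required
    attestation not set   -> device-bound and synced, no attestation
    Existing targeting (includeTargets) is carried over unchanged.
    The enable/disable toggle ('state') is not consulted: it disappears,
    because passkeys become enabled by default."""
    cfg = json.loads(fido2_json)
    attestation = bool(cfg.get("isAttestationEnforced", False))
    profile = {
        "allow_device_bound": True,          # hypothetical field name
        "allow_synced": not attestation,     # hypothetical field name
        "require_attestation": attestation,  # hypothetical field name
        "targets": cfg.get("includeTargets", []),
    }
    # Invariant from the video: a profile can never allow synced passkeys
    # and require attestation at the same time.
    assert not (profile["allow_synced"] and profile["require_attestation"])
    return profile


def predict_registration_campaign(profile: dict, campaign_enabled: bool) -> str:
    """Which method the updated registration campaign will promote."""
    if not campaign_enabled:
        return "disabled"            # a disabled campaign stays disabled
    if profile["allow_synced"]:
        return "synced passkey"
    return "Microsoft Authenticator"  # device-bound only


if __name__ == "__main__":
    prof = predict_default_passkey_profile(SAMPLE_FIDO2_CONFIG)
    print(json.dumps(prof, indent=2))
    print("campaign promotes:", predict_registration_campaign(prof, True))
```

Replace SAMPLE_FIDO2_CONFIG with the real Graph output for your tenant to see which default profile and campaign behaviour to expect before the enablement window.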
5. Technical Details & Entra ID Interface Changes
The video demonstrates the expected changes within the Entra ID interface. The existing FIDO2 authentication method enablement setting will disappear, as passkeys will be enabled by default. Administrators will then see a new “default passkey profile” under Authentication Methods > Policies. This profile will reflect the configuration determined by the existing attestation setting. The speaker emphasizes that existing profile targeting and Conditional Access policies will be honored.
6. Conclusion & Actionable Insights
The auto-enablement of passkey profiles in Entra ID represents a significant step towards enhancing security and improving the user experience. The key takeaway is that Microsoft is making passkeys more accessible while respecting existing configurations. Administrators should:
- Review their current FIDO2 authentication method settings to understand how the default passkey profile will be configured.
- Familiarize themselves with passkey profiles and consider creating additional profiles to tailor passkey access to different user groups.
- Monitor the rollout schedule and prepare for the changes in the Entra ID interface.
- Leverage Conditional Access policies to further strengthen security by combining passkey authentication with other factors like device compliance.
The speaker concludes with a call to action: “So the whole goal here is passkeys are very much superior when we think about the security. And so what they're going to do is enable them now for everyone as a choice.” This highlights Microsoft’s commitment to promoting a more secure authentication landscape through the widespread adoption of passkeys.