Lessons Learned from a FIDO2 Passkey Pilot in Microsoft Entra ID
Passwords have been the weakest link in security for decades. They’re easy to forget, easy to steal, and increasingly ineffective against modern threats. Many organizations are now moving toward phishing-resistant, passwordless authentication—and FIDO2 passkeys are leading the way.
This post shares real lessons learned from a pilot rollout of FIDO2 passkeys in Microsoft Entra ID (formerly Azure AD). The goal was simple: introduce passwordless authentication using FIDO2 security keys and passkeys in Microsoft Authenticator—without disrupting existing MFA workflows or causing user lockouts.
Here’s what worked, what didn’t, and what others should know before starting a similar journey.
1. Enable FIDO2 in Entra ID First — Or Users Won’t See It
One of the first surprises: users can’t register a passkey at https://mysignins.microsoft.com/security-info unless the method is explicitly enabled in the Authentication Methods policy.
✅ Lesson: In Entra ID, go to Protection → Authentication methods → Policies → Passkey (FIDO2). Enable it and scope it to a pilot group. Also, set Allow self-service setup to Yes.
2. Start with a Pilot Group — Don’t Go Tenant-Wide
Rolling out to everyone at once is risky. A small, tech-savvy pilot group helped uncover edge cases and refine documentation before scaling.
✅ Lesson: Use security groups to control who can register passkeys. Start small, gather feedback, and iterate.
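Lessons 1 and 2 together amount to one change: enable the Passkey (FIDO2) method, scope it to a pilot security group, and allow self-service setup. The following Microsoft Graph PowerShell script is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that a security group named "Passkey Pilot" already exists.

```powershell
# Added example (not from the original post): enable the Passkey (FIDO2) method
# for a pilot group with Microsoft Graph PowerShell. Assumes the Microsoft.Graph
# module is installed and a group named "Passkey Pilot" already exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Group.Read.All"

# Resolve the pilot group so only its members can register a passkey
$pilot = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'"
if (-not $pilot) { throw "Pilot group not found; create it before scoping the policy." }

$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true    # the "Allow self-service setup" toggle
    includeTargets                   = @(
        @{
            targetType             = "group"
            id                     = $pilot.Id
            isRegistrationRequired = $false   # do not force registration during the pilot
        }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" `
    -BodyParameter $fido2Policy

# Read the policy back and confirm it is enabled and scoped as intended
$check = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
"State:   $($check.State)"
"Targets: $($check.AdditionalProperties['includeTargets'] | ConvertTo-Json -Compress)"
```

Scoping with a group rather than "All users" is what keeps the change reversible: widening the pilot is a group membership edit, and rolling back is a single policy update rather than a tenant-wide surprise.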
3. Temporary Access Pass (TAP) Is a Must-Have
Some users lacked a second MFA method or were new hires. Without an existing MFA method, they couldn’t register a passkey—leading to support tickets.
✅ Lesson: Enable Temporary Access Pass in the Authentication Methods policy. TAP provides a secure, time-limited way for users to register a passkey without needing a password.
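The TAP policy and the act of issuing a pass are two separate steps; both are shown in this added example (not code from the original post). It assumes the Microsoft.Graph module, the same "Passkey Pilot" group, a placeholder user principal name, and that the signed-in admin holds an Authentication Administrator role, which is required to create a TAP for another user.

```powershell
# Added example (not from the original post): enable Temporary Access Pass for the
# pilot group and issue a one-time TAP to a new hire so they can register a
# passkey with no password and no existing MFA method. Assumes the Microsoft.Graph
# module, a "Passkey Pilot" group, and an admin holding Authentication Administrator.
$scopes = @(
    "Policy.ReadWrite.AuthenticationMethod",
    "UserAuthenticationMethod.ReadWrite.All",
    "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes

$pilot = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'"
if (-not $pilot) { throw "Pilot group not found." }

# 1. Policy: short lifetimes and single use keep a leaked pass nearly worthless
$tapPolicy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    defaultLength            = 12
    isUsableOnce             = $true
    includeTargets           = @(@{ targetType = "group"; id = $pilot.Id })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter $tapPolicy

# 2. Issue a one-time pass valid for one hour to a specific (placeholder) user
$newHire = "new.hire@contoso.example"   # placeholder UPN, replace with a real pilot member
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newHire -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

# Hand the code to the user out of band; Graph returns it only in this response
"TAP for ${newHire}: $($tap.TemporaryAccessPass) (valid $($tap.LifetimeInMinutes) min, single use)"
```

The one-time, one-hour defaults are the security point: a TAP is effectively a credential, so the policy caps how long any pass can live (`maximumLifetimeInMinutes`) regardless of what an individual helpdesk agent requests.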
4. Conditional Access Can Break Things — If You’re Not Careful
Conditional Access policies requiring phishing-resistant MFA can override preferred MFA methods. In one case, users with Microsoft Authenticator were forced into a passkey registration loop when CA required FIDO2.
✅ Lesson: Don’t enforce CA policies requiring FIDO2 until users have registered a passkey. Use Report-only mode first to identify readiness. Exclude the Security Info registration portal and Authenticator app from CA policies during onboarding to avoid lockouts.
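A report-only policy lets you see who would have been blocked without blocking anyone. This added example (not code from the original post) creates such a policy for the pilot group, requiring the built-in "Phishing-resistant MFA" authentication strength. It assumes the Microsoft.Graph module and two groups, "Passkey Pilot" and "Break Glass Accounts"; the latter is excluded so a misconfigured policy can never lock out emergency access.

```powershell
# Added example (not from the original post): create a Conditional Access policy in
# report-only mode that requires the built-in "Phishing-resistant MFA" authentication
# strength for the pilot group. Assumes the Microsoft.Graph module and two groups,
# "Passkey Pilot" and "Break Glass Accounts".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$pilot      = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $pilot -or -not $breakGlass) { throw "Pilot or break-glass group not found." }

# Look the strength up by display name rather than hard-coding its id
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in Phishing-resistant MFA strength not found." }

$policy = @{
    displayName = "PILOT - Require phishing-resistant MFA (report-only)"
    # Report-only: sign-ins are evaluated and logged, never blocked
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGroups = @($pilot.Id)
            excludeGroups = @($breakGlass.Id)   # never apply untested controls to emergency accounts
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in this state until the sign-in logs' report-only results show that every pilot member satisfies the strength; only then flip `state` to `enabled`. Flipping it earlier is exactly how the registration loop in the lesson above happens.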
5. Authenticator Passkeys Are Great — But Require Modern Devices
Many users preferred storing their passkey in Microsoft Authenticator. It’s smooth—but only works on iOS 17+ and Android 14+. Some users needed device updates or a physical security key.
✅ Lesson: Communicate device requirements clearly. Offer both Authenticator and physical key options.
6. Monitor, Support, and Iterate
Tracking registration progress and monitoring helpdesk tickets were critical to pacing the rollout and providing targeted support.
✅ Lesson: Use Entra ID reporting tools to monitor adoption. Adjust rollout speed based on support volume and user readiness.
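The adoption figure that drives rollout pacing can be pulled from the user registration details report and restricted to the pilot population. This added example (not code from the original post) does that and also lists pilot members with no MFA method at all, who are the ones that will need a TAP before they can enroll. It assumes the Microsoft.Graph module and a "Passkey Pilot" group, and it assumes that passkey methods appear in the MethodsRegistered field with names containing "fido2" or "passKey".

```powershell
# Added example (not from the original post): measure passkey adoption inside the
# pilot group with the user registration details report. Assumes the Microsoft.Graph
# module and a "Passkey Pilot" group. Method names are matched on the substrings
# "fido2" and "passKey" (an assumption about how passkey methods are reported), so
# both security keys and Authenticator passkeys count as registered.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All"

$pilot   = Get-MgGroup -Filter "displayName eq 'Passkey Pilot'"
if (-not $pilot) { throw "Pilot group not found." }
$members = Get-MgGroupMember -GroupId $pilot.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] } |
    Where-Object { $_ }   # drop nested groups or devices that carry no UPN

# The report has one row per user in the tenant; keep only the pilot population
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $members -contains $_.UserPrincipalName }

$rows = foreach ($d in $details) {
    [pscustomobject]@{
        User                  = $d.UserPrincipalName
        HasPasskey            = [bool]($d.MethodsRegistered -match 'fido2|passKey')
        IsMfaRegistered       = $d.IsMfaRegistered
        IsPasswordlessCapable = $d.IsPasswordlessCapable
        Methods               = ($d.MethodsRegistered -join ',')
    }
}

$done  = @($rows | Where-Object HasPasskey).Count
$total = @($rows).Count
$pct   = [math]::Round(100 * $done / [math]::Max($total, 1))
"Pilot passkey adoption: $done / $total users ($pct %)"

# Users with no MFA at all cannot self-register a passkey and will need a TAP
"Pilot members with no MFA method registered:"
$rows | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object User, Methods | Format-Table -AutoSize

# Keep a dated snapshot so adoption can be trended across the pilot
$rows | Export-Csv -Path ".\passkey-pilot-adoption-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it on a schedule and compare the CSV snapshots: a flat adoption curve alongside rising helpdesk volume is the signal to slow the rollout and revisit the guides, while a curve that closes to 100 % is the precondition for moving any Conditional Access policy out of report-only mode.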
7. Communicate Early and Often
Clear communication made the difference. Step-by-step guides, FAQs, and live support sessions helped users understand benefits and registration steps.
✅ Lesson: Don’t assume users will figure it out. Proactive communication reduces confusion and builds trust.
Final Thoughts
Rolling out FIDO2 passkeys in Microsoft Entra ID is a powerful step toward a passwordless future—but it requires thoughtful planning. By enabling the right policies, using TAP for onboarding, and phasing enforcement through Conditional Access, organizations can introduce passkeys without disrupting users.
The next phase? Expanding the rollout organization-wide and enforcing phishing-resistant MFA for high-value applications and roles.
Have you started your passwordless journey? What challenges have you faced? Share your experiences below.