March 2026 is shaping up to be one of the most important months for Microsoft Entra ID administrators in recent memory.
Microsoft is automatically enabling passkey profiles in Entra ID, and if you don’t configure them yourself, your tenant will be migrated with default settings.
In this episode of Entra Chat, I sat down with Microsoft Security MVPs Daniel Bradley and Ewelina Paczkowska to break down what this really means for Microsoft 365 administrators.
But passkeys aren’t the only story this month.
1️⃣ Passkey Profiles Are Becoming the Default
Starting March 2026:
Passkey profiles will be auto-enabled
Tenants that haven’t configured profiles will be migrated
Registration campaigns will shift from Authenticator-first to passkey-first
This is a major shift toward phishing-resistant authentication.
You’ll now be able to:
Separate hardware-backed vs synced passkeys
Apply granular group-based controls
Enforce stronger authentication for privileged users
2️⃣ Source of Authority Conversion Is Finally GA
For years, admins used messy delete-and-restore hacks to convert synced users to cloud-only.
Now it’s officially supported.
You can convert individual users from on-premises authority to cloud-managed — without breaking hybrid entirely.
Why this matters:
Easier M&A transitions
Full access to Entra ID Governance features
Cleaner lifecycle management
Reduced dependency on legacy infrastructure
For hybrid environments moving toward cloud-first identity, this is huge.
3️⃣ App Registration Deactivation (A Quietly Powerful Feature)
Microsoft added the ability to deactivate app registrations.
Instead of deleting an app (and losing configuration), you can now:
Immediately stop token issuance
Preserve metadata and permissions
Investigate safely
Re-enable without rebuilding
For incident response scenarios — especially in multi-tenant or MSP environments — this is a big step forward.
4️⃣ Conditional Access Behavior Changes
There’s also a change impacting tenants with Conditional Access policies targeting “All resources” but excluding certain apps.
Previously, certain minimal-scope apps could bypass enforcement under specific conditions.
That loophole is closing.
Admins should:
Review message center notifications
Audit legacy apps
Validate MFA handling before rollout
As always with identity changes: being proactive is critical.
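To find the policies this change touches, the added example below (not from the episode or from Microsoft) filters a Conditional Access export for policies that include "All" resources and also list exclusions. It assumes the policies were exported as JSON from the Microsoft Graph `/identity/conditionalAccess/policies` endpoint; the sample data, display names and app IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like the Microsoft Graph response to
# GET /identity/conditionalAccess/policies (names and app IDs are placeholders).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "CA01 Require MFA - all resources", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-0000000000a1"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA02 Block legacy clients", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "CA03 Compliant device (pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-0000000000b2",
                            "00000000-0000-0000-0000-0000000000c3"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"displayName": "CA04 Retired policy", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-0000000000a1"]}},
  "grantControls": null}
]}
""")

def policies_with_resource_exclusions(export):
    """Return non-disabled policies that target all resources but exclude apps."""
    findings = []
    for policy in export.get("value", []):
        if policy.get("state") == "disabled":
            continue  # not evaluated at sign-in, so out of scope for this review
        apps = (policy.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if "All" in include and exclude:
            grant = policy.get("grantControls") or {}  # null for session-only policies
            findings.append({
                "policy": policy.get("displayName"),
                "state": policy.get("state"),
                "excluded_app_ids": sorted(exclude),
                "grant_controls": grant.get("builtInControls") or [],
            })
    return findings

for finding in policies_with_resource_exclusions(SAMPLE_EXPORT):
    print(json.dumps(finding))
```

Each finding lists the excluded app IDs and the grant controls on the policy, which gives a starting list for the legacy-app audit and MFA validation steps above.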
5️⃣ Sync Security Hardening (Hard Match Protection)
Microsoft is adding additional validation to protect against malicious hard matching scenarios in hybrid environments.
This reduces the risk of identity takeover via manipulated on-prem objects.
It’s automatic — but important to understand if you manage hybrid identity or MSP transitions.
Watch the full episode for the deep technical breakdown and real-world implications.
About Daniel Bradley
Daniel is a Senior Solution Architect for CDW and a Microsoft MVP in Identity & Graph API. He is an avid writer who enjoys investigating new features and building practical tools to share with the community through his blog. He is also one of the moderators for the r/entra subreddit.
Website: https://ourcloudnetwork.com
About Ewelina Paczkowska
Ewelina is a Solution Architect at Threatscape and a Microsoft Security MVP. She is a content creator and speaker who enjoys breaking down complex solutions into clear, practical guidance. Ewelina is also an organiser of the Microsoft 365 Security & Compliance user group and the creator behind Welka’s World, where she shares insights and real-world knowledge around Microsoft security and compliance.
Website: https://welkasworld.com
🔗 Related Links
MC1221452 - Microsoft Entra ID: Auto-enabling passkey profiles - https://mc.merill.net/message/MC1221452
Ability to convert Source of Authority of synced on-prem AD users to cloud users is now available - https://learn.microsoft.com/en-us/entra/identity/hybrid/user-source-of-authority-overview
Service Principal creation audit logs for alerting & monitoring - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/understand-service-principal-creation-with-new-audit-log-properties
Deactivate an app registration - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/deactivate-app-registration
MC1223829 - Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions - https://mc.merill.net/message/MC1223829
Microsoft Entra Connect security hardening to prevent user account takeover - https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---microsoft-entra-connect-security-hardening-to-prevent-user-account-takeover
📗 Chapters
06:16 Converting Source of Authority to Cloud
15:37 Auto-Enabling Passkey Profiles
24:33 Deactivating App Registrations
31:56 Conditional Access for Excluded Apps
38:48 Sync Jacking Protection
41:45 Unified Tenant Configuration Management
46:31 Service Principal Creation Logs