March 2026 is here! Synced Passkeys and Passkey Profiles rollout?
š¤ Matejās Copilot Brief
Microsoft is bringing Passkey Profiles and Synced Passkeys to General Availability in March 2026.
Until now, Microsoft Entra ID supported primarily device-bound passkeys. These credentials are stored on a specific device and cannot be synchronized across password managers or ecosystems such as Apple iCloud Keychain, Google Password Manager, 1Password, or Bitwarden.
Passkey Profiles introduce policy-based control over passkey usage. Administrators can define how passkeys are registered and enforced across users and groups.
Synced passkeys expand usability. They allow credentials to be securely synchronized across devices using supported password managers, improving cross-device experience and reducing registration friction.
The change addresses one of the key adoption barriers of passkeys: usability across multiple devices.
š§āš» Matejās Take
This was one of the missing pieces in Entra ID. Device-bound passkeys are technically stronger because the credential never leaves the device. However, adoption has been limited.
Users change devices. They reinstall operating systems. They expect portability.
Synced passkeys lower that friction.
Yes, they are slightly weaker than device-bound passkeys from a pure security standpoint. But they are still phishing-resistant and significantly stronger than traditional MFA methods such as OTP codes or push-based authentication vulnerable to advanced phishing attacks.
If the choice is between:
Synced passkey
SMS / OTP / weak MFA
The answer is clear.
This change moves Entra ID in the right direction.
Now the question is adoption.
š Action for Security Teams
Review the GA timeline and Message Center notification (MC1221452).
Understand the difference between device-bound and synced passkeys.
Define Passkey Profiles aligned with your risk appetite.
Pilot synced passkeys with security-savvy users first.
Update authentication strength policies if needed.