What changed
Microsoft updated the Microsoft Entra What’s new page for June 2026 with a useful identity change: registration campaigns now support passkeys (FIDO2) as an authentication method.
The practical meaning is simple. Admins can use a registration campaign to nudge users during sign-in to register a passkey, instead of relying only on email reminders, helpdesk instructions, or one-off rollout communication.
Microsoft describes this as General Availability. The first rollout experience is optimized for users who are in a passkey profile without restrictions.
Why admins should care
Passkeys are one of the cleaner paths toward phishing-resistant authentication in Microsoft Entra ID. The hard part is not only enabling the method. The hard part is getting real users to register it at scale without turning the rollout into manual chasing.
This change moves part of that adoption work into the sign-in flow.
For many Microsoft 365 environments, that is useful because passkey projects often get stuck between three teams:
- identity admins enable the method
- endpoint teams handle platform readiness
- service desk handles user guidance and exceptions
A registration campaign does not remove the need for planning, but it gives admins a more controlled way to push adoption once the prerequisites are ready.
What I would check first
I would not turn this on broadly before checking the basics.
First, go to Microsoft Entra admin center > Protection > Authentication methods and review the passkey / FIDO2 configuration. Confirm who is in scope, whether restrictions are configured, and whether the target users are actually ready to register.
Then check the registration campaign configuration under the authentication methods experience. The key question is not only “can users register?” but also “which users should be nudged now, and which users need a different path?”
For a first rollout, I would start with a pilot group that represents normal users, shared-device users if relevant, and a few support staff. That gives better feedback than testing only with admins.
Practical rollout / validation steps
A safe rollout pattern would look like this:
- Confirm passkey / FIDO2 is enabled for a small pilot group.
- Confirm the users are in a passkey profile that matches Microsoft’s current registration campaign behavior.
- Enable the registration campaign for the pilot group.
- Ask pilot users to sign in normally and document the registration prompt experience.
- Validate successful registration in the user’s authentication methods.
- Review sign-in logs and support tickets for friction before expanding.
- Expand by department, location, or user type instead of enabling everyone at once.
What I like about this change is that it supports a measured rollout. It does not force admins to make passkeys a big-bang project.
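For the validation step above, a script can report which pilot users actually have a passkey registered. This is an added example, not code from Microsoft or from the original post. It assumes the Microsoft Graph PowerShell SDK is installed, that passkeys are listed as FIDO2 methods on the user object, and that the pilot group ID is supplied by you.

```powershell
# Added example (not from the original post): passkey registration status for a pilot group.
# Needs the Microsoft Graph PowerShell SDK and a role allowed to read users' authentication methods.
param(
    [Parameter(Mandatory)]
    [string]$PilotGroupId   # object ID of your pilot group (placeholder, supply your own)
)

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null

# Direct members only (nested groups are not expanded); keep user objects, skip devices and groups.
$members = Get-MgGroupMember -GroupId $PilotGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    try {
        # Assumption: registered passkeys are returned as FIDO2 methods for the user.
        $keys = @(Get-MgUserAuthenticationFido2Method -UserId $m.Id -ErrorAction Stop)
        [pscustomobject]@{
            User     = $upn
            Status   = if ($keys.Count -gt 0) { 'Registered' } else { 'Pending' }
            Passkeys = $keys.Count
            Models   = ($keys.Model | Sort-Object -Unique) -join '; '
            Newest   = $keys.CreatedDateTime | Sort-Object -Descending | Select-Object -First 1
        }
    }
    catch {
        # A failed lookup gets its own status so it is never mistaken for "Pending".
        Write-Warning ('Lookup failed for {0}: {1}' -f $upn, $_.Exception.Message)
        [pscustomobject]@{
            User = $upn; Status = 'LookupFailed'; Passkeys = $null; Models = ''; Newest = $null
        }
    }
}

$report | Sort-Object Status, User | Format-Table -AutoSize

# Coverage summary to decide whether the pilot is ready to expand.
$total = @($report).Count
$done  = @($report | Where-Object Status -eq 'Registered').Count
if ($total -gt 0) {
    '{0} of {1} pilot users have a passkey registered ({2:P0})' -f $done, $total, ($done / $total)
}
```

Running it before enabling the campaign and again after pilot users have signed in gives a before/after view of how many registrations the nudge produced.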
Watch-outs
The Microsoft note says the first rollout experience is optimized for users in a passkey profile without restrictions. If your passkey configuration uses restrictions, test carefully before assuming the same user experience.
Also, registration is not the same as enforcement. A campaign can help users register passkeys, but Conditional Access and authentication strength policies still decide where phishing-resistant authentication is required.
I would also prepare a short helpdesk note before expanding. Users may ask what a passkey is, whether they need a phone, whether Windows Hello is involved, and what to do if registration fails.