Anavem
EnglishFrancais
Anavem
Languagefr
How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID

How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID

Deploy passkeys, FIDO2 security keys, and Windows Hello for Business in Microsoft Entra ID to eliminate passwords while blocking phishing attacks. Complete setup with Conditional Access enforcement.

April 26, 2026 15 min
mediumentra-id 9 steps 15 min

Why Deploy Phishing-Resistant Passwordless Authentication in Microsoft Entra ID?

Passwords remain the weakest link in organizational security, with 95% of successful cyberattacks involving compromised credentials. Traditional multi-factor authentication, while better than passwords alone, still falls victim to sophisticated phishing attacks that can intercept SMS codes or push notification approvals. Microsoft Entra ID's phishing-resistant passwordless authentication eliminates these vulnerabilities entirely.

As of April 2026, Microsoft has significantly expanded passwordless capabilities with the introduction of Microsoft Entra passkey on Windows (public preview launched March 2026), which enables device-bound passkeys in the Windows Hello container for both managed and unmanaged devices. Combined with existing options like FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys, organizations now have comprehensive tools to eliminate passwords while blocking phishing attacks.

What Authentication Methods Provide Phishing Resistance?

Phishing-resistant authentication methods use cryptographic proof that cannot be intercepted or replayed by attackers. Microsoft Entra ID supports several options: passkeys (including the new Windows passkey preview), FIDO2 security keys, Windows Hello for Business, platform credentials for macOS, and certificate-based authentication. Each method creates a unique cryptographic challenge-response that's bound to the specific service and cannot be used elsewhere, making phishing attacks impossible.

How Does This Improve Security and User Experience?

This deployment eliminates the most common attack vectors while actually improving user experience. Users no longer need to remember complex passwords, type lengthy codes, or approve push notifications that might be fraudulent. Instead, they authenticate using biometrics, PIN, or hardware tokens that provide both stronger security and faster sign-in. The result is a significant reduction in helpdesk password reset tickets and a measurable decrease in successful phishing attempts.

Implementation Guide

Full Procedure

01

Assess Current Environment and Plan Authentication Methods

Start by evaluating your organization's device landscape and user personas to select the right phishing-resistant methods. Microsoft Entra ID supports several options: passkeys (including the new Windows passkey preview), FIDO2 security keys, Windows Hello for Business, and certificate-based authentication.

Sign in to the Microsoft Entra admin center at entra.microsoft.com and navigate to Identity > Users > All users to review your user base. Document which users have:

  • Windows devices (Entra-joined, registered, or unmanaged)
  • Mobile devices with Microsoft Authenticator
  • Need for hardware security keys
  • Administrative privileges requiring high assurance

For new users without existing passwords, plan to use Temporary Access Pass (TAP) or Microsoft Entra Verified ID for bootstrapping their first phishing-resistant credential.

Pro tip: Start with a pilot group of 10-20 users from different departments to test the experience before organization-wide rollout.

Verification: Create a deployment matrix listing each user group and their recommended authentication method. This planning document will guide your implementation phases.

02

Enable Authentication Methods in Entra ID

Configure the authentication methods policy to enable phishing-resistant options. By default, FIDO2 security keys are disabled and must be manually enabled.

In the Microsoft Entra admin center, navigate to Protection > Authentication methods > Policies. You'll see a list of available methods:

# Check current authentication methods via PowerShell (optional)
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgPolicyAuthenticationMethodPolicy | Select-Object -ExpandProperty AuthenticationMethodConfigurations

Enable each method you plan to use:

  1. FIDO2 security keys: Click on "FIDO2 security keys" and set Enable to "Yes". Configure target users (start with your pilot group).
  2. Microsoft Authenticator: Ensure it's enabled and configure for passwordless phone sign-in.
  3. Windows Hello for Business: This is typically enabled through device management policies.

For the new Microsoft Entra passkey on Windows (public preview as of March 2026), opt-in via the Microsoft 365 message center notification that appeared in mid-March 2026.

Warning: Don't enable methods for all users immediately. Start with pilot groups to test the user experience and identify issues.

Verification: Run Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration to confirm your enabled methods show State: enabled.

03

Configure Temporary Access Pass for New Users

Set up Temporary Access Pass (TAP) to bootstrap new users without requiring an initial password. This is crucial for truly passwordless onboarding.

In the Entra admin center, go to Protection > Authentication methods > Policies > Temporary Access Pass. Configure these settings:

  • Enable: Yes
  • Target users: Select specific groups or all users
  • Minimum lifetime: 60 minutes
  • Maximum lifetime: 24 hours
  • Default lifetime: 8 hours
  • One-time use: Yes (recommended for security)

To create a TAP for a new user, navigate to Identity > Users > [Select User] > Authentication methods and click + Add authentication method:

{
  "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
  "startDateTime": "2026-04-26T09:00:00.000Z",
  "lifetimeInMinutes": 480,
  "isUsableOnce": true
}

Alternatively, use Microsoft Graph API to automate TAP creation:

# Create TAP via PowerShell
$userId = "user@contoso.com"
$tapParams = @{
    startDateTime = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    lifetimeInMinutes = 480
    isUsableOnce = $true
}
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId -BodyParameter $tapParams
Pro tip: Integrate TAP creation into your user provisioning workflow using Microsoft Graph API to automatically generate access passes for new hires.

Verification: Create a test TAP and confirm you receive the temporary password. Test signing in with it at myaccount.microsoft.com.

04

Deploy FIDO2 Security Keys Using Microsoft Graph API

For organizations using hardware security keys, provision FIDO2 keys on behalf of users using the Microsoft Graph API. This centralizes key management and ensures proper registration.

First, obtain the necessary Graph API permissions. You'll need UserAuthenticationMethod.ReadWrite.All scope:

# Connect with required permissions
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Provision FIDO2 key for a user
$userId = "user@contoso.com"
$fido2Params = @{
    displayName = "YubiKey 5 Series"
    model = "YubiKey 5C NFC"
    aaGuid = "cb69481e-8ff7-4039-93ec-0a2729a154a8"  # YubiKey AAGUID
}

# Create the FIDO2 method
New-MgUserAuthenticationFido2Method -UserId $userId -BodyParameter $fido2Params

For bulk provisioning, create a CSV file with user information and iterate through it:

# Bulk FIDO2 key provisioning
$users = Import-Csv "users.csv"  # Columns: UserPrincipalName, KeyModel, KeyAAGUID

foreach ($user in $users) {
    try {
        $fido2Params = @{
            displayName = "$($user.KeyModel) - $(Get-Date -Format 'yyyy-MM-dd')"
            model = $user.KeyModel
            aaGuid = $user.KeyAAGUID
        }
        
        New-MgUserAuthenticationFido2Method -UserId $user.UserPrincipalName -BodyParameter $fido2Params
        Write-Host "✓ Provisioned FIDO2 key for $($user.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        Write-Warning "Failed to provision key for $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}

Common FIDO2 key AAGUIDs for reference:

ManufacturerModelAAGUID
YubicoYubiKey 5 Seriescb69481e-8ff7-4039-93ec-0a2729a154a8
FeitianePass FIDO77010bd7-212a-4fc9-b236-d2ca5e9d4084
SoloKeysSolo 253414c54-4f4b-4554-5357-4f524b53484f
Warning: Users still need to physically register their keys by inserting them and following the enrollment flow. API provisioning only creates the method entry in Entra ID.

Verification: Check provisioned keys with Get-MgUserAuthenticationFido2Method -UserId "user@contoso.com" and confirm the key appears in the user's authentication methods.

05

Configure Microsoft Entra Passkey on Windows (Preview)

Enable the new Microsoft Entra passkey on Windows feature, which became available in public preview in March 2026. This allows device-bound passkeys in the Windows Hello container for unmanaged Windows devices.

First, check if your tenant received the opt-in notification. In the Microsoft 365 admin center, go to Health > Message center and look for the "Microsoft Entra passkey on Windows" announcement from mid-March 2026.

To opt-in to the preview:

  1. Navigate to the Microsoft Entra admin center
  2. Go to Identity > Authentication methods > Policies
  3. Look for "Microsoft Entra passkey (preview)" in the methods list
  4. Enable it for your pilot group

Configure the policy settings:

{
  "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
  "state": "enabled",
  "includeTargets": [
    {
      "targetType": "group",
      "id": "pilot-group-id",
      "isRegistrationRequired": false
    }
  ],
  "featureSettings": {
    "displayAppInformationRequiredState": {
      "state": "enabled",
      "includeTarget": {
        "targetType": "group",
        "id": "pilot-group-id"
      }
    }
  }
}

Users in the pilot group can now register passkeys on their Windows devices:

  1. Navigate to myaccount.microsoft.com
  2. Go to Security info > Add sign-in method
  3. Select "Passkey in Windows Hello"
  4. Follow the prompts to create a device-bound passkey using face, fingerprint, or PIN
Pro tip: Passkeys are per-account per-device, so users with multiple work accounts or devices will need to register separately for each combination.

Verification: Test the passkey by signing out and back in. The user should see a Windows Hello prompt instead of a password field. Check registration status in Identity > Users > [User] > Authentication methods.

06

Create Conditional Access Policies for Phishing-Resistant MFA

Enforce phishing-resistant authentication through Conditional Access policies. This is where you'll require users to use only the strong authentication methods you've configured.

Navigate to Protection > Conditional Access > Policies and click + New policy. Create a policy with these settings:

Policy Name: "Require Phishing-Resistant MFA - Pilot Group"

Assignments:

  • Users: Select your pilot group
  • Cloud apps: All cloud apps
  • Conditions: Configure as needed (e.g., exclude trusted locations)

Access controls:

  • Grant: Grant access
  • Require authentication strength: Select "Phishing-resistant multifactor authentication"

Here's the policy configuration in JSON format for reference:

{
  "displayName": "Require Phishing-Resistant MFA - Pilot Group",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["pilot-group-id"],
      "excludeUsers": ["break-glass-account-id"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"  # Phishing-resistant MFA
    }
  }
}

For administrative users, create a separate, more restrictive policy:

# PowerShell to create admin-specific policy
$adminPolicy = @{
    displayName = "Admin - Require Phishing-Resistant MFA"
    state = "enabled"
    conditions = @{
        users = @{
            includeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
                "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
                "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"   # Privileged Authentication Administrator
            )
            excludeUsers = @("break-glass-account-id")
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator = "AND"
        authenticationStrength = @{
            id = "00000000-0000-0000-0000-000000000004"
        }
    }
}

# Apply the policy
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy
Warning: Always exclude your break-glass accounts from Conditional Access policies to prevent lockout. Test policies in "Report-only" mode first.

Verification: Set the policy to "Report-only" initially and monitor the Sign-ins log for policy evaluation results. Look for successful "Phishing-resistant multifactor authentication" requirements.

07

Test User Registration and Sign-in Experience

Validate the end-to-end user experience by testing registration and authentication flows with your pilot group. This step ensures everything works before broader deployment.

Test Scenario 1: New User with TAP

  1. Create a test user and generate a TAP
  2. Provide the TAP to the user
  3. Have them sign in at myaccount.microsoft.com using the TAP
  4. Guide them through registering their first phishing-resistant method

Test Scenario 2: Existing User Adding Passkey

  1. Have a pilot user sign in with their current method
  2. Navigate to Security info > Add sign-in method
  3. Register a passkey or FIDO2 key
  4. Test signing in with the new method

Monitor the authentication process using PowerShell:

# Check recent sign-ins for your test users
$testUsers = @("testuser1@contoso.com", "testuser2@contoso.com")

foreach ($user in $testUsers) {
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$user'" -Top 10
    
    foreach ($signIn in $signIns) {
        Write-Host "User: $($signIn.UserPrincipalName)"
        Write-Host "Date: $($signIn.CreatedDateTime)"
        Write-Host "Auth Method: $($signIn.AuthenticationMethodsUsed)"
        Write-Host "Status: $($signIn.Status.ErrorCode)"
        Write-Host "---"
    }
}

Test different scenarios:

  • Windows Hello: Face recognition, fingerprint, and PIN
  • FIDO2 keys: USB insertion and touch verification
  • Passkeys: Cross-platform and platform authenticators
  • Conditional Access: Verify policies trigger correctly

Document any issues in a test matrix:

ScenarioExpected ResultActual ResultIssues
TAP RegistrationSuccessful passkey creation✓ SuccessNone
FIDO2 Sign-inPasswordless authentication✓ SuccessNone
CA Policy EnforcementBlocks weak authentication⚠ TestingPolicy delay
Pro tip: Create a feedback form for pilot users to report their experience. Common feedback includes preference for biometric methods over PIN-based authentication.

Verification: Confirm that users can sign in without passwords and that Conditional Access policies properly enforce phishing-resistant methods. Check the sign-in logs show "Authentication method: FIDO2 security key" or "Passkey" instead of password.

08

Monitor and Troubleshoot Authentication Events

Set up comprehensive monitoring to track authentication events, identify issues, and ensure security. Microsoft Entra ID provides detailed logs and reporting capabilities.

Configure authentication method activity monitoring in the Entra admin center:

  1. Navigate to Monitoring > Sign-ins
  2. Apply filters for authentication methods: "FIDO2 security key", "Windows Hello for Business", "Passkey"
  3. Set up alerts for failed authentication attempts

Use PowerShell to create custom monitoring scripts:

# Monitor phishing-resistant authentication usage
$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
$endDate = (Get-Date).ToString("yyyy-MM-dd")

# Get sign-ins using phishing-resistant methods
$phishingResistantSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and createdDateTime le $endDate" | 
    Where-Object { 
        $_.AuthenticationMethodsUsed -match "FIDO2|WindowsHello|Passkey" 
    }

# Generate usage report
$report = $phishingResistantSignIns | Group-Object AuthenticationMethodsUsed | 
    Select-Object Name, Count, @{Name="Percentage"; Expression={[math]::Round(($_.Count / $phishingResistantSignIns.Count) * 100, 2)}}

$report | Format-Table -AutoSize

# Export to CSV for further analysis
$report | Export-Csv "PhishingResistantAuthReport.csv" -NoTypeInformation

Set up Microsoft Entra ID Protection for advanced threat detection:

  1. Navigate to Protection > Identity Protection
  2. Enable risk policies for user and sign-in risks
  3. Configure automated responses to high-risk events

Create a SIEM integration for centralized monitoring:

# Export authentication logs to SIEM
$logAnalyticsWorkspace = "your-workspace-id"
$sharedKey = "your-shared-key"

# Function to send logs to Azure Monitor
function Send-LogAnalyticsData {
    param(
        [string]$WorkspaceId,
        [string]$SharedKey,
        [object]$Body,
        [string]$LogType
    )
    
    # Implementation for sending logs to Azure Monitor
    # This would include proper authentication and data formatting
}

# Send authentication events
$authEvents = Get-MgAuditLogSignIn -Top 1000 | 
    Where-Object { $_.CreatedDateTime -gt (Get-Date).AddHours(-1) }

Send-LogAnalyticsData -WorkspaceId $logAnalyticsWorkspace -SharedKey $sharedKey -Body $authEvents -LogType "EntraAuthEvents"

Common troubleshooting scenarios:

  • FIDO2 key not recognized: Check browser compatibility and key firmware
  • Windows Hello enrollment fails: Verify TPM 2.0 and biometric hardware
  • Passkey registration blocked: Check Conditional Access policies and browser settings
  • Cross-device sync issues: Remember that Entra passkeys are device-bound (no sync)
Warning: Monitor for users falling back to legacy authentication methods. This could indicate configuration issues or user training needs.

Verification: Run the monitoring script daily and confirm you're seeing consistent usage of phishing-resistant methods. Set up alerts for any authentication failures or policy violations.

09

Scale Deployment Organization-Wide

After successful pilot testing, expand phishing-resistant authentication to your entire organization. This requires careful planning and phased rollout to minimize disruption.

Phase 1: Expand to Department Groups

Update your Conditional Access policies to include larger user groups:

# Update existing policy to include more users
$policyId = "your-pilot-policy-id"
$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId

# Add additional groups
$updatedConditions = $policy.Conditions
$updatedConditions.Users.IncludeGroups += @(
    "department-it-group-id",
    "department-finance-group-id",
    "department-hr-group-id"
)

# Update the policy
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -Conditions $updatedConditions

Phase 2: Bulk User Provisioning

Automate the provisioning process for large numbers of users:

# Bulk TAP creation for new user onboarding
$newUsers = Import-Csv "new_users.csv"  # UserPrincipalName, Department, Manager

foreach ($user in $newUsers) {
    try {
        # Create user account
        $userParams = @{
            displayName = $user.DisplayName
            userPrincipalName = $user.UserPrincipalName
            mailNickname = $user.UserPrincipalName.Split('@')[0]
            accountEnabled = $true
            passwordProfile = @{
                forceChangePasswordNextSignIn = $false
                password = "TempPass123!"  # Will be replaced by TAP
            }
        }
        
        $newUser = New-MgUser -BodyParameter $userParams
        
        # Create TAP for passwordless onboarding
        $tapParams = @{
            startDateTime = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
            lifetimeInMinutes = 1440  # 24 hours
            isUsableOnce = $true
        }
        
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUser.Id -BodyParameter $tapParams
        
        # Send TAP to user via secure channel (email, SMS, etc.)
        Send-WelcomeEmail -UserEmail $user.UserPrincipalName -TAP $tap.TemporaryAccessPass
        
        Write-Host "✓ Created user and TAP for $($user.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        Write-Warning "Failed to create user $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}

Phase 3: Legacy Authentication Cleanup

Gradually disable legacy authentication protocols:

  1. Navigate to Protection > Conditional Access > Policies
  2. Create a new policy: "Block Legacy Authentication"
  3. Target all users except service accounts
  4. Block access for legacy authentication clients
{
  "displayName": "Block Legacy Authentication",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["service-account-1", "service-account-2"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": [
      "exchangeActiveSync",
      "other"
    ]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}

Phase 4: Communication and Training

Develop user communication materials:

  • Email templates explaining the new authentication methods
  • Video tutorials for registering passkeys and FIDO2 keys
  • IT helpdesk scripts for common issues
  • Manager talking points for team meetings
Pro tip: Create a dedicated SharePoint site or Teams channel for passwordless authentication resources. Include FAQs, video guides, and a feedback form.

Verification: Monitor adoption rates using the authentication methods report in Entra admin center. Aim for 90%+ adoption of phishing-resistant methods within 90 days. Track helpdesk tickets to identify training gaps.

Frequently Asked Questions

What licenses are required for phishing-resistant passwordless authentication in Microsoft Entra ID?+
Basic registration and sign-in with phishing-resistant methods requires no additional licensing beyond your Microsoft Entra ID tenant. However, Microsoft Entra ID P1 is strongly recommended for Conditional Access enforcement, authentication method reports, and comprehensive deployment capabilities. P1 also enables Identity Protection features that enhance security monitoring and automated threat response.
Can users sync passkeys across devices in Microsoft Entra ID?+
As of April 2026, Microsoft Entra passkeys on Windows are device-bound and cannot sync across devices. Each user must register a separate passkey for each device and account combination. This design enhances security by preventing credential theft, but requires users to register on each device they use. Microsoft has indicated that synced passkeys are planned for future releases.
How do I handle new user onboarding without passwords?+
Use Temporary Access Pass (TAP) or Microsoft Entra Verified ID for truly passwordless onboarding. Create a TAP through the admin center or Microsoft Graph API, provide it to the new user, and they can use it to sign in and register their first phishing-resistant credential. TAP can be configured for one-time use with customizable lifetime from 60 minutes to 24 hours.
What happens if a user loses their FIDO2 security key or device with passkeys?+
Administrators can remove lost authentication methods from the user's profile in Microsoft Entra admin center under Identity > Users > [User] > Authentication methods. Provide the user with a new TAP to register a replacement method. For high-security environments, consider requiring users to register multiple authentication methods as backup options, such as both a FIDO2 key and Windows Hello.
Are there any browser compatibility issues with phishing-resistant authentication?+
Modern browsers including Chrome 67+, Firefox 60+, Edge 18+, and Safari 14+ support FIDO2 and passkeys. The new Microsoft Entra passkey on Windows works with any browser that supports the WebAuthn standard. Some older browsers or specific enterprise configurations may require updates. Test thoroughly with your organization's approved browser versions before full deployment.
Tags
#entra-id#passwordless#phishing-resistant

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID
tutorial
Cybersecurity

How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID

Deep Dive
How to Configure Maintenance Windows in Microsoft Intune for Update Control
tutorial
Cloud Computing

How to Configure Maintenance Windows in Microsoft Intune for Update Control

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account