Plan and enforce Entra ID passkeys with ease
The Passkey Deployment Helper simplifies your IT department's rollout plan to enforce passkeys.
What are Passkeys?
Passkeys are the next generation of authentication. They replace push MFA, 2FA codes, SMS and passwords with a faster, easier, and more secure alternative. They follow FIDO2 standards, and are a form of 'phish-resistant MFA', protecting against modern attacks where traditional MFA falls short.
Registering a passkey doesn’t make an account phishing-resistant!
Registering a passkey in Entra ID doesn’t automatically secure the account — it only adds a new sign-in option. The account can still be accessed with weaker methods unless those are disabled.
Attacker-in-the-Middle (AitM) downgrade attacks are the next big phishing threat. Sitting between the user and Microsoft, an attacker can ask Microsoft to use an insecure MFA method (e.g. SMS or number matching).
Identities need to be in scope of a Conditional Access Policy to enforce the use of passkeys and prevent AitM-based phishing attacks. Applying the policy to an identity is likely to log out the user and may prevent them from signing in if they have not registered and tested passkeys correctly.
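The gap between registering and enforcing, as an added example that is not part of the Passkey Deployment Helper: a Python classifier that sorts constructed user records into rollout states. The method strings are Microsoft Graph `@odata.type` values; the `in_ca_scope` and `passkey_tested` fields, the state names and the users are assumptions made for illustration.

```python
# Added example, not the product's code. Method strings are Microsoft Graph
# @odata.type values; field names, state names and users are constructed.
PASSKEY = "#microsoft.graph.fido2AuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"


def classify(user):
    """Return (state, fallback_methods) for one user record."""
    methods = set(user["methods"])
    has_passkey = PASSKEY in methods
    if user["in_ca_scope"]:
        # Assumed policy: sign-in requires a passkey, so no weaker method
        # is accepted. A user without a working passkey cannot sign in.
        return ("enforced" if has_passkey else "locked_out"), []
    # Out of scope: every other registered method is still accepted, so an
    # AitM proxy can steer the sign-in to one of them.
    fallbacks = sorted(methods - {PASSKEY})
    if not has_passkey:
        return "not_started", fallbacks
    state = "ready_to_enforce" if user["passkey_tested"] else "needs_test"
    return state, fallbacks


def rollout_report(users):
    """Group users by state, keeping the methods still open to downgrade."""
    report = {}
    for user in users:
        state, fallbacks = classify(user)
        report.setdefault(state, []).append((user["upn"], fallbacks))
    return report


SAMPLE_USERS = [  # constructed records
    {"upn": "ana@example.com", "in_ca_scope": True, "passkey_tested": True,
     "methods": [PASSWORD, PASSKEY, AUTHENTICATOR]},
    {"upn": "ben@example.com", "in_ca_scope": False, "passkey_tested": True,
     "methods": [PASSWORD, PASSKEY, PHONE]},
    {"upn": "cy@example.com", "in_ca_scope": False, "passkey_tested": False,
     "methods": [PASSWORD, PASSKEY]},
    {"upn": "dee@example.com", "in_ca_scope": True, "passkey_tested": False,
     "methods": [PASSWORD, PHONE]},
]

if __name__ == "__main__":
    for state, entries in rollout_report(SAMPLE_USERS).items():
        print(state, entries)
```

The `ready_to_enforce` and `needs_test` users both hold a passkey yet still list fallback methods, which is the exposure that only policy scope removes.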
This raises the question: How and when do you enforce passkeys on your users? Do you enforce team by team or region by region? What if the user is in the middle of a Teams meeting and they will be signed out?
Self-service with the passkey deployment helper is the answer!
A one-stop app to guide users through the entire process, from registering to enforcing. It even helps IT teams monitor and plan the deployment. User features include:
- ✓ Check if the user is ready: Which methods are registered to the user, with guidance against particular methods.
- ✓ Record MS Authenticator phone incompatibility: With (optional) automated exclusion from the CA policy.
- ✓ Test passkey sign-in: Without enforcement, lets the user validate that their device/passkey combination works.
- ✓ Flag issues for IT support: Follow up with user, and configure (optional) automated pausing of enforcement.
- ✓ Custom organisation specific URLs: For guidance docs and raising support requests.
- ✓ Single-sign-on (SSO): As standard, as it should be.
Simple for End-Users
The user-facing application provides a clear, customisable, step-by-step process. It checks their current setup, guides them if needed, and lets them enforce passkeys with a single click when they are ready.
Powerful for Administrators
The admin portal gives you a complete overview of the rollout progress. Track adoption rates, see which users have completed the process, and identify users who may need assistance.
Ready to try?
We're in public preview while we finalise pricing, so now is the perfect time to evaluate the Passkey Deployment Helper. Get in touch and we'll provision a free trial instance for your tenant.
Want a quick look first? The demo tenant offers a cut-down experience of the full app.