Quick start

Admin portal quick start

Use the Passkey Migration Helper admin portal to track enforcement progress and tune the helper experience for your tenant.

Before you begin

  • Have an account with Global Reader access for the tenant.
  • Grant admin consent for the Passkey Migration Helper admin portal app during sign-up.
  • Know which Entra ID groups map to your Conditional Access policies.
  • Decide your preferred passkey type and whether to capture incompatible phones.

The admin portal uses the targeted rollout group to measure adoption and the enforcement group to track who is required to use passkeys.

Quick start (5 minutes)

  1. Open the admin portal and sign in with your Global Reader account.
  2. Use Switch Tenant if you manage more than one tenant.
  3. Go to Configuration and confirm the required Group IDs.
  4. Enable optional groups and user help settings for support flows.
  5. Set the experience defaults and completion behavior.
  6. Click Save, then review Enforcement overview for rollout progress.

Admin portal tabs

Enforcement overview

Charts and tables for targeted vs enforced users, recent group activity, and quick links to your group settings.

User Chasing

Highlights action-required users and those ready for enforcement, based on recent sign-in data.

Big Table

Detailed per-user readiness and device coverage. Uses Log Analytics when available.

Licensing

Snapshot of unique users who have signed into the helper experience.

Configuration

Manage group IDs, default experience settings, and messaging overrides.

Configuration items

All configuration lives under the Configuration tab and is saved per tenant.

Group IDs

  • Enforcement group ID (Required) - Group used by Conditional Access to enforce passkeys.
  • Targeted rollout group ID (Required) - Group tracked in the admin portal.
  • Device issue group ID - Users reporting incompatible devices.
  • Escalation group ID - Users who click the "Having issues" flow.
  • Exclude local device check group ID - Skip local device passkey checks for specific users.
  • Targeted exclusion group IDs - Comma-separated list of groups to exclude from tracking.

Experience defaults

  • Default passkey preference - Authenticator, security key, or synced passkey guidance.
  • Recent sign-in activity checks - Enable lookback-based warnings.
  • Auto-finish after inactivity - Show inactivity reminder and auto-finish timer.
  • Device issue reporting - Toggle the incompatible phone flow when configured.

User help customisations

  • Escalation email address - Mailto link for support escalation.
  • Help desk ticket URL - Link to your IT ticket system.
  • Overview video URL - Optional intro video (defaults provided).
  • Windows Hello help link - Override the Windows Hello guidance link.

Completion and next steps

  • Completion redirect URL - Where users go after finishing.
  • Completion message - Text shown on the finish screen.

Messaging overrides (beta)

  • Mobile double-check message
  • Windows double-check message
  • macOS double-check message
  • Desktop double-check message
  • Missing Windows device message
  • Missing macOS device message

Leave fields blank to keep the default messaging.

Optional data sources

If the Big Table shows a Log Analytics warning, ask support to add your workspace ID to the tenant configuration.