πŸ“‹ Microsoft Entra Documentation Changes

Daily summary for changes since July 5th 2026, 11:17 PM PDT

Report generated on July 6th 2026, 11:17 PM PDT

πŸ“Š Summary

27
Total Commits
5
New Files
14
Modified Files
2
Deleted Files
8
Contributors

πŸ†• New Documentation Files

+729 lines added
Commit: Migration Hub: Amazon Cognito migration to Entra ID external (#13677)
+97 lines added
Commit: Split passkey docs (1/5): synced passkey register/sign-in + remove mobile article (#13773)
+58 lines added
Commit: Split passkey docs (4/5): FIDO2 security key (enable/register/sign-in) (#13776)
+54 lines added
Commit: Split passkey docs (3/5): Microsoft Entra passkey on Windows (enable/register/sign-in) (#13775)
+35 lines added
Commit: Split passkey docs (3/5): Microsoft Entra passkey on Windows (enable/register/sign-in) (#13775)

πŸ“ Modified Documentation Files

+148 / -56 lines changed
Commit: Split passkey docs (2/5): Passkey in Microsoft Authenticator (enable/register/sign-in) (#13774)
Changes:
Before
After
---
title: Enable passkeys in Authenticator for Microsoft Entra ID
description: Learn about how to enable passkeys in Microsoft Authenticator for Microsoft Entra ID.
ms.topic: how-to
ms.date: 06/05/2026
ms.reviewer: mjsantani
ms.custom: sfi-ga-nochange, sfi-image-nochange
# Customer intent: As a Microsoft Entra administrator, I want to learn how to enable and enforce passkeys in Microsoft Authenticator sign-in for users.
---
# Enable passkeys in Authenticator
 
This article lists steps to enable and enforce use of passkeys in Authenticator for Microsoft Entra ID. First, you update the Authentication methods policy to allow users to register and sign in with passkeys in Authenticator. Then you can use Conditional Access authentication strengths policies to enforce passkey sign-in when users access a sensitive resource.
 
## Requirements
 
- [Microsoft Entra multifactor authentication (MFA)](howto-mfa-getstarted.md).
- Android 14 and later or iOS 17 and later.
- For cross-device registration and authentication:
- Make sure that Bluetooth and an active internet connection are enabled on both devices.
> [!NOTE]
---
title: Enable and support passkeys in Authenticator for Microsoft Entra ID
description: Learn about Authenticator-specific requirements, configuration, and troubleshooting for passkeys in Microsoft Authenticator for Microsoft Entra ID.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: mjsantani, calui, tilarso
ms.collection: M365-identity-device-management
ms.custom: sfi-ga-nochange, sfi-image-nochange, msecd-doc-authoring-1013
ai-usage: ai-assisted
# Customer intent: As a Microsoft Entra administrator, I want to learn about Authenticator-specific requirements for passkeys so I can enable and support them for my users.
---
# Enable passkeys in Authenticator
 
This article covers Authenticator-specific requirements and configuration for passkeys in Microsoft Authenticator for Microsoft Entra ID.
 
Before you follow the steps in this article, enable passkeys and create a passkey profile. For steps, see [Enable passkeys (FIDO2) in Microsoft Entra ID](how-to-authentication-passkeys-fido2.md).
 
## Prerequisites for passkeys in Authenticator
 
- An account with at least [Authentication Policy Administrator](/entra/identity/role-based-access-control/permissions-reference#authentication-policy-administrator) permissions to configure authentication methods.
+121 / -71 lines changed
Commit: Split passkey docs (2/5): Passkey in Microsoft Authenticator (enable/register/sign-in) (#13774)
Changes:
Before
After
---
title: Register passkeys in Authenticator on Android and iOS devices
description: Registration and management of passkeys with Microsoft Authenticator on Android and iOS devices.
ms.topic: how-to
ms.date: 06/05/2026
ms.reviewer: hanki77, tilarso
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange
# Customer intent: As an identity administrator, I want to understand how users can register passkeys in Microsoft Authenticator.
---
# Register passkeys in Authenticator on Android or iOS devices
 
This article shows how to register a passkey by using Authenticator on your iOS or Android device by directly signing in to the Authenticator app or by using [Security info](https://aka.ms/mysecurityinfo). For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native apps, web browsers, and operating systems, see [Support for FIDO2 authentication with Microsoft Entra ID](concept-fido2-compatibility.md).
 
*The easiest and fastest way to add a passkey is to add it directly in the Authenticator app.*
 
Alternatively, you can add a passkey from your mobile device browser or through cross-device registration by using another device, such as a laptop. Your mobile device needs to run iOS version 17 or Android version 14, or later.
 
| Scenario | iOS | Android |
|------------------|---------------------------------|----------------|
---
title: Register passkeys in Authenticator on Android and iOS devices
description: Learn how to register passkeys in Microsoft Authenticator on Android and iOS. Sign in to the app, use Security info, or register cross-device.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: hanki77, tilarso
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange, msecd-doc-authoring-1013
ai-usage: ai-assisted
# Customer intent: As an identity administrator, I want to understand how users can register passkeys in Microsoft Authenticator.
---
# Register passkeys in Authenticator on Android and iOS devices
 
This article shows how to register a passkey in Microsoft Authenticator on your iOS or Android device.
 
## [**iOS**](#tab/iOS)
 
You can register by signing in to the Authenticator app directly, by using [Security info](https://aka.ms/mysecurityinfo), or from your mobile device browser or through cross-device registration by using another device, such as a laptop. Your mobile device needs to run iOS version 17 or later.
 
- [Use Authenticator (iOS)](#use-authenticator-ios)
+99 / -72 lines changed
Commit: Revise AD group enforcement documentation (#13637)
Changes:
Before
After
ms.subservice: hybrid-cloud-sync
ms.topic: how-to
ms.custom: msecd-doc-authoring-1013
ms.date: 06/09/2026
ai-usage: ai-assisted
 
#customer intent: As a hybrid identity administrator, I want to restrict modifications of synced Active Directory groups to the Microsoft Entra Cloud Sync provisioning service so that on-premises changes can't bypass Microsoft Entra governance.
 
# Configure AD group enforcement in Microsoft Entra Cloud Sync (preview)
 
Microsoft Entra Cloud Sync can provision cloud groups to on-premises Active Directory (AD). AD group enforcement lets you designate specific synced groups so that modifications can only be performed through the Microsoft Entra provisioning service. This alignment between Microsoft Entra ID and AD groups removes the need for a separate reconciliation process and helps ensure that all access is granted through Microsoft Entra.
 
> [!IMPORTANT]
> AD group enforcement is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
## Prerequisites
 
| Prerequisite | Details |
|---|---|
| Domain controller operating system | Windows Server 2022 or Windows Server 2025. |
ms.subservice: hybrid-cloud-sync
ms.topic: how-to
ms.custom: msecd-doc-authoring-1013
ms.date: 07/06/2026
ai-usage: ai-assisted
 
#customer intent: As a hybrid identity administrator, I want to restrict modifications of synced Active Directory groups to the Microsoft Entra Cloud Sync provisioning service so that on-premises changes can't bypass Microsoft Entra governance.
 
# Configure AD group enforcement in Microsoft Entra Cloud Sync (preview)
 
Microsoft Entra Cloud Sync can provision cloud groups to on-premises Active Directory (AD). AD group enforcement lets you designate specific synced groups so that modifications can only be performed through the Microsoft Entra provisioning service. This alignment between Microsoft Entra ID and AD groups reduces the need for a separate reconciliation process and helps ensure that all access is granted through Microsoft Entra.
 
> [!IMPORTANT]
> AD group enforcement is currently in **PREVIEW**. The preview spans two parts that you configure together: the **Active Directory enforcement engine** on your domain controllers (the code ships in a cumulative Windows Server update but is disabled by default and turned on by a Group Policy package during the preview) and the **Microsoft Entra Cloud Sync** configuration that marks groups for enforcement. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
## How AD group enforcement works
 
Enforcement is evaluated by Active Directory **at the point of an LDAP write, on whichever domain controller processes that write**. When a change targets a group that's marked for enforcement, the domain controller checks whether the calling identity is authorized by the policy. If it isn't, the change is blocked (Enforced mode) or logged (Audit mode) before any *drift* (a divergence between the group's state in Microsoft Entra and its state in AD) can occur.
 
Two pieces work together:
+107 / -36 lines changed
Commit: Split passkey docs (4/5): FIDO2 security key (enable/register/sign-in) (#13776)
Changes:
Before
After
---
title: FIDO2 security key sign-in to Windows
description: Learn how to enable passwordless security key sign-in to Windows with Microsoft Entra ID using FIDO2 security keys.
ms.topic: how-to
ms.date: 03/04/2025
ms.reviewer: librown, aakapo
---
# Enable FIDO2 security key sign-in to Windows 10 and 11 devices with Microsoft Entra ID
 
This document focuses on enabling FIDO2 security key based passwordless authentication with Windows 10 and 11 devices. After completing the steps in this article, you're able to sign in to both your Microsoft Entra ID and Microsoft Entra hybrid joined Windows devices with your Microsoft Entra account using a FIDO2 security key.
 
## Requirements
 
| Device Type | Microsoft Entra joined | Microsoft Entra hybrid joined |
| --- | --- | --- |
| [Microsoft Entra multifactor authentication](howto-mfa-getstarted.md) | X | X |
| [Combined security information registration](concept-registration-mfa-sspr-combined.md) | X | X |
| Compatible [FIDO2 security keys](concept-authentication-passkeys-fido2.md) | X | X |
| WebAuthN requires Windows 10 version 1903 or higher | X | X |
| [Microsoft Entra joined devices](~/identity/devices/concept-directory-join.md) require Windows 10 version 1909 or higher | X | |
---
title: FIDO2 security key sign-in to Windows
description: Learn how to enable passwordless security key sign-in to Windows with Microsoft Entra ID using FIDO2 security keys.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: librown, aakapo
ms.custom: msecd-doc-authoring-1013
ai-usage: ai-assisted
---
# Enable FIDO2 security key sign-in to Windows 10 and 11 devices with Microsoft Entra ID
 
This article focuses on enabling FIDO2 security key-based passwordless authentication with Windows 10 and 11 devices. After completing the steps in this article, you can sign in to both your Microsoft Entra ID and Microsoft Entra hybrid joined Windows devices with your Microsoft Entra account using a FIDO2 security key.
 
## Prerequisites for FIDO2 security keys
 
- An account with at least [Authentication Policy Administrator](/entra/identity/role-based-access-control/permissions-reference#authentication-policy-administrator) permissions to configure authentication methods.
- You need to [enable passkey sign-in](how-to-authentication-passkeys-fido2.md#enable-passkey-profiles) in the **Passkey (FIDO2)** policy in **Authentication methods** in the Microsoft Entra admin center.
- Devices need to meet the following requirements:
 
| Device Type | Microsoft Entra joined | Microsoft Entra hybrid joined |
+72 / -61 lines changed
Commit: Split passkey docs (3/5): Microsoft Entra passkey on Windows (enable/register/sign-in) (#13775)
Changes:
Before
After
---
title: Enable Microsoft Entra passkey on Windows devices
description: Learn how to enable Microsoft Entra passkey on Windows devices for phishing-resistant multifactor authentication with work or school accounts.
#customer intent: As an administrator, I want to enable Microsoft Entra passkeys so users with work and school accounts can sign in by using phishing-resistant multifactor authentication.
ms.reviewer: kimhana
ms.date: 02/18/2026
ms.topic: how-to
ms.service: entra-id
ms.subservice: authentication
ms.collection: msec-ai-copilot
ms.custom: msecd-doc-authoring-106
ai-usage: ai-assisted
---
 
# Enable Microsoft Entra passkey on Windows
 
This article describes Microsoft Entra passkey on Windows. It covers how they work, how they differ from Windows Hello for Business, and how to configure passkey profiles to allow Windows Hello as a passkey provider.
 
## Overview
 
---
title: Enable Microsoft Entra passkey on Windows (preview)
description: Learn how Microsoft Entra passkey on Windows enables phishing-resistant authentication with work or school accounts by using Windows Hello as a FIDO2 passkey provider.
#customer intent: As an administrator, I want to understand Microsoft Entra passkeys on Windows so users with work and school accounts can sign in by using phishing-resistant multifactor authentication.
author: hanki71
ms.author: justinha
ms.date: 07/05/2026
ms.topic: how-to
ms.service: entra-id
ms.subservice: authentication
ms.collection: msec-ai-copilot
ms.custom: msecd-doc-authoring-1013
ai-usage: ai-assisted
---
 
# Enable Microsoft Entra passkey on Windows (preview)
 
This article describes Microsoft Entra passkey on Windows, how it works, and how it differs from Windows Hello for Business.
 
To configure passkey profiles that allow Windows Hello as a FIDO2 passkey provider, see [Configure a profile for Microsoft Entra passkey on Windows](#configure-a-profile-for-microsoft-entra-passkey-on-windows).
+55 / -41 lines changed
Commit: Split passkey docs (1/5): synced passkey register/sign-in + remove mobile article (#13773)
Changes:
Before
After
---
title: Sign in with a passkey (FIDO2) for your work or school account
description: Learn how to sign in with a passkey (FIDO2) for your work or school account.
 
services: active-directory
ms.topic: how-to
ms.date: 11/10/2025
ms.reviewer: kimhana
ms.collection: M365-identity-device-management
# Customer intent: As an identity administrator, I want to understand how users will sign in with a security key.
 
---
# Sign in with a passkey (FIDO2) for your work or school account
 
This article covers different ways that users can sign in to Microsoft Entra ID with a passkey.
 
- [Sign in with a passkey (FIDO2) saved on the same device](#sign-in-with-a-passkey-fido2-saved-on-the-same-device)
- [Sign in with a passkey (FIDO2) saved on another device](#sign-in-with-a-passkey-fido2-saved-on-another-device)
- [Sign in with a passkey (FIDO2) saved on a security key](#sign-in-with-a-passkey-fido2-saved-on-a-security-key)
 
---
title: Sign in with a synced passkey (FIDO2)
description: Learn how to sign in to Microsoft Entra ID with a synced passkey (FIDO2) for your work or school account by using a browser on Windows, iOS, or Android.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: kimhana
ms.collection: M365-identity-device-management
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
# Customer intent: As an identity administrator, I want to understand how users will sign in with a passkey.
 
---
# Sign in with a synced passkey (FIDO2)
 
This article describes how to sign in to your work or school account with a synced passkey.
 
Your passkey can be synced to the same device where you want to sign in, or it can be synced to another device.
 
- [Use a passkey from the same device](#use-a-passkey-from-the-same-device)
- [Use a passkey from another device](#use-a-passkey-from-another-device)
+56 / -32 lines changed
Commit: Split passkey docs (1/5): synced passkey register/sign-in + remove mobile article (#13773)
Changes:
Before
After
---
title: Register a Passkey (FIDO2)
description: Registration and management of a passkey (FIDO2).
 
services: active-directory
ms.topic: how-to
ms.date: 11/10/2025
ms.reviewer: kimhana
ms.collection: M365-identity-device-management
# Customer intent: As an identity administrator, I want to understand how users will register a passkey using a browser or with a security key.
 
---
# Register a passkey (FIDO2)
 
This article shows how users can register a passkey (FIDO2) by using the **Passkey** flow. For registration on a mobile device, see [Register a passkey using a mobile device](how-to-register-passkey-mobile.md).
 
>[!NOTE]
>Looking to provide passkeys (FIDO2) on behalf of users? Use our [APIs](https://aka.ms/passkeyprovision).
 
For more information about enabling passkeys in Microsoft Authenticator, see [How to enable passkeys in Microsoft Authenticator](how-to-enable-authenticator-passkey.md).
---
title: Register a synced passkey (FIDO2)
description: Learn how to register a synced passkey (FIDO2) as an authentication method on Windows, iOS, or Android by using a browser for phishing-resistant sign-in.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: kimhana, calui, tilarso
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange, msecd-doc-authoring-1013
ai-usage: ai-assisted
# Customer intent: As an identity administrator, I want to understand how users will register a passkey using a browser on Windows, iOS, or Android.
 
---
# Register a synced passkey (FIDO2)
 
This article shows how users can register a synced passkey (FIDO2) by using the **Passkey** flow. A synced passkey is stored in a passkey provider (such as iCloud Keychain or Google Password Manager) and syncs across the user's devices. For an overview of synced passkeys, see [Synced passkeys in Microsoft Entra ID](how-to-synced-passkeys.md).
 
> [!NOTE]
> Looking to provide passkeys (FIDO2) on behalf of users? Use our [APIs](https://aka.ms/passkeyprovision).
 
## Prerequisites
+29 / -41 lines changed
Commit: Split passkey docs (4/5): FIDO2 security key (enable/register/sign-in) (#13776)
Changes:
Before
After
---
title: Register a passkey (FIDO2) with a FIDO2 security key
description: User registration of a passkey (FIDO2) with a FIDO2 security key.
 
services: active-directory
ms.topic: how-to
ms.date: 10/28/2025
ms.reviewer: kimhana
ms.collection: M365-identity-device-management
# Customer intent: As an identity administrator, I want to understand...
 
---
# Register a passkey (FIDO2) with a FIDO2 security key
 
This article shows how to register a passkey as an authentication method by using a FIDO2 security key.
 
## First-time registration
 
1. First-time users need to register a passkey (FIDO2) as an authentication method by navigating and completing the process from a browser at [Security info](https://mysignins.microsoft.com/security-info).
1. TapΒ **Add sign-in method**Β >Β **Choose a method**Β >Β **Passkey** >Β **Add**.
---
title: Register a passkey with a FIDO2 security key
description: Learn how to register a passkey with a FIDO2 security key in Microsoft Entra ID. Use Security info or a prompted sign-in flow.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: kimhana
ms.collection: M365-identity-device-management
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
# Customer intent: As an identity administrator, I want to understand how users register a passkey with a FIDO2 security key.
 
---
# Register a passkey with a FIDO2 security key
 
FIDO2 security keys are device-bound passkeys stored on a physical authenticator. The private key never leaves the security key, which provides strong protection against remote phishing attacks. Security keys are recommended for highly regulated industries or users with elevated privileges.
 
This article shows how to register a passkey as an authentication method by using a FIDO2 security key. After registration, you can [sign in with the security key](how-to-security-key-sign-in.md).
 
## First-time registration
 
+22 / -23 lines changed
Commit: Split passkey docs (2/5): Passkey in Microsoft Authenticator (enable/register/sign-in) (#13774)
Changes:
Before
After
---
title: Sign in with passkeys in Authenticator for Android and iOS devices
description: Learn how to sign in with passkeys for Android and iOS devices with Microsoft Authenticator.
 
services: active-directory
ms.topic: how-to
ms.date: 10/14/2025
ms.reviewer: mjsantani, calui
ms.collection: M365-identity-device-management
---
 
# Sign in with passkeys in Authenticator for Android and iOS devices
 
This article explains the sign-in experience when you use passkeys in Authenticator with Microsoft Entra ID. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native applications, web browsers, and operating systems, see [Support for FIDO2 authentication with Microsoft Entra ID](concept-fido2-compatibility.md).
 
| Scenario | iOS | Android |
|------------------|---------------------------------|----------------|
| Same-device authentication in a browser | &#x2705; | &#x2705;<sup>1</sup> |
| Same-device authentication in native Microsoft applications | &#x2705; | &#x2705; |
| Cross-device authentication | &#x2705; | &#x2705; |
---
title: Sign in with passkeys in Authenticator for Android and iOS devices
description: Learn how to sign in with passkeys in Microsoft Authenticator for Android and iOS. Use same-device, cross-device, or native app authentication.
ms.topic: how-to
ms.date: 07/05/2026
ms.reviewer: mjsantani, calui
ms.collection: M365-identity-device-management
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
# Customer intent: As a user, I want to sign in with a passkey in Microsoft Authenticator so that I can authenticate securely without a password.
---
 
# Sign in with passkeys in Authenticator for Android and iOS devices
 
This article explains the sign-in experience when you use passkeys in Authenticator with Microsoft Entra ID. For more information about the availability of Microsoft Entra ID passkey (FIDO2) authentication across native applications, web browsers, and operating systems, see [Support for FIDO2 authentication with Microsoft Entra ID](concept-fido2-compatibility.md).
 
## [**iOS**](#tab/iOS)
 
To sign in with a passkey in Authenticator, your iOS device needs to run iOS 17 or later.
 
Modified by ArvindHarinder1 on Jul 6, 2026 5:23 PM
πŸ“– View on learn.microsoft.com
+5 / -2 lines changed
Commit: Update docs/identity/saas-apps/snowflake-provisioning-tutorial.md
Changes:
Before
After
 
With Privileged Identity Management (PIM) for Groups, you can provide just-in-time access to groups in Snowflake and reduce the number of users who have permanent access to privileged groups in Snowflake.
 
**Configure your enterprise application for SSO and provisioning**
1. Add Snowflake to your tenant, configure it for provisioning as described in the article above, and start provisioning.
1. Configure [single sign-on](snowflake-tutorial.md) for Snowflake.
1. Create a [group](/entra/fundamentals/how-to-manage-groups) that provides all users access to the application.
1. Assign the group to the Snowflake application.
 
 
 
 
With Privileged Identity Management (PIM) for Groups, you can provide just-in-time access to groups in Snowflake and reduce the number of users who have permanent access to privileged groups in Snowflake.
 
**Configure your enterprise application for single sign-on (SSO) and provisioning**
 
To set up persistent, non-admin access in Snowflake, complete these steps:
 
1. Add Snowflake to your tenant, configure it for provisioning as described in the previous steps of this tutorial, and start provisioning.
1. Configure [single sign-on](snowflake-tutorial.md) for Snowflake.
1. Create a [group](/entra/fundamentals/how-to-manage-groups) that provides all users access to the application.
1. Assign the group to the Snowflake application.
Modified by learn-build-service-prod[bot] on Jul 6, 2026 4:23 PM
πŸ“– View on learn.microsoft.com
+2 / -2 lines changed
Commit: Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/entra-docs (branch main) (#13778)
Changes:
Before
After
description: Learn about mandatory multifactor authentication (MFA) enforcement for Azure, Microsoft 365, and other admin portals, and how to prepare your tenant.
ms.topic: concept-article
ms.date: 04/03/2026
ms.reviewer: shahjoy
ms.custom: sfi-ga-nochange, msecd-doc-authoring-106
# Customer intent: As an identity administrator, I want to plan for mandatory MFA for users who sign in to Azure portal so that my organization is prepared before enforcement begins.
---
 
Conditional Access requires a Microsoft Entra ID P1 or P2 license. If you can't use Conditional Access, enable [security defaults](~/fundamentals/security-defaults.md).
 
You can self-enforce MFA by using built-in definitions in Azure Policy. To learn more and follow a step-by-step overview to apply these policy assignments in your environment, see [Tutorial: Apply MFA self-enforcement through Azure Policy](/azure/governance/policy/tutorials/mfa-enforcement).
 
For the best compatibility experience, ensure users in your tenant are using Azure CLI version 2.76 and Azure PowerShell version 14.3 or later. Otherwise, you can expect to see error messages as explained in these topics:
 
description: Learn about mandatory multifactor authentication (MFA) enforcement for Azure, Microsoft 365, and other admin portals, and how to prepare your tenant.
ms.topic: concept-article
ms.date: 04/03/2026
ms.reviewer: shahjoy, nehakulkarni
ms.custom: sfi-ga-nochange, msecd-doc-authoring-106
# Customer intent: As an identity administrator, I want to plan for mandatory MFA for users who sign in to Azure portal so that my organization is prepared before enforcement begins.
---
 
Conditional Access requires a Microsoft Entra ID P1 or P2 license. If you can't use Conditional Access, enable [security defaults](~/fundamentals/security-defaults.md).
 
You can self-enforce MFA by using built-in definitions in Azure Policy. To learn more and follow a step-by-step overview to apply these policy assignments in your environment, see [Tutorial: Apply MFA self-enforcement through Azure Policy](/azure/governance/policy/tutorials/mfa-enforcement). Azure Policy supports both the `Audit` effect (which reports noncompliance in policy compliance results) and the `Deny` effect, which blocks noncompliant requests.
 
For the best compatibility experience, ensure users in your tenant are using Azure CLI version 2.76 and Azure PowerShell version 14.3 or later. Otherwise, you can expect to see error messages as explained in these topics:
 
+1 / -1 lines changed
Commit: Split passkey docs (1/5): synced passkey register/sign-in + remove mobile article (#13773)
Changes:
Before
After
* [Federated MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa)
* [External Auth Methods](../authentication/how-to-authentication-external-method-manage.md)
* [Microsoft Intune Company Portal app version 5.2408.0](/mem/intune/apps/apps-company-portal-macos) or later installed. This version is required before users are targeted for PSSO.
* (Highly recommended) Users are advised to [register a passkey on their mobile devices.](../authentication/how-to-register-passkey-mobile.md)
 
 
## Authentication Method Selection
* [Federated MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa)
* [External Auth Methods](../authentication/how-to-authentication-external-method-manage.md)
* [Microsoft Intune Company Portal app version 5.2408.0](/mem/intune/apps/apps-company-portal-macos) or later installed. This version is required before users are targeted for PSSO.
* (Highly recommended) Users are advised to [register a passkey on their mobile devices.](../authentication/how-to-register-passkey.md)
 
 
## Authentication Method Selection
Modified by learn-build-service-prod[bot] on Jul 6, 2026 4:23 PM
πŸ“– View on learn.microsoft.com
+1 / -1 lines changed
Commit: Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/entra-docs (branch main) (#13778)
Changes:
Before
After
 
| **Term** | **Description** |
| :--- | --- |
| **broker** | An identity broker is a service that acts as an intermediary between an identity providers (IdPs) and service providers (SPs), simplifying authentication and authorization . Web Account Manager is an example of an identity broker.|
| **Cloud Authentication Provider (CloudAP)**| CloudAP is the modern authentication provider for Windows sign in, that verifies users logging to a Windows 10 or newer device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider's credentials. |
| **Web Account Manager (WAM)**| WAM is the default token broker on Windows 10 or newer devices. WAM also provides a plugin framework that identity providers can build on and enable SSO to their applications relying on that identity provider.|
| **Microsoft Entra CloudAP plugin**| A Microsoft Entra specific plugin built on the CloudAP framework that verifies user credentials with Microsoft Entra ID during Windows sign in.|
 
| **Term** | **Description** |
| :--- | --- |
| **broker** | An identity broker is a service that acts as an intermediary between identity providers (IdPs) and service providers (SPs), simplifying authentication and authorization. Web Account Manager is an example of an identity broker.|
| **Cloud Authentication Provider (CloudAP)**| CloudAP is the modern authentication provider for Windows sign in, that verifies users logging to a Windows 10 or newer device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider's credentials. |
| **Web Account Manager (WAM)**| WAM is the default token broker on Windows 10 or newer devices. WAM also provides a plugin framework that identity providers can build on and enable SSO to their applications relying on that identity provider.|
| **Microsoft Entra CloudAP plugin**| A Microsoft Entra specific plugin built on the CloudAP framework that verifies user credentials with Microsoft Entra ID during Windows sign in.|
Modified by Justin Hall on Jul 6, 2026 8:03 AM
πŸ“– View on learn.microsoft.com
+1 / -1 lines changed
Commit: Split passkey docs (2/5): Passkey in Microsoft Authenticator (enable/register/sign-in) (#13774)
Changes:
Before
After
 
## Users get in a loop when they try to add passkey in Authenticator
 
Organizations that are deploying passkeys and have Conditional Access policies that require phishing-resistant authentication when accessing **All resources (formerly 'All cloud apps')** can run into a looping issue when users attempt to add a passkey to Microsoft Authenticator. For more information and possible workarounds, see [Workarounds for an authentication strength Conditional Access policy loop](~/identity/authentication/how-to-support-authenticator-passkey.md#workarounds-for-an-authentication-strength-conditional-access-policy-loop).
 
## Invitation is blocked due missing cross-tenant access settings
 
 
## Users get in a loop when they try to add passkey in Authenticator
 
Organizations that are deploying passkeys and have Conditional Access policies that require phishing-resistant authentication when accessing **All resources (formerly 'All cloud apps')** can run into a looping issue when users attempt to add a passkey to Microsoft Authenticator. For more information and possible workarounds, see [Workarounds for an authentication strength Conditional Access policy loop](~/identity/authentication/how-to-enable-authenticator-passkey.md#workarounds-for-an-authentication-strength-conditional-access-policy-loop).
 
## Invitation is blocked due missing cross-tenant access settings
 

πŸ—‘οΈ Deleted Documentation Files

DELETED docs/identity/authentication/how-to-support-authenticator-passkey.md
Deleted by Justin Hall on Jul 6, 2026 8:03 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-support-authenticator-passkey
-92 lines removed
Commit: Split passkey docs (2/5): Passkey in Microsoft Authenticator (enable/register/sign-in) (#13774)
DELETED docs/identity/authentication/how-to-register-passkey-mobile.md
Deleted by Justin Hall on Jul 6, 2026 4:29 PM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-mobile
-74 lines removed
Commit: Split passkey docs (1/5): synced passkey register/sign-in + remove mobile article (#13773)