Passkey (FIDO2) authentication matrix with Microsoft Entra ID

Microsoft Entra ID allows passkeys (FIDO2) to be used for multifactor passwordless authentication. This article covers which native applications, web browsers, and operating systems support sign-in using passkey with Microsoft Entra ID.

For enabling FIDO2 security keys to unlock a Windows device, see Enable FIDO2 security key sign-in to Windows 10 and 11 devices with Microsoft Entra ID.

Note

Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts.

Web browsers

The following section covers support for passkey (FIDO2) authentication in web browsers with Microsoft Entra ID.

OS	Chrome	Edge	Firefox	Safari
Windows	✅	✅	✅	N/A
macOS	✅	✅	✅	✅
ChromeOS	✅	N/A	N/A	N/A
Linux	✅	✅	✅	N/A
iOS	✅	✅	✅	✅
Android	✅	✅	❌	N/A

Considerations for each platform

Windows

• Sign-in with security key requires one of the following items:
  • Windows 10 version 1903 or later
  • Chromium-based Microsoft Edge
  • Chrome 76 or later
  • Firefox 66 or later

macOS

• Sign-in with passkey requires macOS Catalina 11.1 or later with Safari 14 or later because Microsoft Entra ID requires user verification for multifactor authentication.
• Near-field communication (NFC) and Bluetooth Low Energy (BLE) security keys aren't supported on macOS by Apple.
• New security key registration doesn't work on these macOS browsers because they don't prompt to set up biometrics or PIN.
• See Sign in when more than three passkeys are registered for Safari on macOS.

ChromeOS

• NFC and BLE security keys aren't supported on ChromeOS by Google.
• Security key registration isn't supported on ChromeOS or Chrome browser.

Linux

• Sign-in with passkey in Microsoft Authenticator isn't supported in Firefox on Linux.

iOS

• Sign-in with passkey requires iOS 14.3 or later because Microsoft Entra ID requires user verification for multifactor authentication.
• BLE security keys aren't supported on iOS by Apple.
• NFC with FIPS 140-3 certified security keys isn't supported on iOS by Apple.
• New security key registration doesn't work on iOS browsers because they don't prompt to set up biometrics or PIN.
• See Sign in when more than three passkeys are registered.

Android

• Sign-in with passkey requires Google Play Services 21 or later because Microsoft Entra ID requires user verification for multifactor authentication.
• BLE security keys aren't supported on Android by Google.
• Security key registration with Microsoft Entra ID isn't yet supported on Android.
• Sign-in with passkey isn't supported in Firefox on Android.

Known issues

Sign in when more than three passkeys are registered

If you registered more than three passkeys, sign in with a passkey might not work on iOS or Safari on macOS. If you have more than three passkeys, as a workaround, click Sign-in options and sign in without entering a username.

Native apps

The following section covers support for passkey (FIDO2) authentication in Microsoft and third-party applications with Microsoft Entra ID.

Note

Passkey authentication with a third-party Identity Provider (IDP) isn't supported in third-party applications using authentication broker, or Microsoft applications on macOS, iOS, or Android at this time.

Native application support with authentication broker

Microsoft applications provide native support for passkey authentication for all users who have an authentication broker installed for their operating system. Passkey authentication is also supported for third-party applications using the authentication broker.

If a user installed an authentication broker, they can choose to sign in with a passkey when they access an application such as Outlook. They're redirected to sign in with passkey, and redirected back to Outlook as a signed in user after successful authentication.

The following tables lists which authentication brokers are supported for different operating systems.

OS	Authentication broker
iOS	Microsoft Authenticator
macOS	Microsoft Intune Company Portal
Android	Authenticator, Company Portal, or Link to Windows app

Microsoft application support without authentication broker

The following table lists Microsoft application support for passkey (FIDO2) without an authentication broker. Update your apps to the latest version to make sure they work with passkeys.

Application	macOS	iOS	Android
Remote Desktop	✅	✅	❌
Windows App	✅	✅	❌
Microsoft 365 Copilot (Office)	N/A	✅	❌
Word	✅	✅	❌
PowerPoint	✅	✅	❌
Excel	✅	✅	❌
OneNote	✅	✅	❌
Loop	N/A	✅	❌
OneDrive	✅	✅	❌
Outlook	✅	✅	❌
Teams	✅	✅	❌
Edge	✅	✅	❌

Third-party application support without authentication broker

If the user has yet to install an authentication broker, they can still sign in with a passkey when they access MSAL-enabled applications. For more information about requirements for MSAL-enabled applications, see Support passwordless authentication with FIDO2 keys in apps you develop.

Considerations for each platform

Windows

• Sign-in with FIDO2 security key to native apps requires Windows 10 version 1903 or later.
• Sign-in with passkey in Microsoft Authenticator to native apps requires Windows 11 version 22H2 or later.
• Microsoft Graph PowerShell supports passkey (FIDO2). Some PowerShell modules that use Internet Explorer instead of Edge aren't capable of performing FIDO2 authentication. For example, PowerShell modules for SharePoint Online or Teams, or any PowerShell scripts that require admin credentials, don't prompt for FIDO2.
  • As a workaround, most vendors can put certificates on the FIDO2 security keys. Certificate-based authentication (CBA) works in all browsers. If you can enable CBA for those admin accounts, you can require CBA instead of FIDO2 in the interim.

iOS

• Sign-in with passkey in native apps without Microsoft Enterprise Single Sign On (SSO) plug-in requires iOS 16.0 or later.
• Sign-in with passkey in native apps with the SSO plug-in requires iOS 17.1 or later.

macOS

• On macOS, the Microsoft Enterprise Single Sign On (SSO) plug-in is required to enable Company Portal as an authentication broker. Devices that run macOS must meet SSO plug-in requirements, including enrollment in mobile device management.
• Sign-in with passkey in native apps with the SSO plug-in requires macOS 14.0 or later.

Android

• Sign-in with FIDO2 security key to native apps requires Android 13 or later.
• Sign-in with passkey in Microsoft Authenticator to native apps requires Android 14 or later.
• Sign-in with Yubico-manufactured FIDO2 security keys with YubiOTP enabled might not work on Samsung Galaxy devices. As a workaround, users can disable YubiOTP and attempt to sign in again.

Next steps

Enable passwordless security key sign-in