Plan and enforce Entra ID passkeys with ease

The Passkey Deployment Helper simplifies your IT department's rollout plan to enforce passkeys.

Request a Demo

What are Passkeys?

Passkeys are the next generation of authentication. They replace push MFA, 2FA codes, SMS and passwords with a faster, easier, and more secure alternative. They follow FIDO2 standards, and are a form of 'phish-resistant MFA', protecting against modern attacks where traditional MFA falls short.

{{ passkey.title }}

Registering a passkey does not force it's use on Entra ID!

Attacker-in-the-Middle (AitM) downgrade attacks are the next big phishing threat. Sitting between the user and Microsoft, and attacker is able to request Microsoft to use an insecure MFA method (e.g. SMS or number matching).

Identities need to be in scope of a Conditional Access Policy to enforce the use of passkeys and prevent AitM downgrade attacks. Applying the policy to an identity is likely to log out the user and may prevent them from signing in if they have not registered passkeys correctly.

This raises the question: How and when do you enforce passkeys on your users? Do you enforce team by team or region by region? What if the user is in the middle of a Teams meeting and they will be signed out?

Self-service with the passkey deployment helper is the answer!

A one-stop app to guide users through the entire process, from registering to enforcing. It even helps IT teams monitor and plan the deployment. User features include:


  • Check if the user is ready: Which methods are registered to the user, with guidance against particular methods.
  • Record MS Authenticator phone incompatibility: With (optional) automated exclusion from the CA policy.
  • Test passkey sign-in: Without enforcement, allows user to validate their device/passkey combo works.
  • Flag issues for IT support: Follow up directly, and configure (optionally) automated pausing of enforcement.
  • Custom organisation specific URLs: For guidance docs and raising support requests.
  • Single-sign-on (SSO): As standard.

How Does It Work?

Our solution integrates directly with your Entra ID tenant. The self-service application uses a least privilege approach to add users to defined Entra ID groups as a trusted intermediary. Outside of the scope of the application, the groups are used as part of organisation designed Conditional Access policies.

No personal data is held on our servers.

Components of the Solution

{{ feature.title }}

{{ feature.description }}

Simple for End-Users

The user-facing application provides a clear, customisable, step-by-step process. It checks their current setup, guides them if needed, and lets them enforce passkeys with a single click when they are ready.

User SPA with app passkeys registered. User SPA with app passkeys not registered.
User SPA with app passkeys confirmed.

Powerful for Administrators

The admin portal gives you a complete overview of the rollout progress. Track adoption rates, see which users have completed the process, and identify users who may need assistance.

Admin dashboard showing passkey adoption graphs and user progress.
Admin audit log showing recent changes to user enforcement groups. Users that need action with button to email them.

Ready to try?

Take the first step towards a passwordless future. Get in touch to see how the Passkey Deployment Helper can work for you.

Contact Us Now