Forum Discussion
Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies?
The use case is to provide a phishing-resistant MFA option via the Authenticator app for logging into apps on their desktop. Users already have the Authenticator app on their phone and do number-matching MFA.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS
When I select "Create a passkey", I need to log into my account. However, I'm blocked from successful authentication because I have conditional access policies that require compliant devices. As my mobile phone is not enrolled in Intune, I never get to the step where the passkey is created and registered.
Based on these constraints, it seems that passkeys cannot be used on unmanaged/BYOD devices in organisations that have device compliance policies. They can only be used by users who have enrolled their mobile phone.
Looking to see if anyone has tips or a different experience using passkeys on unmanaged mobile phones to log into Entra?
1 Reply
With the current Microsoft Entra conditional access framework, passkeys in the Authenticator app cannot be registered on unmanaged or BYOD devices when device compliance is enforced. The registration process requires a successful sign‑in, which is prevented by the compliant‑device requirement. As a result, passkeys can only be provisioned and used on mobile devices that are enrolled in Intune or otherwise designated as compliant.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
https://techcommunity.microsoft.com/discussions/microsoft-entra/block-access-with-conditional-access-for-unmanaged-devices/4065902