Forum Discussion
Fido passkeys blocked by policy
You're encountering error code 135016 ("FIDO sign-in is disabled via policy") even though you've enabled passkey sign-in and specified the correct AAGUIDs. This is a known issue, often caused by one or more policies or settings not being fully aligned across Azure AD (Microsoft Entra ID), Conditional Access, or the Authentication Methods policy, even if FIDO2 appears enabled on the surface.
Go to Microsoft Entra Admin Center → Protection → Authentication methods → FIDO2 Security Key
Ensure FIDO2 is enabled (not just "targeted"). Check that the user/group is assigned in the targeting section. Verify that "Allow self-service set up" is ON. Ensure the AAGUID of your passkey is correctly entered and not misspelled.
Also, try temporarily removing CA restrictions or setting a policy allowing FIDO2 as the primary sign-in method.
Last, if you use Auth strengths within any CAP, go to Entra Admin Center → Protection → Authentication Strengths and confirm that your FIDO2 configuration is included in the expected strength set.
I know some hybrid-joined devices also throw this error; you might want to test it on the Entra-joined device first. In any case, always check Sign-in Logs → Authentication Details → Sign-in method.
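As an added example (not part of the post above and not Microsoft tooling), here is a small Python checker for the FIDO2 authentication method configuration object that Microsoft Graph returns from `GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2`. It flags the same settings the reply walks through: method state, self-service registration, user/group targeting, and the AAGUID key restrictions. The policy JSON, the group id and the AAGUIDs are constructed sample values, and the check assumes you already know which groups the affected user belongs to.

```python
"""Offline checker for a Graph fido2AuthenticationMethodConfiguration object."""
import json

# Constructed sample policy: self-service registration is OFF, an allow-list of
# AAGUIDs is enforced, and only one (made-up) group is targeted.
SAMPLE_POLICY = json.loads("""{
  "id": "Fido2", "state": "enabled",
  "isSelfServiceRegistrationEnabled": false,
  "isAttestationEnforced": false,
  "keyRestrictions": {"isEnforced": true, "enforcementType": "allow",
                      "aaGuids": ["de1e552d-db1d-4423-a619-566b625a6d84"]},
  "includeTargets": [{"targetType": "group",
                      "id": "11111111-2222-3333-4444-555555555555"}],
  "excludeTargets": []
}""")


def norm(guid):
    """Normalise an AAGUID so case or missing hyphens do not hide a match."""
    return guid.replace("-", "").lower()


def check_fido2_policy(policy, user_groups, aaguid):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("FIDO2 method state is %r, not 'enabled'" % policy.get("state"))
    if not policy.get("isSelfServiceRegistrationEnabled"):
        findings.append("self-service set up is OFF; users cannot register a passkey")
    included = {t["id"] for t in policy.get("includeTargets", [])}
    excluded = {t["id"] for t in policy.get("excludeTargets", [])}
    groups = set(user_groups)
    # Graph uses the special group id "all_users" when every user is targeted.
    if "all_users" not in included and not (groups & included):
        findings.append("user is in none of the targeted groups")
    if groups & excluded:
        findings.append("user is in an excluded group")
    restrictions = policy.get("keyRestrictions") or {}
    if restrictions.get("isEnforced"):
        listed = {norm(g) for g in restrictions.get("aaGuids", [])}
        mode = restrictions.get("enforcementType")
        if mode == "allow" and norm(aaguid) not in listed:
            findings.append("AAGUID %s is not on the enforced allow list" % aaguid)
        if mode == "block" and norm(aaguid) in listed:
            findings.append("AAGUID %s is on the enforced block list" % aaguid)
    return findings
```

Feed it the JSON from the Graph call and the AAGUID printed by your passkey vendor; a transposed digit in the allow list shows up as a finding rather than as a silent 135016 at sign-in.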