Forum Discussion
Steskalj
May 14, 2025 | Iron Contributor
Add Passkey support to Active Directory
Everyone, please go to the Feedback Hub and upvote my suggestion to add passkey support to Active Directory Domain Services: https://aka.ms/AAw8z54 The reason I am recommending this is because ther...
MichaelC
May 17, 2025 | Brass Contributor
My personal recommendation is to use Windows Hello, TAP, and External Security keys attached to Entra ID accounts and then use https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises in order to obtain Kerberos tickets to on-premises Active Directory.
Likewise, you should enable Credential Guard on all endpoints to guard those issued TGTs. Furthermore, for alternate accounts and such, you can leverage X.509 smart card certificates to do things like RDP sign-in as a different account.