Phishing-resistant MFA CA allows passkey enrollment but fails with generic WebAuthn error

Adrien LARMET 0 Reputation points
2026-05-19T20:01:34+00:00

My tenant is currently locked: no Global Administrator account can sign in anymore.

I think I may have hit a weird edge case with Entra Conditional Access + Authentication Strengths.

What I configured:

  • Conditional Access targeting all admin roles
  • All cloud apps
  • Grant → Require authentication strength
  • Authentication strength = Phishing-resistant MFA

What’s strange:

Accounts that already had a phishing-resistant method registered BEFORE the CA policy work fine.

But for admin accounts without an existing PR MFA method:

  • Entra correctly redirects them to passkey / WHfB registration
  • the registration process appears to complete
  • then it fails with a completely generic error like: “Something went wrong” or “This might be due to a timeout, a canceled request or a private browsing window”

The weird part is:

  • this happens across multiple PCs
  • multiple admin accounts
  • iPhone too
  • Microsoft Authenticator passkeys
  • Windows Hello for Business

It honestly looks like the passkey is successfully created locally on the device, but never properly registered/accepted by Entra afterwards.

What makes me think this may not simply be “working as designed”:

  • Audit mode showed no failures before enforcement
  • Existing PR MFA methods continue to work
  • Entra DOES allow/pass users into the enrollment flow
  • the failure happens only at the very end with a generic WebAuthn-style error message instead of a proper Conditional Access policy violation

Microsoft support already reproduced the issue through screen sharing and escalated the case.

Has anyone seen this behavior specifically with:

  • Authentication Strengths
  • Phishing-resistant MFA
  • Microsoft Authenticator passkeys
  • WHfB enrollment after CA enforcement?

1 answer

  1. Adrien LARMET 0 Reputation points
    2026-05-20T08:52:37.77+00:00

    It’s working again.

    I finally managed to access the tenant by signing into a PC with my admin account and configuring Windows Hello. The PIN failed, but fingerprint authentication finally worked and let me back in.

    I disabled the CA immediately and created a proper break-glass account. I fully admit I was careless, but honestly Microsoft also shares some responsibility here because this whole flow is clearly not mature enough yet.

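The question describes enforcing the built-in Phishing-resistant MFA authentication strength on admin roles before every admin had a phishing-resistant method registered, and the answer's recovery was to disable the policy and create a break-glass account. The script below is an added example, not code from the original thread or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list admins who have no phishing-resistant method registered, creates the policy in report-only mode with a break-glass account excluded, and only switches it to enforced when that list is empty. The break-glass UPN, the policy display name, the "admin" scope (Global Administrator only; extend the role template list yourself) and the set of method names treated as phishing-resistant are assumptions; confirm the method names against the values your tenant's registration report actually returns.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and a Conditional Access Administrator or Global Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "AuditLog.Read.All", "User.Read.All"

# Built-in authentication strength "Phishing-resistant MFA" (fixed, well-known ID).
$PhishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"
# Directory role template for Global Administrator (fixed, well-known ID).
# Assumption: extend this list with the other admin role template IDs you target.
$AdminRoleTemplateIds = @("62e90394-69f5-4237-9190-012177145e10")
# Placeholder (assumption): your cloud-only break-glass account.
$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com"
# Assumption: methodsRegistered values that satisfy the phishing-resistant strength.
# Verify against the output of Get-MgReportAuthenticationMethodUserRegistrationDetail.
$PhishingResistantMethods = @(
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello"
)

# 1. Which admins would be locked out? Registration report, admins only.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All
$notReady = @($admins | Where-Object {
    # True when none of the user's registered methods is in the phishing-resistant set.
    -not ($_.MethodsRegistered | Where-Object { $PhishingResistantMethods -contains $_ })
})
$notReady | Select-Object UserPrincipalName, IsMfaRegistered,
    @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join "," } } | Format-Table

# 2. Resolve the break-glass account so it can be excluded by object ID.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id

# 3. Create the policy in report-only mode first; never start in "enabled".
$policy = @{
    displayName = "Admins: require phishing-resistant MFA"      # assumption
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeRoles = $AdminRoleTemplateIds
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Enforce only once every targeted admin already holds a qualifying method.
if ($notReady.Count -eq 0) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
        -BodyParameter @{ state = "enabled" }
    Write-Host "Policy $($created.Id) enforced."
} else {
    Write-Warning ("Left in report-only: {0} admin account(s) have no phishing-resistant " +
                   "method registered. Have them enroll (e.g. via a Temporary Access Pass) first.") `
                   -f $notReady.Count
}
```

Run step 1 on its own before touching policy at all; the registration report is the check that report-only mode cannot give you, because a sign-in that is merely evaluated is not the same as a user who can complete the registration flow under enforcement. Keep the break-glass exclusion in place after enforcement, and test that account's sign-in separately.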
