How to use Windows Hello to store FIDO2 passkey for Entra

Christoph Kling 20 Reputation points
2025-05-25T20:10:08.8566667+00:00

With Microsoft personal accounts, you can easily use a passkey stored in Windows Hello of your Windows device to authenticate. You can see the passkey for login.microsoft.com in Windows settings / accounts / passkeys. With Microsoft work or school accounts, this seems not to work. Apparently, you cannot store the passkey in Windows Hello.

In our organization, almost all users bring their own device and we do not manage these devices. The devices are enrolled in Entra but not in Intune. That's why we probably cannot use Windows Hello for Business. It seems that Windows Hello for Business requires device enrollment.

So we added FIDO2 as authentication method in Entra. Users are now able to add a passkey to login to their account. However, if you want to add the passkey, you can only save it on an iOS or Android device but not in Windows Hello of your Windows device.

Why is that so? How can I replicate the login process that is available for Microsoft personal accounts?

Thank you!


Accepted answer
    PRATIK JADHAV 170 Reputation points Microsoft External Staff Moderator
    2025-05-26T13:59:22.6166667+00:00

    Hello @Christoph Kling ,

    Why is that so?

    • Windows Hello on unmanaged Windows devices doesn’t store FIDO2 passkeys for Entra ID accounts because Microsoft requires the device to be Azure AD-joined and managed (e.g., via Intune) to trust the platform authenticator. Personal Microsoft accounts don’t have this restriction, so passkeys can be stored directly in Windows Hello.

    How can I replicate the personal account login experience?

    To replicate it for personal accounts, use one of the following options:

    • Azure AD-join and enable Windows Hello for Business (requires device management).
    • Use FIDO2 security keys or mobile passkeys (iOS/Android), which work without managing the device.

    Is it possible to configure Entra ID to lower the FIDO2 trust level so Windows Hello can store passkeys on unmanaged devices?

    • Microsoft Entra ID does not currently support lowering the trust level required for FIDO2 passkeys to enable storage in Windows Hello on unmanaged or non-Azure AD-joined Windows devices.
    • Windows Hello cannot be used to store FIDO2 passkeys for Entra ID accounts on unmanaged or non-Azure AD-joined devices.

    Is there a tenant policy that allows this?

    • There is no tenant-level policy or configuration currently available that allows administrators to relax the trust requirements for FIDO2 passkey storage in Windows Hello on unmanaged devices.


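As an added diagnostic (not code from either poster), the script below pulls together the three things the thread turns on: the tenant's FIDO2/passkey authentication method configuration (including any AAGUID key restrictions), how the user's Windows device is registered in Entra (Entra registered vs. Entra joined, and whether it is MDM-managed), and which passkeys the user has already registered. It uses the Microsoft Graph PowerShell SDK with read-only scopes; the user principal name and device name are placeholders you replace with your own, and the Graph endpoint paths are the documented v1.0 authentication-methods-policy routes.

```powershell
# Added diagnostic, not part of the original thread.
# Prerequisites: Microsoft.Graph PowerShell SDK; an account that can consent to
# Policy.Read.All, UserAuthenticationMethod.Read.All and Device.Read.All.
# $UserPrincipalName and $DeviceName are assumed placeholders.
param(
    [string]$UserPrincipalName = 'user@contoso.example',   # assumed placeholder
    [string]$DeviceName        = $env:COMPUTERNAME
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Policy.Read.All','UserAuthenticationMethod.Read.All','Device.Read.All' -NoWelcome

# 1. Tenant FIDO2 (passkey) policy. Invoke-MgGraphRequest returns plain hashtables,
#    which makes the nested keyRestrictions block easy to read.
$fido = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'
$kr = $fido.keyRestrictions
[pscustomobject]@{
    State                   = $fido.state                              # enabled / disabled
    SelfServiceRegistration = $fido.isSelfServiceRegistrationEnabled   # can users add keys in My Security Info
    AttestationEnforced     = $fido.isAttestationEnforced              # attestation required at registration
    KeyRestrictionsEnforced = $kr.isEnforced
    EnforcementType         = $kr.enforcementType                      # allow / block
    Aaguids                 = ($kr.aaGuids -join ', ')                 # authenticator models on the list
} | Format-List

# 2. Registration state of the device in Entra.
#    trustType 'Workplace' = Entra registered (typical BYOD), 'AzureAd' = Entra joined;
#    IsManaged / IsCompliant reflect MDM (for example Intune) enrollment and compliance.
Get-MgDevice -Filter "displayName eq '$DeviceName'" `
    -Property id,displayName,trustType,isManaged,isCompliant,operatingSystem |
    Select-Object DisplayName, TrustType, IsManaged, IsCompliant, OperatingSystem |
    Format-Table -AutoSize

# 3. Passkeys already registered for the user; AaGuid identifies the authenticator model.
Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName |
    Select-Object DisplayName, Model, AaGuid, AttestationLevel, CreatedDateTime |
    Format-Table -AutoSize

# 4. Local view from the Windows device itself (no Graph call): join state as Windows sees it.
dsregcmd /status | Select-String -Pattern '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined)\s*:'
```

Run it from the device in question so that step 4 reports that device's own state; if `WorkplaceJoined : YES` and `AzureAdJoined : NO`, the device is Entra registered rather than joined, which is the situation the question describes. Steps 1 and 3 only need the Graph connection and can be run from anywhere.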

0 additional answers
