Critical Need for Passkey Support in Microsoft Entra External ID (CIAM)

Question

We urgently need Passkey support (both device-bound and synced passkeys) in Microsoft Entra External ID (CIAM).

Our organization is currently delivering a major customer-facing project, and passwordless authentication is a key security and user experience requirement. While Passkeys are now GA in Microsoft Entra ID for workforce scenarios, we have not seen clear confirmation of GA availability for External ID customer sign-in flows.

For our external customers, supporting:

• Device-bound passkeys (FIDO2)

Synced passkeys (platform passkeys such as iCloud Keychain / Google Password Manager)

is critical to meet modern security standards and user expectations.

Without native passkey support in External ID, we are forced to rely on less secure or less user-friendly authentication methods, which significantly impacts both adoption and compliance requirements.

Can the product team please clarify:

Current status of passkeys in Entra External ID (Preview / GA?)

Expected GA timeline (if not yet released)

Whether both device-bound and synced passkeys will be supported for CIAM scenarios

This functionality is essential for our customer projects, and we would greatly appreciate an update on the roadmap.

Thank you.We urgently need Passkey support (both device-bound and synced passkeys) in Microsoft Entra External ID (CIAM).

Our organization is currently delivering a major customer-facing project, and passwordless authentication is a key security and user experience requirement. While Passkeys are now GA in Microsoft Entra ID for workforce scenarios, we have not seen clear confirmation of GA availability for External ID customer sign-in flows.

For our external customers, supporting:

Device-bound passkeys (FIDO2)

Synced passkeys (platform passkeys such as iCloud Keychain / Google Password Manager)

is critical to meet modern security standards and user expectations.

Without native passkey support in External ID, we are forced to rely on less secure or less user-friendly authentication methods, which significantly impacts both adoption and compliance requirements.

Can the product team please clarify:

Current status of passkeys in Entra External ID (Preview / GA?)

Expected GA timeline (if not yet released)

Whether both device-bound and synced passkeys will be supported for CIAM scenarios

This functionality is essential for our customer projects, and we would greatly appreciate an update on the roadmap.

Thank you.

Answer 1

Hello Elmer Figueroa

This feature request is related to customer authentication capabilities in Microsoft Entra External ID (CIAM)

Only work identities in Microsoft Entra ID, including FIDO2 device-bound passkeys and synced platform passkeys, are currently supported by GA. Nevertheless, External ID customer sign-in flows do not currently have native passkey capability.

The request falls under product design and roadmap clarification rather than a service outage or configuration issue because it concerns the product roadmap and feature availability.

Please raise a feedback here https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

Answer 2

Yeah, the weak MFA options, and lack of SSO/SAML capabilities to other Entra ID tenants can be tolerable if there is transparency it is being worked on.

OP check out Auth0 if you want a SaaS solution, or KeyCloak if your team can operate with self-hosting.

We ended up re-platforming to AWS and using Amazon Cognito.