Microsoft has begun auto-enabling passkeys across Entra ID tenants, effectively ending the voluntary adoption phase of passwordless authentication. This isn't a feature rollout—it's Microsoft telling businesses that password-dependent security is no longer acceptable. UK mid-market companies relying on traditional MFA will find themselves transitioned whether they're ready or not.
Why Microsoft Is Forcing the Change
Passkeys eliminate the phishing vulnerabilities that plague password-based systems, even those protected by SMS or app-based MFA. With UK businesses losing an average of £4,200 per successful phishing attack according to the government's Cyber Security Breaches Survey, Microsoft's position is commercially and technically sound. The company is also responding to regulatory pressure from frameworks like NIS2, which explicitly requires phishing-resistant authentication for critical infrastructure providers.
The auto-enablement signals Microsoft's recognition that voluntary adoption has stalled. Despite passkeys being available in Entra ID for over a year, uptake among mid-market businesses remains minimal. By making the transition mandatory, Microsoft is forcing the security conversation that many boards have been avoiding.
Immediate Implications for UK Businesses
Companies using Microsoft 365 or Azure services will see passkey options appearing in their authentication flows without advance configuration. This creates immediate user confusion and potential support overhead if not properly managed. Finance teams using legacy applications that don't support modern authentication protocols face particular disruption.
The compliance implications are equally significant. Organisations subject to GDPR, FCA regulations, or preparing for NIS2 compliance will find passkeys strengthen their technical safeguards considerably. However, the transition period creates audit risks if authentication policies aren't properly documented and communicated to staff.
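The documentation point above is easiest to meet by putting the tenant's actual passkey configuration and per-user readiness on record before and after the change. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only scopes shown. Property and cmdlet names are those of the Graph SDK; the output file names are this example's own choice.

```powershell
# Added example (not from the article): snapshot the tenant's FIDO2/passkey
# authentication method policy and each user's passwordless readiness, so the
# configuration in force on a given date is documented for audit purposes.
# Assumes the Microsoft.Graph SDK and consent to the read-only scopes below.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All" -NoWelcome

$stamp = Get-Date -Format "yyyyMMdd-HHmm"

# 1. Tenant-wide policy for the FIDO2/passkey method. State is enabled/disabled;
#    method-specific settings come back in AdditionalProperties.
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId "fido2"

[pscustomobject]@{
    CapturedAt = (Get-Date).ToString("o")
    MethodId   = $fido2.Id
    State      = $fido2.State
    Settings   = $fido2.AdditionalProperties
} | ConvertTo-Json -Depth 6 | Set-Content -Path "passkey-policy-$stamp.json"

# 2. Per-user registration report: who has any MFA method registered and who
#    already holds a passwordless-capable method. IsMfaRegistered,
#    IsPasswordlessCapable and MethodsRegistered are properties of the
#    userRegistrationDetails resource.
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$users |
    Select-Object UserPrincipalName, UserType, IsAdmin, IsMfaRegistered,
                  IsPasswordlessCapable,
                  @{ n = "MethodsRegistered"; e = { $_.MethodsRegistered -join ";" } } |
    Export-Csv -Path "passkey-readiness-$stamp.csv" -NoTypeInformation

# 3. Headline figures for the board pack.
$total = $users.Count
$ready = @($users | Where-Object { $_.IsPasswordlessCapable }).Count
$noMfa = @($users | Where-Object { -not $_.IsMfaRegistered }).Count
"{0} users; {1} passwordless-capable ({2:P0}); {3} with no MFA method registered" -f `
    $total, $ready, ($ready / [math]::Max($total, 1)), $noMfa
```

Re-running this after the auto-enablement lands gives a second JSON file to diff against the first, which is the evidence an auditor will ask for: what the policy was, when it changed, and how many accounts were still password-only at each point.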
Most critically, businesses that fail to plan for this transition will experience it as an emergency rather than a strategic upgrade. User resistance, application compatibility issues, and support desk overload become inevitable when passwordless authentication appears without preparation.
Technical Dependencies and Risks
Passkey implementation requires device-level security capabilities that not all business hardware supports. Older laptops lacking TPM chips or biometric readers cannot participate in passwordless authentication, forcing costly hardware refreshes or complex workarounds. Companies must audit their device inventory immediately to identify compatibility gaps.
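The device audit the paragraph calls for can be scripted per endpoint and the rows collected centrally. This PowerShell is an added example, not the article's or Microsoft's own tooling; it assumes Windows endpoints with the built-in TrustedPlatformModule and PnpDevice modules, an elevated session (Get-Tpm requires it), and a collection path that is a placeholder. The "Ready" verdict is the script's own rule of thumb (TPM present, ready and reporting spec 2.0); a PIN-only Windows Hello enrolment does not need a biometric reader, so that column is informational.

```powershell
# Added example (not from the article): per-device check of the hardware
# prerequisites for a device-bound passkey. Run elevated on each endpoint and
# append the result to a shared CSV to build the compatibility inventory.
$ErrorActionPreference = "Stop"

function Get-PasskeyDeviceReadiness {
    # TrustedPlatformModule cmdlet: TpmPresent / TpmReady reflect the firmware state.
    $tpm = Get-Tpm

    # Win32_Tpm lives in its own namespace; SpecVersion reads like "2.0, 0, 1.59".
    $wmi = Get-CimInstance -Namespace "root/cimv2/Security/MicrosoftTpm" `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi -and $wmi.SpecVersion) { ($wmi.SpecVersion -split ",")[0].Trim() } else { "unknown" }

    # Any biometric sensor (fingerprint / IR camera) that Plug and Play reports as OK.
    $bio = @(Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CheckedAt       = (Get-Date).ToString("o")
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmSpecVersion  = $spec
        BiometricSensor = ($bio.Count -gt 0)
        BiometricNames  = ($bio.FriendlyName -join ";")
        # Script's own readiness rule (assumption): TPM present, ready, spec 2.0.
        Ready           = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $spec -eq "2.0")
    }
}

$result = Get-PasskeyDeviceReadiness
$result | Format-List

# Placeholder collection point; replace with your own share or intake endpoint.
$result | Export-Csv -Path "\\fileserver\inventory\passkey-readiness.csv" -Append -NoTypeInformation
```

Pushing the script through the existing management tooling (Intune, Configuration Manager or a GPO startup script) and sorting the CSV on the Ready column gives the list of machines that need a refresh, a firmware TPM enablement, or a roaming FIDO2 key as the workaround the paragraph mentions.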
Application integration presents the larger challenge. Legacy line-of-business applications that rely on basic authentication or older SAML implementations may break entirely. Finance systems, CRM platforms, and sector-specific applications require testing and potentially expensive upgrades to support modern authentication flows.
The dependency on device management also creates new failure modes. When an employee's laptop or phone becomes their primary authentication device, device loss or failure can completely block access to business systems. Recovery procedures become more complex but also more critical.
Strategic Response for Boards
Boards should treat this Microsoft announcement as a forcing function for comprehensive identity strategy review. Rather than reactive implementation, use the transition to establish proper identity governance across all business applications, not just Microsoft services. This includes documenting who has access to what, implementing proper joiners-movers-leavers processes, and establishing clear authentication policies for different risk levels.
The investment in passkey-compatible devices and applications should be viewed as foundational security infrastructure, not an optional upgrade. Companies that embrace this transition strategically will find themselves significantly more secure and better positioned for future regulatory requirements. Those that resist will find themselves managing increasingly complex workarounds while remaining vulnerable to the phishing attacks that passkeys eliminate entirely.