Forum Discussion
wavesound
3 years ago, Dedicated Contributor
Passkeys do not work with Microsoft 365
When I go to add Passkeys to my Microsoft 365 portal it fails at the last step.
https://mysignins.microsoft.com/security-info
Same error in Chrome and Brave.
I was able to cancel the 1Password enrollment process and enroll a YubiKey just fine.
1Password Version: 1Password for Mac 8.10.7 (81007041)
Extension Version: 2.12.0
OS Version: 13.4
Browser: Brave
70 Replies
- DominicTech, New Contributor
Like other members, on March 13, 2025, I confirm that passkeys now work with 1Password in a Microsoft 365 account. We need to select "Security key" when adding a new authentication method, then choose "USB Device".
As others said, the configuration of FIDO authentication in admin 365 must have Attestation disabled.
Page: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/
- mpinoc, New Contributor
Update: I just tried today and it FINALLY worked for "synced" Passkeys and creating it within 1Password!! I no longer have to use that stupid "Microsoft Authenticator" app anymore!! So it appears within the last 3 weeks or so (since the last time I tried), Microsoft finally enabled the ability!!
I have two Microsoft Exchange accounts (two different companies). One company it gave me the option of "Security Key or Passkey" (did NOT say "(Preview)" on it, so it appears it was out of "preview". But after I created it, I went back to get a screenshot and that option then disappeared, leaving only "Security Key" or "Passkey in Microsoft Authenticator"). The other company it didn't have that "Security Key or Passkey" option, so I had to use "Security Key" and then selected either "USB device" or "NFC device" (both worked with 1Password).
For the "Security Key or Passkey", I was able to set it up on an iPhone using 1Password as the passkey provider.
But for the "Security Key" option, I had to do it via a PC (I was using Firefox, if it mattered with the 1Password Extension set as Firefox's default password manager). If I attempted in iPhone using the "Security Key" option it asked me to connect the device to the phone, it wouldn't prompt to save it in 1Password, even with that being my iPhone's default Passkey provider (I am not using iCloud Keychain).
NOTE: it was giving an error at first, if "Enforce Attestation" was enabled. But when I turned that off (I am an admin for both companies), and also turned off "Enforce Key Restrictions", then it worked. This was even when I had the AAGUID for 1Password in the "allowed" list, but the warning still said that "my organization" didn't allow it.
- duscu, New Contributor
Just confirming this worked. For me it even worked with key restriction on (but yes, attestation needs to be off). I used this AAGUID: bada5566-a7aa-401f-bd96-45619a55120d
I just wonder if it will ever support the attestation. For physical keys it's up to the vendors to provide the data to Microsoft. Not sure this is even possible for Synced keys.
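As an added illustration (not code from 1Password, Microsoft or anyone in this thread) of why the two admin toggles behave differently: the registration's authenticatorData carries the AAGUID that "Enforce Key Restrictions" checks, while "Enforce Attestation" depends on the attestation statement format, which a synced provider may report as "none". The policy logic is a simplified assumed model of those toggles, and the sample authData and RP ID are constructed.

```python
import hashlib
import struct
import uuid

# AAGUID quoted in the thread for 1Password passkeys
ONEPASSWORD_AAGUID = "bada5566-a7aa-401f-bd96-45619a55120d"
FLAG_AT = 0x40  # authenticatorData flag: attested credential data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse WebAuthn authenticatorData far enough to recover the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("truncated credential id")
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
            "aaguid": str(aaguid), "credential_id": cred_id}


def evaluate_policy(auth_data, attestation_fmt, enforce_attestation,
                    enforce_key_restrictions, allowed_aaguids):
    """Simplified model (an assumption, not Microsoft's code) of the two Entra
    FIDO2 policy toggles discussed in the thread. The attestation check runs
    first, so an allow-listed AAGUID does not rescue a registration that
    carries no attestation statement."""
    parsed = parse_authenticator_data(auth_data)
    if enforce_attestation and attestation_fmt == "none":
        return False, "rejected: attestation enforced but authenticator sent none"
    if enforce_key_restrictions and parsed["aaguid"] not in allowed_aaguids:
        return False, "rejected: AAGUID %s not in allow list" % parsed["aaguid"]
    return True, "accepted: AAGUID %s" % parsed["aaguid"]


def build_sample_auth_data(aaguid: str) -> bytes:
    """Constructed registration authData (not a real capture) for the given AAGUID."""
    rp_id_hash = hashlib.sha256(b"login.microsoft.com").digest()  # assumed RP ID
    flags = bytes([0x01 | 0x04 | FLAG_AT])  # UP, UV, AT
    sign_count = struct.pack(">I", 0)
    cred_id = b"constructed-credential-id"
    cose_key = b"\xa5\x01\x02\x03\x26"  # placeholder COSE key prefix; not parsed
    return (rp_id_hash + flags + sign_count + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```

This reproduces the thread's observation: with "Enforce Attestation" on, the registration is rejected even when the 1Password AAGUID is on the allow list; with it off, key restrictions alone accept that AAGUID.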
- duscu, New Contributor
Nothing has really changed, it's still limited to device bound passkeys except if you want to use the Microsoft Auth app.
The only thing that changed recently is that passkeys in the Microsoft Auth app have also been enabled for tenants who don't enforce key restrictions.
- portland80, New Contributor
aared Same behavior with my tenant; I tested it. Normally I have a key restriction enabled, but I have the same message with and without restriction. I'll let you know if it should work in my tenant.
- aared, New Contributor
According to the post from Backspaze on Page 2, it should be ready by now (estimated mid-Jan 2025). I'm 99% there but then it fails:
Microsoft admin can enable passkeys through the portal on entra.microsoft.com
and can avoid enabling key restrictions (disabled by default), which allows non-Microsoft-Authenticator passkey creation
and it gets to the last step
but then it fails
- DominicTech, New Contributor
March 1st tomorrow. Still the same problem...
- Global, New Contributor
The update I have from Microsoft support is the following:
"Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts."
The TL;DR is that it is coming, but a date has not yet been set.
- Global, New Contributor
It does look like Passkeys are currently just limited to Microsoft Authenticator.
Having said the above, I have put in a query to Microsoft Support to see if there is any movement on this on the horizon, as a synced Passkey would be very helpful for a lot of us.
- wavesound, Dedicated Contributor
This appears to limit Passkeys to Microsoft Authenticator so we still won't be able to use these in 1Password, no?
- Backspaze, Dedicated Contributor
Microsoft has released more information.
Microsoft Entra: Enablement of Passkeys in Authenticator for passkey (FIDO2) organizations with no key restrictions
Beginning mid-January 2025, after the General Availability of passkeys in the Microsoft Authenticator app, organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions will be enabled for passkeys in the Microsoft Authenticator app in addition to FIDO2 security keys. This update aligns with the broader availability of passkeys in Entra ID, extending from device-bound passkeys on security keys to device-bound passkeys also on user devices. Users who navigate to aka.ms/MySecurityInfo will see "Passkey in Microsoft Authenticator" as an authentication method they can add. Additionally, when Conditional Access (CA) authentication strengths policy is used to enforce passkey authentication, users who don't yet have any passkey will be prompted inline to register passkeys in Authenticator to meet the CA requirements. If an organization prefers not to enable this change for their users, they can work around it by enabling key restrictions in the passkey (FIDO2) policy. This change will not impact organizations with existing key restrictions or organizations that have not enabled the passkey (FIDO2) policy.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): Rollout will happen mid-January 2025.
How this will affect your organization:
Who will be impacted: Organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions set.
Who will not be impacted: Organizations that do not have the passkey (FIDO2) authentication methods policy enabled and organizations that have the passkey (FIDO2) authentication methods policy enabled and have key restrictions set.
What you need to do to prepare:
This rollout will happen automatically with no admin action required. You may want to notify your users about this change and update any relevant documentation as appropriate.