Starting late January 2025, organizations with enabled passkey (FIDO2) policy and no key restrictions will have passkeys in the Microsoft Authenticator app. Users can add this via aka.ms/MySecurityInfo, and it's enforced by Conditional Access policy. Organizations preferring not to enable this can impose key restrictions.
Applies to: Microsoft Entra
Source: mc.merill.net — data via Merill Fernando's open archive (MIT).