Stay ahead of the curve with the latest news, ideas and resources on all things Identity Assurance and Passwordless.
Microsoft Passkey Provisioning API: Your Questions, Answered
Since Microsoft confirmed general availability of the Passkey Provisioning API, we've heard the same handful of questions from customers, prospects, and partners evaluating what it actually means for their Entra ID environment. Here's what we're telling them.
Eugene Grinvald
7 Min. Read | July 16, 2026
What is the Passkey Provisioning API?
The Passkey Provisioning API enables organizations to issue passkeys to employees directly, instead of relying on each user to set one up through self-service enrollment.
The API is part of Microsoft Graph and gives developers and authentication vendors a way to support passkey provisioning through two core steps:
- Retrieving credential creation options
- Completing registration of the passkey to the user.
In practical terms, this means IT and security teams can issue phishing-resistant credentials without waiting for employees to complete enrollment on their own.
Microsoft’s Passkey Provisioning API makes passkeys easier to issue. HYPR makes them safer to trust.
Why does this matter now?
Microsoft is accelerating the enterprise move away from phishable authentication methods and toward passkeys.
Beginning September 1, 2026, Microsoft says it will begin rolling out passkeys as the default authentication experience in Microsoft Entra ID for users enabled for SMS or voice authentication. Microsoft has also announced that, beginning February 1, 2027, it will retire Microsoft-provided telecom delivery for SMS and voice authentication as a native Entra capability.
That creates a clear call to action for enterprises: passkeys are no longer just a future-state authentication goal. They are becoming the operating model for phishing-resistant access.
But deploying passkeys at enterprise scale requires more than availability. Organizations need a way to issue them consistently, verify the person receiving them, recover them securely, and manage them across the full credential lifecycle.
That is where HYPR adds value.
What does this enable organizations to do?
The general availability of Microsoft’s Passkey Provisioning API gives enterprises a more scalable way to deploy passkeys across the workforce.
Organizations can now support use cases such as:
- Day-one passkey issuance during onboarding: New employees can start with a passkey from the beginning and never use a password.
- Bulk migration to passwordless authentication: IT teams can move large populations to passkeys without depending on voluntary self-enrollment.
- Migration from passwords and legacy MFA: Organizations can replace password-only or password-plus-MFA flows with phishing-resistant, passwordless authentication.
- Help desk-driven enrollment: Support teams can issue or recover access using stronger workflows instead of falling back to password resets.
For Entra ID-based enterprises, this is a major step toward making passkey adoption operationally practical at scale.
What else becomes possible now that the API is generally available?
For HYPR, the API unlocks higher-assurance workflows that go beyond simply creating a credential.
Passkeys are powerful, but organizations also need to know that the right person is receiving the credential. That is where identity verification, credential lifecycle management, and recovery become critical.
With HYPR, organizations can add identity verification before passkey issuance in scenarios such as:
- New employee onboarding: Verify the identity of interns, contractors, and new hires before issuing an enterprise passkey.
- Return-to-work scenarios: Re-verify employees returning from furlough, parental leave, sabbatical, or other extended absences.
- Account recovery: Use identity verification and Temporary Access Passes instead of reverting to passwords or OTP codes when a user loses a device.
- Help desk requests: Confirm user identity before fulfilling high-risk support requests, especially when no prior verified identity exists.
- Third-party and vendor access: Apply verified identity and passkey-based authentication to external users who need higher-assurance access.
The result is not just passwordless authentication. It is passwordless authentication tied to a verified identity.
What is the relationship between the Passkey Provisioning API and Entra ID External MFA?
The Passkey Provisioning API and Entra ID External MFA address different parts of the identity lifecycle.
Microsoft’s External MFA for Entra ID allows third-party authentication providers such as HYPR to operate as native-like authentication methods within Entra ID. These methods can be used across Conditional Access, Privileged Identity Management, Identity Protection, and Microsoft sign-in experiences. HYPR was an early partner and one of the first External MFA providers.
The Passkey Provisioning API addresses a different but related need: credential issuance.
Put simply:
- The Passkey Provisioning API supports the issuance event. It enables a passkey to be created and registered to a user in Entra ID.
- External MFA supports the authentication event. It enables a third-party provider such as HYPR to participate in the sign-in flow.
These are two different points in the identity lifecycle, but they reflect the same strategic direction: Microsoft is opening key identity workflows so enterprises can use specialized providers where higher assurance, flexibility, or broader workforce coverage is required.
Together, these capabilities help organizations overcome several long-standing challenges:
- Identity verification and credential issuance can now be connected. Instead of verifying identity in one workflow and issuing credentials in another, HYPR can help bring those steps together.
- Passkey adoption no longer depends on voluntary self-service enrollment. IT can mandate and manage enrollment at scale.
- Access to Microsoft 365 can be modernized without relying solely on federation or legacy web SSO patterns. Organizations can use OIDC, Conditional Access policies, and session controls across application types.
Why do enterprises need an external option?
Native Entra ID authentication methods can work well for organizations with highly standardized, Windows-centric environments. But many enterprises have more complex realities: mixed device fleets, non-Microsoft operating systems, hybrid identity environments, external workers, contractors, vendors, and multiple identity platforms.
That complexity creates gaps that a single platform may not fully address on its own.
Microsoft’s recent moves show a clear pattern: build and secure the core identity platform, while enabling specialist providers to handle advanced enterprise requirements such as high-assurance identity verification, phishing-resistant authentication, recovery, and lifecycle management.
For organizations with diverse workforces and heterogeneous environments, that flexibility matters.
Will this work for my organization?
For many Entra ID customers, yes. The exact deployment model will depend on your identity architecture, device estate, authentication policies, assurance requirements, and existing credential strategy.
If your organization uses Microsoft Entra ID, including hybrid environments where identities are synced from on-premises Active Directory, this capability is relevant. Microsoft supports passkey, or FIDO2, sign-in for both Microsoft Entra joined and Microsoft Entra hybrid joined devices, with single sign-on extending to on-premises resources.
Because the provisioning API operates on the Entra ID user object, it applies whether the identity originated in the cloud or was synced from on-premises Active Directory.
That makes this announcement relevant to a broad share of the enterprise market, not just a narrow set of cloud-only organizations.
What is the key takeaway?
Microsoft’s Passkey Provisioning API makes it easier to create and assign passkeys to users. That is an important step, but it does not, by itself, answer every enterprise identity question.
A provisioning API can create a credential for a user object. It does not verify who the person is before the credential is issued. It also does not manage the full lifecycle of that credential, including recovery, deprovisioning, audit history, or answering the question: who had access, when, and why?
HYPR closes that gap.
HYPR Affirm verifies identity before a credential is issued, using methods such as document verification, biometric matching, or knowledge-based verification depending on the organization’s assurance requirements. HYPR Authenticate then provisions a FIDO2 passkey or Enterprise Passkey to that verified identity and manages the credential through its full lifecycle, including enrollment, recovery, deprovisioning, and auditability.
This approach works across Microsoft Entra ID, including cloud and hybrid environments, as well as identity ecosystems such as Okta, Ping, and Yubico-backed deployments.
For organizations evaluating Microsoft’s Passkey Provisioning API, the real opportunity is not just issuing passkeys faster. It is issuing them with confidence, tying every credential to a verified identity, and managing that credential securely from onboarding through recovery and deprovisioning.
Microsoft’s API makes passkey issuance scalable. HYPR makes it identity-assured, lifecycle-managed, and enterprise-ready.
To see how HYPR works with Microsoft Entra ID as both an External MFA provider and a complete solution for identity verification, passwordless authentication, and Enterprise Passkeys, explore the HYPR + Entra ID integration or watch a demo.
Eugene Grinvald
Eugene Grinvald is Senior Product Manager for HYPR Authenticate, where he helps shape the future of passwordless authentication and high-assurance identity solutions. With a background in authentication, identity, and enterprise access, Eugene is passionate about building products that strengthen security while delivering seamless user experiences. At HYPR, he focuses on solving complex identity challenges for modern enterprises.
Related Content