VYPR
Advisory · Published Jun 2, 2026 · 1 source

Microsoft Entra Enhances Identity Security with Passkeys and Linux MFA

Microsoft Entra rolls out phishing-resistant MFA for Linux desktops and introduces passkey support to bolster zero trust strategies and simplify identity management.

Microsoft has significantly bolstered its Entra identity and network access platform with a suite of new features aimed at strengthening zero trust architectures and improving user experience. Over the past month, the company has pushed several updates, including phishing-resistant multi-factor authentication (MFA) for Linux desktops, expanded passkey support, and streamlined governance capabilities.

The most notable addition is phishing-resistant MFA on Linux desktops, supported on Ubuntu 24.04 and 26.04 and on RHEL 8, 9, and 10. The feature is delivered through the Microsoft identity broker and brings Linux up to par with the existing Windows and macOS support, so authentication behaves consistently across operating systems.

To further strengthen authentication, Microsoft Entra is adding passkey registration campaigns: administrators can prompt users to register passkeys, including FIDO2 credentials, during sign-in. Users can also register device-bound passkeys using Windows Hello, enabling phishing-resistant logins with biometrics or a PIN, even on devices that are not joined to or registered with Microsoft Entra. This move aligns with the broader industry trend toward passwordless authentication.

For large organizations, the new High Scale Compatibility (HSC) mode for Azure AD B2C customers facilitates smoother migration to Microsoft Entra External ID. This mode allows organizations with millions of objects to transition applications without requiring users to re-register or reset passwords, minimizing disruption. System-preferred authentication is also being rolled out, enabling the service to automatically select the highest-ranked authentication method available for each user, optimizing both security and convenience.

In terms of governance and management, Microsoft Entra now allows for the synchronization of security groups and memberships between tenants, enabling centralized management and consistent access control. Administrators can also view all accounts within connected applications, including orphaned accounts, through discovery reports, helping to identify and address access gaps. The App Deactivation feature provides a secure way to disable applications without deletion, preserving configuration data for security investigations or temporary suspensions.

New features in public preview include domain-less SAML federation for workforce tenants, which simplifies sign-in for external users by removing the need for email domain matching. Sensitivity labels for Entra security groups are also in preview, allowing administrators to apply Microsoft Purview labels to security groups for consistent governance. Additionally, Device Soft Delete offers a recoverable state for deleted devices, mitigating the risk of accidental data loss.

Microsoft is also refining policy enforcement: starting July 6, 2026, Conditional Access policies will apply during registration for Windows Hello for Business and macOS Platform SSO. This ensures that users meet specific security requirements, such as MFA or device compliance, before completing registration for these authentication methods.

These comprehensive updates underscore Microsoft's commitment to advancing identity security and enabling organizations to build resilient zero trust environments. By expanding support for modern authentication methods like passkeys and extending robust security features to diverse platforms like Linux, Microsoft Entra aims to provide a more secure, flexible, and user-friendly identity management experience.

Synthesized by Vypr AI