Huge Entra Passkeys changes – Part 2

In Part 1 we looked at how enabling synced passkeys in Entra immediately enables support for iCloud Keychain and Google Password Manager in addition to the Microsoft Authenticator mobile app. We also talked about how it can potentially provide an intruder with an additional attack vector, as securing the passkey provider

So for my last post in 2025, I want to share that Microsoft’s announcement also pointed to other providers, and this is where things get really interesting. Bitwarden and 1Password aren’t just password managers anymore! They’re now part of the passkey ecosystem in Entra. That means if your organization already relies on one of these vaults, you don’t have to bend workflows or retrain users to fit into Apple or Google’s world. Instead, Entra meets you where you (hopefully) are.

Passkey managers everywhere!

When Microsoft dropped the news at Ignite 2025, the headline wasn’t just “passkeys are syncable.” The real kicker was who they’re syncing with. We’re no longer locked into the Microsoft Authenticator app, Apple’s iCloud Keychain or Google’s Password Manager! The announcement explicitly listed 1Password and Bitwarden as supported providers. That’s huge. Suddenly, passkeys aren’t just a neat demo tied to your phone’s ecosystem; they’re becoming a cross‑platform reality.

Synced passkeys are stored in platform or with other passkey providers such as Apple iCloud Keychain, Google Password Manager, 1Password, or Bitwarden

Think about it: If you’re already using 1Password for work credentials, or if your family shares vaults in Bitwarden, you don’t have to juggle two worlds anymore. Entra is saying, “bring your provider of choice, we’ll meet you there.” That’s a big shift from the old days of siloed identity, and it makes recovery, portability, and day‑to‑day usability way less painful.

Of course, flexibility cuts both ways. Each provider has its own sync model, its own account recovery story, and its own security posture. So yes, this is exciting, but it also means your organization’s risk profile now depends on which vault your users trust. Passkeys in Entra aren’t just a niche anymore. With 1Password and Bitwarden joining Apple and Google, they’re becoming a real ecosystem. 😲

Now, the wording in the announcement is “passkey providers such as…,” which to me reads more like examples than a hard, final list. In other words, Microsoft is pointing at iCloud Keychain, Google Password Manager, 1Password, and Bitwarden as the obvious ones today, but not necessarily saying only those will ever work. That’s an important nuance: It sets the expectation that support could expand, but it also means we shouldn’t assume every vault out there is plug‑and‑play just yet. I’ve tested with NordPass for several tenants without any luck, but I’ve seen screenshots of other people making it work.

So for now, the safe takeaway is that Entra is officially embracing multiple providers, and that alone is a big step forward.
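Because the risk profile depends on which vault each user picked, it helps to inventory registered passkeys by provider. The sketch below is an added example, not part of the original post: it groups records shaped like Microsoft Graph `fido2AuthenticationMethod` objects by their `aaGuid` and lists passkeys from providers outside an approved list. The AAGUID values, user names and the `audit_passkeys` helper are constructed for illustration.

```python
from collections import defaultdict

# Assumption: placeholder AAGUIDs, constructed for this example. Replace them
# with the values your tenant reports for the providers you have approved.
APPROVED = {
    "00000000-0000-0000-0000-0000000000a1": "Microsoft Authenticator",
    "00000000-0000-0000-0000-0000000000b2": "Bitwarden",
}

# Constructed sample: per-user records shaped like Graph fido2AuthenticationMethod.
SAMPLE_EXPORT = {
    "alex@contoso.example": [
        {"displayName": "Authenticator", "createdDateTime": "2025-12-01T08:00:00Z",
         "aaGuid": "00000000-0000-0000-0000-0000000000a1"},
        {"displayName": "Bitwarden", "createdDateTime": "2025-12-18T09:30:00Z",
         "aaGuid": "00000000-0000-0000-0000-0000000000B2"},  # upper-case on purpose
    ],
    "kim@contoso.example": [
        {"displayName": "My vault", "createdDateTime": "2025-12-19T14:05:00Z",
         "aaGuid": "00000000-0000-0000-0000-0000000000c3"},
        {"displayName": "Old key", "createdDateTime": "2025-11-02T10:00:00Z",
         "aaGuid": None},
    ],
}


def audit_passkeys(export, approved):
    """Return (user count per provider, passkeys whose provider is not approved)."""
    users_by_provider = defaultdict(set)
    findings = []
    for upn, methods in export.items():
        for method in methods:
            # Compare AAGUIDs case-insensitively; a missing one cannot be attributed.
            aaguid = (method.get("aaGuid") or "").strip().lower()
            provider = approved.get(aaguid, "unapproved")
            if provider == "unapproved":
                findings.append((upn, method.get("displayName"),
                                 aaguid or "missing", method.get("createdDateTime")))
            users_by_provider[provider].add(upn)
    counts = {name: len(users) for name, users in users_by_provider.items()}
    return counts, sorted(findings)


if __name__ == "__main__":
    counts, findings = audit_passkeys(SAMPLE_EXPORT, APPROVED)
    print(counts)
    for finding in findings:
        print("REVIEW:", *finding)
```
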

Practical usage

The neat part here is that bringing Bitwarden or 1Password into the mix as passkey providers doesn’t demand any extra knobs or hidden configuration steps. Once you’ve enabled synced passkeys, using the procedure I walked through in Part 1, you’re essentially ready to go.

🤔 Of course, there’s one obvious prerequisite: You need a valid account with whichever provider you want to use. That’s the anchor point, because Entra isn’t magically provisioning vaults for you. In my case, I already have Bitwarden in daily use, so it makes sense to lean on that for this demo. It keeps things realistic, and it shows how this works in a setup many of us already live in.

First step: Registering an Entra passkey with Bitwarden

In this demo I have a client where the Bitwarden browser extension is installed and signed in.

As always, the end user (Alex) begins in myaccount.microsoft.com, and he adds another MFA method. Just like in Part 1, the user selects “Passkey”.

The wizard pops up and Alex selects “Next”.

Since the Bitwarden extension is active, signed in and unlocked, it automatically pops up and offers to store the passkey. Now Alex simply clicks on “Save passkey as new login”.

Then just give the passkey a display name (or keep the suggested name), click “Next” and “Done”.

And voila! Alex now has an additional passkey, this one is marked as synced and stored in Bitwarden. So far it has been easy, but how about signing in using a passkey?

The very cool result: Using an Entra passkey stored in Bitwarden

This is where the magic happens! With Bitwarden’s browser extension and your passkey stored securely, signing in becomes a one-click wonder!

This is what I consider effortless access with security intact! Alex provides his user name, Bitwarden suggests the corresponding passkey in its vault. Just click to use it and you are signed in! Done! 😍

Sounds too good to be true? Not really, but there are a few things to keep in mind.

In this demo, I focused on showcasing user-friendliness. Bitwarden was already available and unlocked, making sign-in lightning fast. But as I mentioned in Part 1, introducing a third-party passkey provider adds new considerations, both for security and usability.

Think about the details: What happens when the Bitwarden extension locks? How and when do users unlock it? How secure are these extensions? Which browsers are in play? These seemingly small settings matter, and with the users’ passkeys in play, they matter even more. I am not trying to discourage you; I’m trying to help you make an informed decision.

📢 But all in all, I think it is a HUGE step in the right direction!

Final thoughts

Short version: If you use password+MFA in your organization today, switching to passkeys, synced or not, is a HUGE improvement of your identity security! If you can use it, USE IT!

Longer version: Passkeys and password managers like Bitwarden are changing the game for secure, seamless sign-ins. The convenience is undeniable, but it comes with new considerations. When third-party providers enter the mix, we need to think beyond just user experience and dive into security, browser compatibility, extension behavior, and unlock methods. But as I also mentioned in part one, the advantages clearly outweigh the disadvantages!

The takeaway? This isn’t just a feature upgrade; it’s potentially a shift in how we approach identity security. Leave passwords and phish-able MFA in the past and move on to a passwordless and phishing-resistant authentication method. It is here today!!

I truly hope as many as possible will prioritize a shift into passkeys in 2026!

🥳 Merry Christmas and a Happy New Year! 🥳

Author

  • Per-Torben Sørensen has 26 years of experience in IT and Microsoft infrastructure. He is currently an MCT and works as a Senior Architect within M365 at Crayon. His passion is Entra ID and identity and access management, and he helps customers become "copilot-ready". He's also an engaged speaker and is always eager to share his knowledge and learn from others.
