Before deploying a single Conditional Access policy, three things have to be in place: two break-glass accounts with FIDO2 keys, a clean exclusion group pattern, and sign-in logs wired to alerts. Part 2 of the series — the foundations that stop a misconfigured policy from becoming a business-hours incident.

Microsoft Entra ID passkey profiles reached GA in 2026, and tenants with FIDO2 already enabled may have been migrated automatically. This article explains what changed, how device-bound and synced passkeys differ, and the key settings to review now.

MFA enabled does not equal identity protected. Learn how to design phishing-resistant access using Microsoft Entra ID, Authentication Strengths, and Conditional Access to defend against AiTM and MFA fatigue attacks.