In a startling development that has sent ripples through the cybersecurity community, threat actors are now masquerading as legitimate Microsoft Entra ID administrators to enroll fraudulent passkeys on behalf of unsuspecting users. This social‑engineering technique enables them to bypass traditional multi‑factor authentication (MFA) controls and obtain persistent, high‑privilege access to Microsoft 365 services such as Exchange Online, SharePoint, and Teams. The incident, disclosed by Microsoft’s threat intelligence team earlier this week, underscores a critical shift: attackers are moving away from credential‑theft toward manipulating identity‑centric enrollment flows.

How Passkey Enrollment Works

Before diving into the abuse, it helps to understand the legitimate Entra ID passkey registration process. When a user opts to create a passwordless sign‑in method, Entra ID generates a public‑key credential that is stored in the user’s device‑level authenticator and linked to the user’s Object ID. The service records the credential’s attestation format, the authenticator’s issuer, and a unique signature. During subsequent logins, the relying party (Microsoft 365) challenges the authenticator with a cryptographic nonce, and the stored credential signs the challenge to prove ownership. Because the enrollment flow is heavily automated, users often simply approve the request without scrutinizing the originating source.

Why Attackers Target Passkeys

Passkeys offer several security advantages over conventional passwords: they are resistant to phishing, cannot be reused across sites, and are tied to the device’s hardware root of trust. However, these same features make them attractive to adversaries who have already mastered credential‑less infiltration techniques. By inserting a malicious passkey enrollment, an attacker can:

  • Bypass MFA challenges because the signed response is accepted as a legitimate authentication factor.
  • Persist long‑term access — the credential remains valid until manually revoked, outliving session tokens.
  • Leverage privileged accounts if the compromised user belongs to an elevated role, granting the attacker extensive permissions.

Technical Breakdown of the Attack Flow

The typical attack unfolds in four stages:

  1. Reconnaissance – Threat actors gather information on target users, often through open‑source intelligence (OSINT) or prior phishing campaigns.
  2. Social Engineering – Using convincing email or chat messages, the attacker convinces the user to approve a "passkey registration" request, frequently disguising it as a routine security update.
  3. Enrollment Injection – The attacker registers a new passkey under the victim’s user object via the Entra ID admin console or a compromised privileged account.
  4. Exploitation – The newly created passkey is used to authenticate silently in future sessions, circumventing detection mechanisms that rely on password or OTP activity.

Practical Mitigation Checklist

IT administrators and business leaders can significantly reduce the risk of this attack vector by implementing the following controls. Execute each step in the order presented to ensure a layered defense.

  • Audit and Restrict Passkey Enrollment Permissions: Only allow members of a designated security team to initiate new passkey registrations. Review the default “User can add security information” setting in Entra ID and disable it for standard users.
  • Enforce Multi‑Factor Authentication for Sensitive Actions: Require MFA for any request that modifies authentication methods, especially when performed from unmanaged devices or external IP ranges.
  • Enable Conditional Access Policies: Create policies that block authentication flows originating from locations or devices not marked as compliant.
  • Deploy Continuous Monitoring and Alerts: Use Microsoft Defender for Cloud Apps to flag unusual passkey enrollment events, especially those accompanied by anomalous sign‑in patterns.
  • Conduct Regular Identity Hygiene Reviews: Periodically export the list of registered authenticators for each user and verify that only authorized credentials exist.
  • Educate End Users: Provide targeted training that explains the risks of approving unknown security prompts and encourages verification of the source before granting access.

Conclusion

The emergence of fake Entra ID passkey enrollments illustrates how attackers continuously adapt to newer security paradigms. While passkeys themselves represent a strong technical improvement over passwords, their enrollment process must be rigorously controlled and monitored. By adopting strict permission models, enforcing MFA for configuration changes, and fostering a culture of vigilance among end users, organizations can stay ahead of these evolving threats. Ultimately, partnering with seasoned IT management professionals ensures that identity safeguards are not only robust but also proactively maintained, delivering both security resilience and operational confidence.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.