Passkey troubleshooting: why Microsoft Entra sign-in fails, and how to fix it
Most Microsoft Entra ID passkey failures map to one of seven specific causes — credential managers fighting over the same account, Bluetooth off during cross-device handoff, Android Work-profile mismatches, missing screen locks, expired sessions, OS versions below the minimum, or registration that quietly landed in the wrong vault. Here is how to recognise each one and the fix that actually resolves it.
"Something went wrong" — the catch-all error
The Microsoft sign-in flow shows a generic "Something went wrong" page when the passkey exchange fails for almost any reason — not just one. The single most common cause is that your credential manager (Microsoft Password Manager, Google Password Manager, iCloud Keychain, Samsung Pass, 1Password) already holds an old passkey for this account and is offering the wrong one. The browser asks Entra to verify it, Entra rejects it, and the prompt fails generically.
Fix: open aka.ms/mysecurityinfo, scroll to the Passkey sign-in methods, and delete any entries you no longer use. Then retry sign-in and carefully pick the right credential when the OS picker appears. On Android, if Samsung Pass appears at the top of the picker but your active credential lives in Microsoft Authenticator, tap "Use a different passkey" first.
Cross-device handoff fails silently
On a Mac or Windows PC, signing in with a passkey stored on your phone uses a cross-device authentication QR code: the laptop renders the QR code, you scan it with your phone, and the credential exchanges over Bluetooth. If the QR scan completes but nothing happens, or the laptop just times out, check three things:
- Bluetooth is on at both ends. The browser on the laptop and the OS on the phone both need Bluetooth enabled. Most laptops have it on by default; some corporate Windows builds turn it off in Group Policy.
- Both devices are near each other. The Bluetooth handshake is line-of-sight and short-range. If your phone is in another room you may see no error, just a stalled prompt.
- Both devices have internet. Bluetooth carries the proof-of-presence signal but the credential itself flows over the network. A phone on cellular is fine; a phone on captive Wi-Fi without auth is not.
Android Work profile cannot see Personal-profile passkeys
Android keeps Work and Personal profile data separate, including passkeys. If a user registered a passkey using their Personal profile's Chrome (because the camera or Authenticator they used was on the Personal side), the credential is stored in the Personal profile's credential manager and the Work profile cannot see it. The user sees "We couldn't sign you in" or no passkey suggestion at all.
Fix: open the Work profile's Authenticator (the one that signed in with the work email), navigate to aka.ms/mysecurityinfo from the Work profile's browser, and re-register the passkey from there. Delete the Personal-profile registration from Entra to keep the security info clean.
Synced passkeys are missing without a screen lock
iCloud Keychain, Google Password Manager, and Samsung Pass all suppress passkey suggestions on devices with no screen lock. The reasoning is that a synced passkey without an unlock barrier is the equivalent of a password file lying open on a public computer — the OS refuses to make it usable until the device is reasonably protected.
Fix: set a PIN, fingerprint, or facial-recognition lock on the device, and the synced passkeys reappear in the picker on the next attempt. On managed Windows machines, this is usually already enforced by Conditional Access; the gap shows up on BYOD or kiosk-style configurations.
The session expired between registration and first sign-in
Some users register a passkey successfully, close their laptop, and try to sign in days later — only to be told to verify with another method. Entra's session token for the registration step is short-lived. If the registration browser session expired before the credential was used for sign-in, the credential is still valid but the sign-in flow may demand re-validation through MFA first.
Fix: sign in once with the existing MFA method (push, OTP, security questions), then retry the passkey on the next sign-in. Most users only need to do this once per registration.
iOS or Android version below the minimum
Microsoft Authenticator passkey support requires iOS 17.4 or later and Android 14 or later. On older OSes the Settings toggle for Authenticator-as-passkey-provider does not exist, and the registration flow stalls at the "Allow Authenticator to autofill" step. The error is generic; the cause is operating-system version.
Fix: update the OS. If the device is on the most recent supported version of an older line and cannot be updated (some enterprise-locked Android builds), fall back to a hardware FIDO2 key for that user instead of an Authenticator passkey.
Registration silently landed in the wrong credential vault
On Samsung One UI, the OS credential picker can default to Samsung Pass even when the end user thought they were registering with Microsoft Authenticator. The registration succeeds, but the passkey lives in Samsung Pass — and if the tenant requires attested / device-bound credentials, that credential is not accepted at sign-in.
Fix: on the Samsung phone, go to Settings → General management → Passwords, passkeys and autofill → Passkeys → Choose default passkey service → Microsoft Authenticator. Delete the misplaced registration from Entra security info. Re-register from inside Authenticator. Full detail is in the Samsung Pass and Entra ID passkeys guide.
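An admin-side check for the wrong-vault case above and the stale-credential case from the first section, added here as an example (not code from the original guide or from Microsoft): it reads a user's registered passkeys in the shape returned by Microsoft Graph's `GET /users/{id}/authentication/fido2Methods` and flags entries to review. It assumes the tenant intends every passkey to live in Microsoft Authenticator; the sample response, the function name `audit_passkeys` and the finding labels are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Microsoft Authenticator AAGUIDs as listed in Microsoft's Entra passkey documentation.
AUTHENTICATOR_AAGUIDS = {
    "de1e552d-db1d-4423-a619-566b625cdc84",  # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator for iOS
}

# Constructed sample in the shape of GET /users/{id}/authentication/fido2Methods.
# Ids, display names, dates and the third AAGUID are made up for illustration.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "m1", "displayName": "Pixel work profile",
     "aaGuid": "de1e552d-db1d-4423-a619-566b625cdc84",
     "attestationLevel": "attested", "createdDateTime": "2026-01-10T09:00:00Z"},
    {"id": "m2", "displayName": "Pixel (earlier attempt)",
     "aaGuid": "DE1E552D-DB1D-4423-A619-566B625CDC84",
     "attestationLevel": "attested", "createdDateTime": "2025-09-02T14:30:00Z"},
    {"id": "m3", "displayName": "Galaxy phone",
     "aaGuid": "00000000-0000-4000-8000-000000000001",
     "attestationLevel": "notAttested", "createdDateTime": "2026-02-01T08:15:00Z"},
]})

def _created(method):
    # Graph returns ISO 8601 timestamps with a trailing Z.
    return datetime.fromisoformat(method["createdDateTime"].replace("Z", "+00:00"))

def audit_passkeys(response_json, require_attestation=True):
    """Return (method id, finding) pairs for a helpdesk agent to review."""
    methods = json.loads(response_json).get("value", [])
    findings, by_provider = [], defaultdict(list)
    for m in methods:
        aaguid = (m.get("aaGuid") or "").lower()
        by_provider[aaguid].append(m)
        if aaguid not in AUTHENTICATOR_AAGUIDS:
            findings.append((m["id"], "wrong-vault"))    # not stored in Authenticator
        if require_attestation and m.get("attestationLevel") != "attested":
            findings.append((m["id"], "not-attested"))   # fails if the tenant enforces attestation
    for group in by_provider.values():
        newest = max(group, key=_created)
        # Older registrations from the same provider are only candidates for
        # deletion; confirm with the user before removing them.
        findings += [(m["id"], "possible-stale") for m in group if m is not newest]
    return findings

if __name__ == "__main__":
    for method_id, finding in audit_passkeys(SAMPLE_RESPONSE):
        print(method_id, finding)
```

Pass `require_attestation=False` for tenants that do not enforce attestation, so only vault and duplicate findings are reported.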
The helpdesk runbook
For IT teams running a rollout, the script that resolves ~80% of inbound passkey tickets in the first 48 hours is:
- "Which device are you on, and what OS version?" — captures the OS-floor case.
- "Did you set up the passkey just now, or earlier?" — captures the expired-session case.
- "Does the OS picker show 'Microsoft Authenticator' as the default passkey service?" — captures the Samsung-Pass case.
- "If you are on Android, are you in your Work profile right now?" — captures the profile-mismatch case.
- "Can you delete any passkeys you no longer use, then try once more?" — captures the stale-credential case.
How SetupPasskeys reduces the volume in the first place
Most of the failures above happen because users follow generic instructions on a device the instructions were not written for. The SetupPasskeys branded guide is device-aware: it detects the visitor's exact phone or laptop and walks them through the right OS picker, the right Settings toggle, and the right credential vault. Optional AI screenshot troubleshooting catches the long tail of edge cases the standard flow does not anticipate — the user uploads a screenshot of the error and gets a specific next step.
Last reviewed 25 April 2026. See also the Entra ID passkey rollout guide for policy / Conditional Access detail and the Microsoft Authenticator setup guide for the registration steps that produce the credentials this guide troubleshoots.