Why does Samsung Pass intercept the Microsoft passkey prompt on Galaxy phones?

Samsung One UI promotes Samsung Pass to the top of the OS credential picker and on some versions auto-selects it. Without an explicit Choose default passkey service change in Settings, the passkey lands in Samsung Pass instead of Microsoft Authenticator, and the user cannot subsequently sign in with that credential against Entra ID.

How do I make Microsoft Authenticator the default passkey service on Samsung?

Open Settings → General management → Passwords, passkeys and autofill → Passkeys, then tap Choose default passkey service and select Microsoft Authenticator. The Authenticator app must be installed and signed in to your work account first.

Does Samsung Pass work with Microsoft Entra ID passkeys?

Yes — Samsung Pass passkeys are FIDO2 credentials and Entra ID accepts them. They are synced across the user's Samsung account. Tenants that require attested or device-bound credentials should set policy to Microsoft Authenticator only and follow Path A in this guide.

← Back to home

Guide · Samsung

Samsung Pass and Entra ID passkeys: the conflict, and the fix

If your Microsoft Entra ID passkey rollout is "working on iPhone and Pixel but not on Galaxy", this is almost certainly Samsung Pass intercepting the credential prompt. Here is what is actually happening, and the exact steps end users and IT teams need to register a passkey on a Samsung One UI device.

What Samsung Pass is, and why it intercepts the flow

Samsung Pass is the credential vault built into One UI — Samsung's Android skin. It is the Galaxy equivalent of iCloud Keychain or Google Password Manager: it stores passwords, autofills login forms, and (since One UI 6.1) registers and uses passkeys.

On a stock Pixel running Google's Android, when an app or web page calls the passkey API, the OS shows a credential picker that asks the user where to store the new credential. The default is Google Password Manager; the user can pick any installed credential provider. On a Galaxy phone running One UI, Samsung promotes Samsung Pass to the top of that picker, and on some One UI versions auto-selects it unless the user has explicitly added another provider as the preferred default.

The user thinks they are following the Microsoft instructions. Their phone is registering the passkey into Samsung Pass instead. From the user's perspective, "it worked" — they got a confirmation. From Microsoft's perspective, the registration landed against a credential the Microsoft app cannot subsequently read, and the user cannot sign in with it the next day. This is the most common cause of "passkey registration tickets, but only from Galaxy users".

The two clean paths on Samsung One UI

You have two options for an Entra ID passkey on Samsung. Pick one and standardise.

Path A — Authenticator app (recommended for IT-managed rollouts)

Best when you want the passkey to live in Microsoft Authenticator alongside the device-bound MFA credential. The user can sign in to Microsoft 365 and other Entra apps without leaving the Microsoft credential surface.

Install Microsoft Authenticator from the Galaxy Store or Play Store. Sign in with the work account at least once so the device is registered.
On the Galaxy phone, go to Settings → General management → Passwords, passkeys and autofill → Passkeys. Tap Choose default passkey service and select Microsoft Authenticator.
Open aka.ms/mysecurityinfo in the phone's browser. Sign in. Tap Add sign-in method → Passkey. When the OS credential picker appears, Authenticator should be pre-selected.
Confirm in the Authenticator app with the device biometric. Done — the passkey now lives in Authenticator on this Galaxy device.

Path B — Samsung Pass (works, but check tenant policy first)

Acceptable for general-staff rollouts where convenience trumps the small operational upside of having every passkey in one Microsoft surface. Not acceptable in tenants that require attested or device-bound credentials — Samsung Pass passkeys are synced.

On the Galaxy phone, go to Settings → Security and privacy → Samsung Pass. Set up Samsung Pass with the device biometric if you have not already.
Set Settings → General management → Passwords, passkeys and autofill to Samsung Pass as the default.
Open aka.ms/mysecurityinfo. Sign in. Tap Add sign-in method → Passkey. The OS picker shows Samsung Pass; confirm.
The passkey now lives in Samsung Pass and syncs to other Galaxy devices the user has signed into with the same Samsung account.

The five things that go wrong on Galaxy phones

"Choose default passkey service" was never set. One UI defaults to Samsung Pass in many versions. Without the explicit choice, registration may land there even when the user thought they picked Authenticator.
Samsung Pass was set up for one user but the phone is now used by another. Galaxy phones in IT inventory sometimes carry the previous owner's Samsung Pass. The new user is prompted to authenticate, fails, and aborts the registration without realising the prompt is from Samsung Pass, not Microsoft.
Older One UI version. Passkey registration is reliable on One UI 6.1 and later (Android 14 base). One UI 5.x and earlier have known regressions with the credential picker. Upgrade the device or fall back to a different vendor.
Knox-managed devices with restricted services. If the Galaxy phone is enrolled in Samsung Knox / Knox Manage with a profile that disables Samsung Pass or the credential picker, registration silently fails. Coordinate with the MDM owner before the rollout.
Browser choice. On Galaxy, the Samsung Internet browser sometimes handles the WebAuthn handoff differently from Chrome. If a user reports a stalled registration, ask them to retry in Chrome or Edge before escalating.

Helpdesk script for "I'm on Samsung and it didn't work"

"Which One UI version is your phone on?" If 5.x or older, schedule an OS update before continuing.
"Open Settings, search for 'passkey', and tell me what's listed under default passkey service." Confirm Authenticator (or Samsung Pass, per your standard).
"Open Authenticator and tap your work account — does it say 'You're signed in' at the top?" If not, sign in first.
"In Chrome, open aka.ms/mysecurityinfo. Tap Add sign-in method, Passkey. What does the picker show?" If the picker shows the wrong default, walk them through the Settings change.
"Confirm with your fingerprint when Authenticator pops up." Successful registration should complete within seconds.

How SetupPasskeys handles Samsung

The SetupPasskeys branded guide detects Samsung One UI by user agent and device-capability hints, and walks the user through Path A (Authenticator) by default — including the "Choose default passkey service" detour that the standard Microsoft documentation does not mention. If the tenant has opted to allow Samsung Pass, the guide branches to Path B with appropriate messaging.

Helpdesk staff get a single URL to send Galaxy users to. End users get device-specific screenshots and exact tap targets — not a "depending on your device" paragraph that leaves them guessing.

See the Samsung walkthrough

Type your company domain and switch to a Samsung emulator on the demo page to see the exact screens your Galaxy users would walk through.

Try the branded demo → Talk to us

Last reviewed 25 April 2026. Samsung One UI behaviour changes between major releases; verify your test device's behaviour against the current One UI version before finalising rollout copy. See the Entra ID passkey rollout guide for the broader rollout context.