We want to roll out FIDO2 or passkeys, how to start small?

Don't start with everyone at once. Start with admins and the people with access to banking, accounting and source code. Then a voluntary rollout for the rest. No push and it never happens, too much push and the helpdesk drowns.

Try this first

1. 1Enable FIDO2 as a method in Entra, Protection, Authentication methods, FIDO2 security key. Set 'Allow self-service set up' to Yes and decide whether you want AAGUID restrictions (YubiKey only, Feitian only, etc).
2. 2Pilot with five to ten people: every Global Admin, the finance lead, a power user, yourself. Give each at least two keys (one for the bag, one for the desk).
3. 3Build a Conditional Access policy with Authentication Strengths 'Phishing resistant MFA' for admin roles. From then on, admins cannot sign in with Authenticator push anymore, only FIDO2 or Windows Hello for Business.
4. 4For the wider org: enable passkey in Authenticator (the free option without hardware keys) and let users register themselves via aka.ms/mysecurityinfo.
5. 5Document the break-glass path: if the FIDO2 keys are lost, how does someone get back in? A second backup key in a safe on-site is more practical than a recovery procedure nobody has tested.

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.