AuthPoint Passkeys for OIDC: Open Beta Now Available

Modern identity security relies on standardized, interoperable protocols. To help you centralize control and eliminate authentication silos, we are excited to announce that AuthPoint now supports OpenID Connect (OIDC) as a new resource type, currently in Beta.

By acting as an OpenID Provider (OP), AuthPoint allows you to extend MFA and robust conditional access policies to a wider range of modern SaaS platforms and custom-built applications.

Why OIDC Matters for Your Security Posture

While SAML has long been the enterprise standard, OIDC (built on top of OAuth 2.0) is the preferred choice for modern web and mobile applications due to its lightweight JSON-based structures and better support for API-driven environments.

Joining the beta program is quick and easy. To get started, simply visit our beta management site where you will find instructions to download the new agent and begin testing.

Join the beta and share your suggestions and feedback! 
The AuthPoint beta team. 

Starting January 15, 2026, a new version of AuthPoint will be available introducing Unify Identity Management with Microsoft Entra ID Synchronization (DDS). This release advances our identity strategy in WatchGuard Cloud by using Directories and Domain Services (DDS) as the identity hub—beginning with Microsoft Entra ID synchronization—so partners can manage users and groups more consistently across services.

Why we’re doing this

Identity is the control plane for modern security. But when user and group management is fragmented across tools, it creates friction for IT teams and increases the risk of misaligned access decisions. With this release, WatchGuard is moving forward with DDS as the centralized identity foundation in WatchGuard Cloud, starting with Entra ID synchronization.

What’s changing

With this update, Entra ID users and groups are managed through WatchGuard Cloud DDS, allowing identity data to be used more consistently across WatchGuard Cloud services. Entra ID remains the authoritative source of truth; DDS reflects and organizes that identity data so services can stay aligned as Entra ID changes over time (user adds/removes, group updates).

Who is impacted

This update is especially relevant for partners who:

• synchronize identities from Microsoft Entra ID for AuthPoint

What partners need to do

Impacted tenants should complete the required configuration updates to move to the DDS-based approach and validate expected results

Two implementation paths (pick the one that matches your tenant)

• New configuration: You’re setting up Entra ID synchronization via DDS for the first time in a tenant.
• Convert existing configuration: You have an existing Entra ID-related configuration and need to transition to the DDS-based approach.

Validation checklist (recommended)

After completing the updates, validate that:

• the correct users and groups are present
• group memberships match expectations
• AuthPoint authentication flows and any identity-dependent behavior work as intended

Timeline and planning guidance

There is no required deadline for the rollout at this time. If you leave your current configuration as-is, it should continue to work until you are ready to migrate. That said, we strongly recommend planning the migration as soon as practical so you can benefit from the DDS-based synchronization improvements and ensure your configuration stays aligned with the latest supported approach. If a hard migration date is introduced in the future, WatchGuard will share a follow-up announcement in advance.

For MSPs, we recommend a phased rollout: start with a low-risk tenant, validate outcomes, then expand to additional tenants.

Official guidance and resources

Use the resources below to plan and execute the update:

• Step-by-step guide (start here)
• Training video
• WatchGuard Cloud help topics:
  • Add an Authentication Domain to WatchGuard Cloud
  • Configure a directory sync
  • Set up an external identity with a group sync
• AuthPoint release notes

Need help?

If you have questions or want help planning the update—especially across multiple tenants—contact your WatchGuard Account Manager or trusted Sales Representative, or use the Support resources above.

In early 2026, we will introduce an update that enhances the synchronization of Microsoft Entra ID users and groups through WatchGuard Cloud Directories and Domain Services (DDS), enabling more consistent identity use across AuthPoint and FireCloud.

Why This Matters

• Single source of truth: Avoid identity silos—Entra ID becomes the definitive authority for user/group data across your security stack.
• Improved operational efficiency: Reduce manual overhead and security risks through automated synchronization.
• Stronger security posture: Enforce MFA and Zero Trust policies consistently across AuthPoint and FireCloud.

Benefits for AuthPoint & FireCloud

• Zero Trust for FireCloud: Use synchronized Entra ID users and groups to define granular, consistent access policies, for both MFA or non-MFA users.

What’s changing

• Centralized identity hub: Entra ID users and groups are managed through DDS for use across WatchGuard Cloud services (including AuthPoint and FireCloud).
• Lifecycle consistency: Entra ID updates (adds/removes/group changes) are reflected through DDS to help keep identities aligned across services.
• This release introduces changes in how Entra ID users and groups are managed across WatchGuard Cloud services.

What you need to do now

• No action is required at this time.
• We’ll share step-by-step guidance, migration recommendations, and supporting resources closer to release.

Continue exploring the beta and review enablement details here. Additional updates, documentation, migration guidance, and support resources will be available closer to the early 2026 release.