Microsoft Makes Passkeys the Default in Entra ID as SMS and Voice MFA Near Retirement
Microsoft will make passkeys the default authentication experience in Microsoft Entra ID starting September 1, 2026, as it prepares to retire its native SMS and voice authentication delivery.
Users currently enabled for SMS or voice will automatically become eligible for passkeys. After completing multifactor authentication, they will see a prompt encouraging them to register a passkey.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The change does not immediately remove passwords from every Entra ID account. Microsoftโs passkeys announcement focuses on replacing phishable SMS and voice methods with passkeys or another phishing-resistant option.
Passkey registration prompts begin September 1
Users enabled for SMS or voice through the Entra Authentication Methods Policy or legacy MFA settings will automatically be enabled for passkeys. Microsoft will also change the tenantโs registration campaign to a Microsoft-managed state for those users.
When an affected user next signs in and completes MFA, Entra ID will prompt that person to register a passkey. The September prompt will not initially block access.
Microsoftโs SMS and voice retirement documentation states that users will have unlimited opportunities to snooze the registration prompt during the transition period.
| Date | Entra ID change | Required action |
|---|---|---|
| August 1, 2026 | Temporary opt-out support becomes available | Use it only while completing another migration plan |
| September 1, 2026 | SMS and voice users become enabled for passkeys and receive registration prompts | Prepare policies and notify affected users |
| September 18, 2026 | Microsoft publishes telecom providers, guidance, pricing, and commercial terms | Evaluate providers if SMS or voice must remain |
| October 30, 2026 | Administrators can configure a supported telecom provider | Test the provider with a pilot group |
| February 1, 2027 | Microsoft-provided SMS and voice delivery ends | Complete migration or configure a customer-managed provider |
| After February 1, 2027 | Remaining SMS or voice-only users receive a blocking passkey prompt | Register a passkey before continuing to sign in |
Administrators can temporarily delay the September changes
Microsoft plans to provide an API-based temporary opt-out starting August 1. This option will let an organization delay automatic passkey enablement and registration campaign changes while it completes transition work.
For example, an administrator may need more time to deploy another phishing-resistant method or arrange a customer-managed telecom provider. The temporary option does not extend Microsoftโs native SMS and voice service beyond February 1.
After the deadline, tenants without a configured telecom provider will lose Microsoft-provided SMS and voice delivery. Users whose only available MFA method is SMS or voice will receive a blocking prompt and must register a passkey before continuing.
Microsoft will stop providing SMS and voice codes
Microsoft currently handles the telecom delivery behind native SMS and voice authentication in Entra ID. That service will end on February 1, 2027.
Organizations that still need these methods for regulatory, operational, technical, or business reasons can contract with a supported telecom provider through the Microsoft Security Store.
Microsoft will publish the provider list and commercial details on September 18. Administrators will be able to select and configure a provider beginning October 30, with costs varying by carrier, region, message volume, and geographic distribution.
- Microsoft will no longer pay for or deliver native SMS and voice authentication.
- Organizations retaining these methods must contract with a telecom provider.
- Customers will pay the providerโs associated telecom charges.
- SMS and voice can remain enabled according to the organizationโs policies.
- Moving from Microsoft-provided SMS or voice to passkeys adds no passkey licensing cost.
The retirement also applies to SMS and voice use in Entra self-service password reset. Organizations should therefore include password recovery workflows in their transition planning.
Passkeys resist phishing and SIM-swapping attacks
Passkeys use public-key cryptography instead of a password or authentication code shared with a server. The private key stays with the userโs device or credential provider, while the service stores a corresponding public key.
This design binds authentication to the legitimate website. A fake sign-in page cannot simply capture and replay a passkey in the way an attacker may reuse a password or one-time code.
The Microsoft Entra security update says SMS and voice channels remain vulnerable to phishing, interception, SIM swapping, social engineering, and MFA bypass techniques.
| Authentication method | Uses a shared secret or code | Phishing resistance | Main concern |
|---|---|---|---|
| Password | Yes | No | Can be stolen, reused, or entered into a fake site |
| SMS code | Yes | No | Can be phished, intercepted, or redirected through SIM swapping |
| Voice code | Yes | No | Can be socially engineered or intercepted |
| Passkey | No | Yes | Requires planning for devices, recovery, and credential providers |
AI is increasing the effectiveness of phishing
Microsoft linked the authentication change to the growing speed and precision of AI-assisted attacks. Automated tools can help attackers create localized messages, tailor lures to specific roles, and run campaigns at greater scale.
The Microsoft Digital Defense Report 2025 says AI-assisted phishing messages achieved click-through rates of up to 54%, compared with about 12% for traditional attempts.
Once attackers obtain a valid identity, AI tools can also accelerate discovery, privilege escalation, and lateral movement. Removing phishable authentication methods reduces the value of convincing users to surrender passwords and MFA codes.
The reported percentages describe observed campaigns rather than a guaranteed success rate for every AI-generated phishing email. Industry, target selection, security training, and the quality of the lure can all affect results.
Entra ID supports synced and device-bound passkeys
Microsoft Entra ID supports both synced and device-bound passkeys. Organizations can choose different types based on the userโs role, device access, security requirements, and recovery needs.
Synced passkeys can reside in providers such as Apple iCloud Keychain and Google Password Manager. The provider encrypts and synchronizes the credential so users can access it across eligible devices.
Device-bound passkeys remain stored on a particular device or physical authenticator. Examples include passkeys in Microsoft Authenticator, Entra passkeys on Windows, and FIDO2 hardware security keys.
| Passkey type | Storage | Typical use | Trade-off |
|---|---|---|---|
| Synced passkey | Cloud credential manager | General workforce users with multiple devices | Does not support device attestation |
| Authenticator passkey | Microsoft Authenticator on a device | Users who need a device-bound mobile credential | Requires access to the registered device |
| Entra passkey on Windows | Local Windows Hello container | Windows users who need a local Entra credential | Must be registered separately on each device |
| FIDO2 security key | Physical hardware key | Administrators and highly privileged users | Requires purchasing, distributing, and recovering hardware |
Passkeys are available in every Entra ID edition
Microsoft says passkeys are available in all Entra ID editions, including Entra ID Free, without an additional passkey license.
The companyโs passkey deployment instructions let administrators create profiles, choose synced or device-bound credentials, configure attestation, apply restrictions, and target specific user groups.
Administrators can also use Conditional Access authentication strength policies to require passkeys for sensitive resources. Simply enabling passkey registration does not automatically require every user to use one for every sign-in.
- Enable Passkey (FIDO2) in the Authentication Methods Policy.
- Create profiles for synced or device-bound passkeys.
- Assign profiles to pilot groups before wider deployment.
- Require device-bound methods for administrators where appropriate.
- Test account recovery and lost-device procedures.
- Use Conditional Access for sensitive applications and privileged roles.
What Entra ID administrators should do now
Administrators should identify users who remain enabled for SMS or voice in both the modern Authentication Methods Policy and legacy MFA settings. They should also determine which users rely on these methods in practice.
Organizations can launch a passkey registration campaign before September 1. Users will receive a setup prompt after completing MFA, allowing IT teams to spread enrollment over several weeks instead of waiting for the automatic rollout.
The Microsoft transition guidance recommends clear communications that explain when prompts will appear, which passkey type users should select, and how to recover access after losing a device.
- Audit users and groups enabled for SMS or voice.
- Choose passkey profiles for standard and privileged users.
- Test passkeys across the organizationโs supported devices and browsers.
- Run a registration campaign with a controlled pilot group.
- Document recovery procedures before broad deployment.
- Evaluate telecom providers only for users with a justified need.
- Complete the migration before February 1, 2027.
The timeline applies only to the Entra public cloud
Microsoftโs announced dates apply to Microsoft Entra ID public cloud environments. Other cloud environments will follow a separate schedule.
This means government and specialized cloud customers should wait for timelines specific to their environments rather than assuming the public cloud dates apply unchanged.
Organizations should still begin evaluating phishing-resistant authentication. The Entra passkey configuration guide provides the current requirements and policy controls for supported deployments.
Microsoftโs shift makes passkeys the recommended default without immediately erasing every password. The immediate goal is to move users away from SMS and voice before Microsoft ends its native delivery service in February 2027.
The Digital Defense Report provides the broader threat context behind that decision, while Entra administrators must now translate the policy into a practical migration plan for their own users.
FAQ
No. Microsoft is making passkeys the default experience for users enabled for SMS or voice. It is not removing every password from every Entra ID account on that date.
Microsoft-provided SMS and voice delivery in Entra ID will end on February 1, 2027. Organizations can retain these methods by configuring a supported customer-managed telecom provider.
After February 1, 2027, users whose only available MFA method is Microsoft-provided SMS or voice will receive a blocking passkey registration prompt unless their organization has configured a customer-managed telecom provider.
Entra ID supports synced passkeys stored in credential managers and device-bound passkeys stored in Microsoft Authenticator, Windows Hello containers, or FIDO2 security keys.
Microsoft will provide a temporary opt-out for the September rollout while organizations complete transition work. There will be no opt-out from the February 1, 2027 enforcement for tenants still relying on Microsoft-provided SMS or voice.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages