Microsoft Makes Passkeys the Default in Entra ID as SMS and Voice MFA Near Retirement


Microsoft will make passkeys the default authentication experience in Microsoft Entra ID starting September 1, 2026, as it prepares to retire its native SMS and voice authentication delivery.

Users currently enabled for SMS or voice will automatically become eligible for passkeys. After completing multifactor authentication, they will see a prompt encouraging them to register a passkey.

The change does not immediately remove passwords from every Entra ID account. Microsoftโ€™s passkeys announcement focuses on replacing phishable SMS and voice methods with passkeys or another phishing-resistant option.

Passkey registration prompts begin September 1

Users enabled for SMS or voice through the Entra Authentication Methods Policy or legacy MFA settings will automatically be enabled for passkeys. Microsoft will also change the tenantโ€™s registration campaign to a Microsoft-managed state for those users.

When an affected user next signs in and completes MFA, Entra ID will prompt that person to register a passkey. The September prompt will not initially block access.

Microsoftโ€™s SMS and voice retirement documentation states that users will have unlimited opportunities to snooze the registration prompt during the transition period.

DateEntra ID changeRequired action
August 1, 2026Temporary opt-out support becomes availableUse it only while completing another migration plan
September 1, 2026SMS and voice users become enabled for passkeys and receive registration promptsPrepare policies and notify affected users
September 18, 2026Microsoft publishes telecom providers, guidance, pricing, and commercial termsEvaluate providers if SMS or voice must remain
October 30, 2026Administrators can configure a supported telecom providerTest the provider with a pilot group
February 1, 2027Microsoft-provided SMS and voice delivery endsComplete migration or configure a customer-managed provider
After February 1, 2027Remaining SMS or voice-only users receive a blocking passkey promptRegister a passkey before continuing to sign in

Administrators can temporarily delay the September changes

Microsoft plans to provide an API-based temporary opt-out starting August 1. This option will let an organization delay automatic passkey enablement and registration campaign changes while it completes transition work.

For example, an administrator may need more time to deploy another phishing-resistant method or arrange a customer-managed telecom provider. The temporary option does not extend Microsoftโ€™s native SMS and voice service beyond February 1.

After the deadline, tenants without a configured telecom provider will lose Microsoft-provided SMS and voice delivery. Users whose only available MFA method is SMS or voice will receive a blocking prompt and must register a passkey before continuing.

Microsoft will stop providing SMS and voice codes

Microsoft currently handles the telecom delivery behind native SMS and voice authentication in Entra ID. That service will end on February 1, 2027.

Organizations that still need these methods for regulatory, operational, technical, or business reasons can contract with a supported telecom provider through the Microsoft Security Store.

Microsoft will publish the provider list and commercial details on September 18. Administrators will be able to select and configure a provider beginning October 30, with costs varying by carrier, region, message volume, and geographic distribution.

  • Microsoft will no longer pay for or deliver native SMS and voice authentication.
  • Organizations retaining these methods must contract with a telecom provider.
  • Customers will pay the providerโ€™s associated telecom charges.
  • SMS and voice can remain enabled according to the organizationโ€™s policies.
  • Moving from Microsoft-provided SMS or voice to passkeys adds no passkey licensing cost.

The retirement also applies to SMS and voice use in Entra self-service password reset. Organizations should therefore include password recovery workflows in their transition planning.

Passkeys resist phishing and SIM-swapping attacks

Passkeys use public-key cryptography instead of a password or authentication code shared with a server. The private key stays with the userโ€™s device or credential provider, while the service stores a corresponding public key.

This design binds authentication to the legitimate website. A fake sign-in page cannot simply capture and replay a passkey in the way an attacker may reuse a password or one-time code.

The Microsoft Entra security update says SMS and voice channels remain vulnerable to phishing, interception, SIM swapping, social engineering, and MFA bypass techniques.

Authentication methodUses a shared secret or codePhishing resistanceMain concern
PasswordYesNoCan be stolen, reused, or entered into a fake site
SMS codeYesNoCan be phished, intercepted, or redirected through SIM swapping
Voice codeYesNoCan be socially engineered or intercepted
PasskeyNoYesRequires planning for devices, recovery, and credential providers

AI is increasing the effectiveness of phishing

Microsoft linked the authentication change to the growing speed and precision of AI-assisted attacks. Automated tools can help attackers create localized messages, tailor lures to specific roles, and run campaigns at greater scale.

The Microsoft Digital Defense Report 2025 says AI-assisted phishing messages achieved click-through rates of up to 54%, compared with about 12% for traditional attempts.

Once attackers obtain a valid identity, AI tools can also accelerate discovery, privilege escalation, and lateral movement. Removing phishable authentication methods reduces the value of convincing users to surrender passwords and MFA codes.

The reported percentages describe observed campaigns rather than a guaranteed success rate for every AI-generated phishing email. Industry, target selection, security training, and the quality of the lure can all affect results.

Entra ID supports synced and device-bound passkeys

Microsoft Entra ID supports both synced and device-bound passkeys. Organizations can choose different types based on the userโ€™s role, device access, security requirements, and recovery needs.

Synced passkeys can reside in providers such as Apple iCloud Keychain and Google Password Manager. The provider encrypts and synchronizes the credential so users can access it across eligible devices.

Device-bound passkeys remain stored on a particular device or physical authenticator. Examples include passkeys in Microsoft Authenticator, Entra passkeys on Windows, and FIDO2 hardware security keys.

Passkey typeStorageTypical useTrade-off
Synced passkeyCloud credential managerGeneral workforce users with multiple devicesDoes not support device attestation
Authenticator passkeyMicrosoft Authenticator on a deviceUsers who need a device-bound mobile credentialRequires access to the registered device
Entra passkey on WindowsLocal Windows Hello containerWindows users who need a local Entra credentialMust be registered separately on each device
FIDO2 security keyPhysical hardware keyAdministrators and highly privileged usersRequires purchasing, distributing, and recovering hardware

Passkeys are available in every Entra ID edition

Microsoft says passkeys are available in all Entra ID editions, including Entra ID Free, without an additional passkey license.

The companyโ€™s passkey deployment instructions let administrators create profiles, choose synced or device-bound credentials, configure attestation, apply restrictions, and target specific user groups.

Administrators can also use Conditional Access authentication strength policies to require passkeys for sensitive resources. Simply enabling passkey registration does not automatically require every user to use one for every sign-in.

  • Enable Passkey (FIDO2) in the Authentication Methods Policy.
  • Create profiles for synced or device-bound passkeys.
  • Assign profiles to pilot groups before wider deployment.
  • Require device-bound methods for administrators where appropriate.
  • Test account recovery and lost-device procedures.
  • Use Conditional Access for sensitive applications and privileged roles.

What Entra ID administrators should do now

Administrators should identify users who remain enabled for SMS or voice in both the modern Authentication Methods Policy and legacy MFA settings. They should also determine which users rely on these methods in practice.

Organizations can launch a passkey registration campaign before September 1. Users will receive a setup prompt after completing MFA, allowing IT teams to spread enrollment over several weeks instead of waiting for the automatic rollout.

The Microsoft transition guidance recommends clear communications that explain when prompts will appear, which passkey type users should select, and how to recover access after losing a device.

  • Audit users and groups enabled for SMS or voice.
  • Choose passkey profiles for standard and privileged users.
  • Test passkeys across the organizationโ€™s supported devices and browsers.
  • Run a registration campaign with a controlled pilot group.
  • Document recovery procedures before broad deployment.
  • Evaluate telecom providers only for users with a justified need.
  • Complete the migration before February 1, 2027.

The timeline applies only to the Entra public cloud

Microsoftโ€™s announced dates apply to Microsoft Entra ID public cloud environments. Other cloud environments will follow a separate schedule.

This means government and specialized cloud customers should wait for timelines specific to their environments rather than assuming the public cloud dates apply unchanged.

Organizations should still begin evaluating phishing-resistant authentication. The Entra passkey configuration guide provides the current requirements and policy controls for supported deployments.

Microsoftโ€™s shift makes passkeys the recommended default without immediately erasing every password. The immediate goal is to move users away from SMS and voice before Microsoft ends its native delivery service in February 2027.

The Digital Defense Report provides the broader threat context behind that decision, while Entra administrators must now translate the policy into a practical migration plan for their own users.

FAQ

Is Microsoft removing passwords from Entra ID on September 1, 2026?

No. Microsoft is making passkeys the default experience for users enabled for SMS or voice. It is not removing every password from every Entra ID account on that date.

When will Microsoft retire SMS and voice authentication?

Microsoft-provided SMS and voice delivery in Entra ID will end on February 1, 2027. Organizations can retain these methods by configuring a supported customer-managed telecom provider.

Will passkey registration become mandatory?

After February 1, 2027, users whose only available MFA method is Microsoft-provided SMS or voice will receive a blocking passkey registration prompt unless their organization has configured a customer-managed telecom provider.

What passkey types does Entra ID support?

Entra ID supports synced passkeys stored in credential managers and device-bound passkeys stored in Microsoft Authenticator, Windows Hello containers, or FIDO2 security keys.

Can organizations opt out of the passkey rollout?

Microsoft will provide a temporary opt-out for the September rollout while organizations complete transition work. There will be no opt-out from the February 1, 2027 enforcement for tenants still relying on Microsoft-provided SMS or voice.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages