MC1411574: Microsoft Entra Applies System-Preferred Authentication to First-Factor Sign-In in Managed State

Microsoft Entra: System-preferred authentication now applies to first-factor authentication
Message ID: MC1411574

[What and Why]

As announced in the What’s New (June Edition), we have been rolling out first-factor system-preferred authentication in the Microsoft-managed state.

System-preferred authentication in Microsoft Entra ID now applies to both first-factor and second-factor authentication when the setting is in the Microsoft managed state.

The system evaluates which credentials are registered for the user and selects the highest-ranked method for each authentication step, prompting the user to sign in with the most secure available method.

[Rollout schedule]

  • General Availability (Worldwide): Beginning late June 2026 and expected to complete by late July 2026

[Impact on your organization]

Who is affected

  • Organizations whose system-preferred authentication setting is in the Microsoft managed state.
  • If your setting is in the Enabled or Disabled state, first-factor sign-in behavior remains unchanged and there is no impact from this update.

Platforms and services

  • Microsoft Entra ID
  • System-preferred authentication
  • User sign-in experiences

What will happen

  • For tenants in the Microsoft managed state, the system applies credential ranking to both first-factor and second-factor authentication.
  • When a user signs in, the authentication process checks which authentication methods are registered and prompts the user with the most secure method according to the system-defined order.
  • The method order is dynamic and can update when users register more secure authentication methods, such as a passkey, or as Microsoft updates credential rankings based on evolving security guidance. For example, if a user has both a password and a passkey registered, Microsoft Entra may prompt the user to use the passkey at their next first-factor sign-in instead of the password.
  • To sign in using a different option, users can always cancel and choose another available sign-in method.

Behavior by setting state:

  • Microsoft managed: The system applies credential ranking to both first-factor and second-factor authentication.
  • Enabled: Credential ranking applies only to second-factor authentication. First-factor sign-in behavior remains unchanged.
  • Disabled: System-preferred authentication is not applied.

Note: This prompt does not mean the user is being asked to complete multifactor authentication (MFA) when MFA is not required. With this update, Microsoft Entra can prompt users to use their most secure available credential at first-factor sign-in instead of defaulting to a password. Some methods, such as passkeys, certificate-based authentication, or Microsoft Authenticator, can satisfy first-factor sign-in requirements and may also satisfy MFA requirements when MFA is required. The goal is to use the strongest available credential consistently, not to add an extra MFA prompt.

[What you need to do to prepare]

Review whether you want system-preferred authentication to apply to first-factor authentication in your tenant: 

  • If you want the credential ranking applied to both first-factor and second-factor authentication, leave the setting in the Microsoft managed state. No action is required.
  • If you do not want system-preferred authentication to apply to first-factor authentication, change the setting from Microsoft managed to Enabled. The Enabled state applies system-preferred logic only to second-factor authentication and leaves first-factor sign-in behavior unchanged.
  • Consider notifying users that they may be prompted with a different, more secure sign-in method at first-factor sign-in and remind them that they can always cancel and choose another available sign-in method.
  • Update internal sign-in documentation and support guidance accordingly.
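
To see which state applies to a tenant before deciding, the setting can be read from the Microsoft Graph authenticationMethodsPolicy resource, where it appears as systemCredentialPreferences.state and the Microsoft managed state is the value "default". The Python below is an added example, not part of Microsoft's notice: the sample policy is constructed, the function names assess and opt_out_patch are hypothetical, and the property layout is assumed from the Graph documentation for system-preferred MFA.

```python
import json

# Constructed sample of the policy JSON, trimmed to the property that matters
# here. Not real tenant data.
SAMPLE_POLICY = {
    "id": "authenticationMethodsPolicy",
    "systemCredentialPreferences": {
        "state": "default",
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [],
    },
}

# Graph state value -> (portal label, ranking at first factor, at second factor),
# following the "Behavior by setting state" list in the notice.
BEHAVIOR = {
    "default": ("Microsoft managed", True, True),
    "enabled": ("Enabled", False, True),
    "disabled": ("Disabled", False, False),
}

def assess(policy):
    """Report how system-preferred authentication behaves for this policy."""
    prefs = policy.get("systemCredentialPreferences") or {}
    state = str(prefs.get("state", "")).lower()
    if state not in BEHAVIOR:
        # Missing property or an unrecognised value: flag for review, do not guess.
        return {"state": state or None, "label": "unknown",
                "first_factor": None, "second_factor": None}
    label, first, second = BEHAVIOR[state]
    return {"state": state, "label": label,
            "first_factor": first, "second_factor": second}

def opt_out_patch(policy):
    """PATCH body that keeps second-factor ranking but opts out of first-factor."""
    if assess(policy)["first_factor"] is not True:
        return None  # Enabled and Disabled tenants are not affected by the change
    prefs = policy["systemCredentialPreferences"]
    body = {"state": "enabled"}
    # Carry existing, non-empty targeting over so the setting's scope is unchanged.
    for key in ("includeTargets", "excludeTargets"):
        if prefs.get(key):
            body[key] = prefs[key]
    return {"systemCredentialPreferences": body}

if __name__ == "__main__":
    print(assess(SAMPLE_POLICY))
    print(json.dumps(opt_out_patch(SAMPLE_POLICY), indent=2))
```

The body returned by opt_out_patch is what would be sent in a PATCH to the same policy resource by an account permitted to change authentication methods policy; a None result means no change is needed to keep first-factor sign-in as it is.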

[Compliance considerations]

No compliance considerations identified; review as appropriate for your organization.

Source: Microsoft
