MC1426371: Microsoft Entra Makes Passkeys Default and Retires Microsoft-Provided SMS and Voice Authentication

MWPRO IMPACT SCORE
OPERATIONAL IMPACT
74
0 25 50 75 100
HIGH IMPACT • REVIEW RECOMMENDED
Recommended Action:
Review the update and plan any required actions before rollout.
What is MWPro Impact Score? Watch our 60‑second explainer

Primary Audience

Tenant AdminsMicrosoft 365 AdminsSecurity TeamsCompliance TeamsAzure AdminsIT ManagersService Owners
Why this score?
AI Confidence
HIGH
Enough detail is available to trust this assessment.
Assessment Reasoning
This update introduces a default shift to passkeys and removes Microsoft-provided SMS and voice MFA by February 2027. Admins must prepare for passkey enablement and configure telecom providers if telephony methods remain necessary, requiring planning, policy updates and possibly procurement steps. Users will see prompts to register passkeys starting September 2026, which could impact sign-in experience. Urgency is high due to the defined rollout schedule and enforced retirement deadline, making early planning critical to avoid authentication disruptions.
85
🛡️ Admin Impact
55
👥 User Impact
70
Urgency
80
🔧 Implementation Effort
ℹ️ WHAT YOU NEED TO KNOW
📌

AT A GLANCE

Passkeys become the default authentication in Entra from September 2026. Microsoft-provided SMS and voice will retire in February 2027. Action needed if you still use these methods.
👥

END USERS

Users may see prompts to register a passkey during MFA sign-in starting September 2026.
🛡️

IT ADMINS

Plan passkey adoption and review telecom options if you still need SMS or voice authentication.
📅

ROLLOUT TIMELINE

Upcoming:
September 2026

📢 Official Microsoft Message Center Announcement


Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication
Message ID: MC1426371 (Updated)

[What and why]

Passkeys will become the default authentication experience in Microsoft Entra on September 1, 2026. Telecom-based methods (SMS and voice) will transition to customer-configured providers through the Microsoft Security Store. 

The AI era demands stronger, phishing-resistant authentication. We are making passkeys the default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.  

As part of this transition, SMS and voice will no longer be available as multifactor authentication methods starting February 1, 2027. SMS and voice do not offer sufficient levels of security in comparison to passkeys. Traditional authentication methods including passwords, SMS one-time passcodes, and voice-based verification remain vulnerable to phishing, interception, and social engineering attacks.

We strongly recommend moving away from telephony-based authentication methods to improve security and prevent identity attacks. Passkeys are included in all Microsoft Entra plans, so making this critical security change comes at no additional cost for you.  

While we recommend adopting passkeys for phishing-resistant authentication as quickly as possible, we also recognize that some customers may have business needs that make an immediate transition impractical. In such cases, customers may continue to use SMS and voice by selecting a telecom provider in the Microsoft Security Store. 

[Rollout schedule]

  • September 1, 2026: 
    • Rollout begins. Changes may take time to reach all tenants and will be deployed gradually. 
    • Passkeys will be automatically enabled for users currently enabled for SMS or voice. 
    • Registration Campaign will be set to Microsoft-Managed targeting passkeys for all users in eligible tenants. 
    • Users will be prompted to register a passkey during MFA sign-in; users will be able to skip. 
  • September 18th, 2026:
    • review the telecom providers and related information available through the Microsoft Security Store to evaluate which optiohn best meets your regional and compliance requirements.
  • October 30, 2026:  
    • Customers who need to continue to use SMS or voice will be able to choose from a list of telecom providers available through the Microsoft Security Store. 
  • February 1, 2027: 
    • Microsoft-provided SMS and voice authentication will be retired. 
    • Only customer-configured telecom providers will support SMS and voice going forward. 
    • Passkeys become the default, recommended authentication method. 
If no action is taken, tenants relying only on Microsoft-provided SMS or voice may experience sign-in disruptions after February 1, 2027. 

[Impact on your organization]

Who is affected

  • All Microsoft Entra ID tenants enabled for SMS or voice authentication
  • Users enabled for SMS or voice 

Platforms and services

  • Microsoft Entra ID
  • Multifactor authentication
  • Microsoft Security Store

What will happen

  • Passkeys will be automatically enabled for eligible users and Registration Campaign for passkeys will be set to Microsoft Managed state starting September 1, 2026. 
  • Users will be prompted during MFA sign-in to register a passkey; users can skip the prompt. 
  • Microsoft-provided SMS and voice will be retired on February 1, 2027.
  • Organizations that still require telephony methods must configure a telecom provider in the Microsoft Security Store.
  • Tenants that do not configure a provider and continue relying on Microsoft telephony will face SMS and voice authentication disruptions after retirement.

[Action required and recommendations]

Admins should take the following steps:

  • Prepare for passkeys
    • Plan to transition users to passkeys and communicate upcoming registration prompts. 
  • Decide if SMS or voice is still required
    • If SMS or voice is still needed, you must configure a customer-managed telecom provider. We recommend completing setup at least 4 weeks before the February 1 enforcement to allow sufficient time for testing and a cautious transition. 
  • Set up a telecom provider before February 1, 2027
    • SMS and voice will only work after this date if a customer-configured telecom provider is enabled.  
  • Use temporary opt-out if needed
    • A temporary opt-out will be available for the September 1, 2026 through February 1, 2027 changes. This allows you to delay passkey and Registration Campaign enablement while you complete transition activities, such as configuring customer-managed telecom providers or migrating to other authentication methods.
    • After February 1, 2027, passkey enablement will be enforced for all users in scope. 

Additional documentation and more information will be available on Microsoft Learn and the Tech Community.

For more information please visit: https://learn.microsoft.com/entra/identity/authentication/concept-sms-voice-retirement more:

[Compliance considerations]

Review as appropriate for your organization.

    Source: Microsoft Message Center • Analysed by MWPro

    <<< [MC1426371] Archive
    Tooltip: View earlier revisions of this post

    Latest Posts

    Pass It On
    Leave a Comment

    Comments

    No comments yet. Why don’t you start the discussion?

    Leave a Reply