Review the update and plan any required actions before rollout.
Primary Audience
Why this score?
AT A GLANCE
END USERS
IT ADMINS
ROLLOUT TIMELINE
September 2026
📢 Official Microsoft Message Center Announcement
Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication
Message ID: MC1426371
[What and why]
Passkeys will become the default authentication experience in Microsoft Entra on September 1, 2026. Telecom-based methods (SMS and voice) will transition to customer-configured providers through the Microsoft Security Store.
The AI era demands stronger, phishing-resistant authentication. We are making passkeys the default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.
As part of this transition, SMS and voice will no longer be available as multifactor authentication methods starting January 28, 2027. SMS and voice do not offer sufficient levels of security in comparison to passkeys. Traditional authentication methods including passwords, SMS one-time passcodes, and voice-based verification remain vulnerable to phishing, interception, and social engineering attacks.
We strongly recommend moving away from telephony-based authentication methods to improve security and prevent identity attacks. Passkeys are included in all Microsoft Entra plans, so making this critical security change comes at no additional cost for you.
While we recommend adopting passkeys for phishing-resistant authentication as quickly as possible, we also recognize that some customers may have business needs that make an immediate transition impractical. In such cases, customers may continue to use SMS and voice by selecting a telecom provider in the Microsoft Security Store.
[Rollout schedule]
- August 1, 2026:
- Pricing, commercial terms, and additional details about supported telecom providers will be shared.
- September 1, 2026:
- Rollout begins. Changes may take time to reach all tenants and will be deployed gradually.
- Passkeys will be automatically enabled for users currently enabled for SMS or voice.
- Registration Campaign will be set to Microsoft-Managed targeting passkeys for all users in eligible tenants.
- Users will be prompted to register a passkey during MFA sign-in; users will be able to skip.
- October 30, 2026:
- Customers who need to continue to use SMS or voice will be able to choose from a list of telecom providers available through the Microsoft Security Store.
- January 28, 2027:
- Microsoft-provided SMS and voice authentication will be retired.
- Only customer-configured telecom providers will support SMS and voice going forward.
- Passkeys become the default, recommended authentication method.
[Impact on your organization]
Who is affected
- All Microsoft Entra ID tenants enabled for SMS or voice authentication
- Users enabled for SMS or voice
Platforms and services
- Microsoft Entra ID
- Multifactor authentication
- Microsoft Security Store
What will happen
- Passkeys will be automatically enabled for eligible users and Registration Campaign for passkeys will be set to Microsoft Managed state starting September 1, 2026.
- Users will be prompted during MFA sign-in to register a passkey; users can skip the prompt.
- Microsoft-provided SMS and voice will be retired on January 28, 2027.
- Organizations that still require telephony methods must configure a telecom provider in the Microsoft Security Store.
- Tenants that do not configure a provider and continue relying on Microsoft telephony will face SMS and voice authentication disruptions after retirement.
[Action required and recommendations]
Admins should take the following steps:
- Prepare for passkeys
- Plan to transition users to passkeys and communicate upcoming registration prompts.
- Decide if SMS or voice is still required
- If SMS or voice is still needed, you must configure a customer-managed telecom provider. We recommend completing setup at least 4 weeks before the January 28 enforcement to allow sufficient time for testing and a cautious transition.
- Set up a telecom provider before January 28, 2027
- SMS and voice will only work after this date if a customer-configured telecom provider is enabled.
- Use temporary opt-out if needed
- A temporary opt-out will be available for the September 1, 2026 through January 28, 2027 changes. This allows you to delay passkey and Registration Campaign enablement while you complete transition activities, such as configuring customer-managed telecom providers or migrating to other authentication methods.
- After January 28, 2027, passkey enablement will be enforced for all users in scope.
Additional documentation and more information will be available on Microsoft Learn and the Tech Community.
For more information please visit: https://learn.microsoft.com/entra/identity/authentication/concept-sms-voice-retirement more:
- Deploy passkey adoption campaigns with the Conditional Access Optimization Agent | Microsoft Entra | Microsoft Learn
- Get started with phishing-resistant passwordless authentication deployment in Microsoft Entra ID | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- It’s Time to Hang Up on Phone Transports for Authentication | Microsoft Entra Blog
- Passkeys by default and retirement of Microsoft-provided SMS and voice authentication | Microsoft Entra | Microsoft Learn
[Compliance considerations]
Review as appropriate for your organization.
Source: Microsoft Message Center • Analysed by MWPro
Latest Posts
- MC1403390: Power Platform Admin Center Replaces Classic DLP with Advanced Connector Policies and Restores Design-Time Enforcement

- Amazon DocumentDB (with MongoDB compatibility) now available as a skill in the Agent Toolkit for AWS

- MC1426371: Microsoft Entra Makes Passkeys Default and Retires Microsoft-Provided SMS and Voice Authentication

- Voxtral-Mini-4B-Realtime for real-time speech transcription is now available in Amazon SageMaker JumpStart





