MC1426371: Microsoft Entra Sets Passkeys as Default and Retires Microsoft-Provided SMS and Voice Authentication

MWPRO IMPACT SCORE
OPERATIONAL IMPACT
73
0 25 50 75 100
HIGH IMPACT • REVIEW RECOMMENDED
Recommended Action:
Review the update and plan any required actions before rollout.
What is MWPro Impact Score? Watch our 60‑second explainer

Primary Audience

Tenant AdminsMicrosoft 365 AdminsSecurity TeamsCompliance TeamsIT ManagersService Owners
Why this score?
AI Confidence
HIGH
Enough detail is available to trust this assessment.
Assessment Reasoning
Microsoft Entra will make passkeys the default authentication method on September 1, 2026, with Microsoft-provided SMS and voice MFA retired on January 28, 2027. Admin teams must plan migration to passkeys, review Conditional Access policies, and decide on customer-managed telecom providers if telephony MFA remains needed. Users will see MFA registration prompts and workflow changes during sign-in, and organisations without proper setup risk authentication failures after retirement dates.
85
🛡️ Admin Impact
50
👥 User Impact
70
Urgency
75
🔧 Implementation Effort
ℹ️ WHAT YOU NEED TO KNOW
📌

AT A GLANCE

Passkeys become the default sign-in method in Entra from September 2026. Microsoft-provided SMS and voice will end in January 2027.
👥

END USERS

Users will be prompted to register a passkey during MFA sign-in but can temporarily skip.
🛡️

IT ADMINS

Plan the move to passkeys and set up telecom providers if SMS or voice must remain after January 2027.
📅

ROLLOUT TIMELINE

Upcoming:
September 2026

📢 Official Microsoft Message Center Announcement


Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication
Message ID: MC1426371

[What and why]

Passkeys will become the default authentication experience in Microsoft Entra on September 1, 2026. Telecom-based methods (SMS and voice) will transition to customer-configured providers through the Microsoft Security Store. 

The AI era demands stronger, phishing-resistant authentication. We are making passkeys the default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.  

As part of this transition, SMS and voice will no longer be available as multifactor authentication methods starting January 28, 2027. SMS and voice do not offer sufficient levels of security in comparison to passkeys. Traditional authentication methods including passwords, SMS one-time passcodes, and voice-based verification remain vulnerable to phishing, interception, and social engineering attacks.

We strongly recommend moving away from telephony-based authentication methods to improve security and prevent identity attacks. Passkeys are included in all Microsoft Entra plans, so making this critical security change comes at no additional cost for you.  

While we recommend adopting passkeys for phishing-resistant authentication as quickly as possible, we also recognize that some customers may have business needs that make an immediate transition impractical. In such cases, customers may continue to use SMS and voice by selecting a telecom provider in the Microsoft Security Store. 

[Rollout schedule]

  • August 1, 2026: 
    • Pricing, commercial terms, and additional details about supported telecom providers will be shared. 
  • September 1, 2026: 
    • Rollout begins. Changes may take time to reach all tenants and will be deployed gradually. 
    • Passkeys will be automatically enabled for users currently enabled for SMS or voice. 
    • Registration Campaign will be set to Microsoft-Managed targeting passkeys for all users in eligible tenants. 
    • Users will be prompted to register a passkey during MFA sign-in; users will be able to skip. 
  • October 30, 2026:  
    • Customers who need to continue to use SMS or voice will be able to choose from a list of telecom providers available through the Microsoft Security Store. 
  • January 28, 2027: 
    • Microsoft-provided SMS and voice authentication will be retired. 
    • Only customer-configured telecom providers will support SMS and voice going forward. 
    • Passkeys become the default, recommended authentication method. 
If no action is taken, tenants relying only on Microsoft-provided SMS or voice may experience sign-in disruptions after January 28, 2027. 

[Impact on your organization]

Who is affected

  • All Microsoft Entra ID tenants enabled for SMS or voice authentication
  • Users enabled for SMS or voice 

Platforms and services

  • Microsoft Entra ID
  • Multifactor authentication
  • Microsoft Security Store

What will happen

  • Passkeys will be automatically enabled for eligible users and Registration Campaign for passkeys will be set to Microsoft Managed state starting September 1, 2026. 
  • Users will be prompted during MFA sign-in to register a passkey; users can skip the prompt. 
  • Microsoft-provided SMS and voice will be retired on January 28, 2027.
  • Organizations that still require telephony methods must configure a telecom provider in the Microsoft Security Store.
  • Tenants that do not configure a provider and continue relying on Microsoft telephony will face SMS and voice authentication disruptions after retirement.

[Action required and recommendations]

Admins should take the following steps:

  • Prepare for passkeys
    • Plan to transition users to passkeys and communicate upcoming registration prompts. 
  • Decide if SMS or voice is still required
    • If SMS or voice is still needed, you must configure a customer-managed telecom provider. We recommend completing setup at least 4 weeks before the January 28 enforcement to allow sufficient time for testing and a cautious transition. 
  • Set up a telecom provider before January 28, 2027
    • SMS and voice will only work after this date if a customer-configured telecom provider is enabled.  
  • Use temporary opt-out if needed
    • A temporary opt-out will be available for the September 1, 2026 through January 28, 2027 changes. This allows you to delay passkey and Registration Campaign enablement while you complete transition activities, such as configuring customer-managed telecom providers or migrating to other authentication methods.
    • After January 28, 2027, passkey enablement will be enforced for all users in scope. 

Additional documentation and more information will be available on Microsoft Learn and the Tech Community.

For more information please visit: https://learn.microsoft.com/entra/identity/authentication/concept-sms-voice-retirement more:

[Compliance considerations]

Review as appropriate for your organization.

    Source: Microsoft Message Center • Analysed by MWPro

    Latest Posts

    Pass It On
    Leave a Comment

    Comments

    No comments yet. Why don’t you start the discussion?

    Leave a Reply