Microsoft Entra ID Defaults to Passkeys, Replacing Passwords
Key Takeaways Microsoft Entra ID will transition to passkeys as the default authentication method, phasing out phishable SMS and voice-based multifactor authentication. This change is a direct...
Key Takeaways
- Microsoft Entra ID will transition to passkeys as the default authentication method, phasing out phishable SMS and voice-based multifactor authentication.
- This change is a direct response to the escalating threat of AI-powered phishing campaigns, which exhibit significantly higher success rates than traditional methods.
- The mandatory shift begins September 1, 2026, with a complete cessation of Microsoft-provided SMS and voice authentication by February 1, 2027.
- Organizations must prepare by auditing current authentication methods, enabling passkey support, and proactively communicating changes to users.
Microsoft Entra ID Embraces Passkeys, Sunsetting Legacy MFA
Microsoft has announced a significant shift in its authentication strategy for Microsoft Entra ID, designating passkeys as the default sign-in method. This transition, set to commence on September 1, 2026, will effectively replace phishable SMS and voice-based multifactor authentication (MFA) methods.
Table Of Content
The move is a strategic response to the alarming proliferation of AI-enabled phishing campaigns. Microsoft Threat Intelligence has observed these advanced attacks achieving click-through rates as high as 54%, a stark contrast to the approximately 12% success rate of conventional phishing attempts. The inherent resistance of passkeys to such sophisticated attacks makes them a critical upgrade in the evolving cybersecurity landscape.
Starting September 1, 2026, users currently configured for SMS or voice authentication will be automatically enrolled in passkeys. These users will encounter a registration prompt during their next multifactor authentication event, guiding them through the setup process for their new passkey.
Phased Rollout and Key Milestones
Microsoft’s implementation plan for this change is structured around several critical dates:
- September 1, 2026: The automatic enablement of passkeys and nudges for all users relying on SMS/voice during MFA sign-in will begin.
- September 18, 2026: Microsoft will release comprehensive pricing details, commercial terms, and a list of supported telecom providers through the Microsoft Security Store.
- October 30, 2026: Administrators will gain the ability to select and configure third-party telecom providers for organizations that have specific, validated requirements to retain SMS or voice authentication.
- February 1, 2027: Microsoft will cease providing native SMS and voice authentication delivery services entirely.
- After February 1, 2027: Passkey registration prompts will become mandatory for all users across all tenants, with no option to opt out.
This initiative builds upon previous advancements in passwordless authentication within Entra ID. Notably, March 2026 saw the introduction of passkey profiles as the default sign-in configuration for enterprise tenants. This was followed in May 2026 by the global expansion of system-preferred authentication to encompass first-factor sign-in, laying the groundwork for the current transition.
The Security Advantage of Passkeys
Passkeys leverage public-key cryptography, a fundamentally more secure approach than shared secrets. This makes them inherently resistant to phishing attacks, unlike SMS and voice codes, which are susceptible to interception through methods like SIM swapping or social engineering. Microsoft emphasizes that AI-powered attackers can now automate discovery, privilege escalation, and lateral movement at an accelerated pace once a phishable credential is compromised, underscoring the urgency of eliminating weak second factors.
Internally, Microsoft claims it has already achieved phishing-resistant authentication coverage for 99.6% of its own users and devices by deprecating legacy methods.
Entra ID supports both synced passkeys, which are stored in platform credential managers such as iCloud Keychain and Google Password Manager, and device-bound passkeys, available via Microsoft Authenticator, Entra passkey on Windows, and FIDO2 security keys. This dual approach offers organizations flexibility in their deployment strategies.
Beyond security enhancements, regulatory pressures are also driving this shift. Industry analysts point to NIS2 compliance requirements within the European Union, which are pushing organizations towards mandatory passwordless authentication, especially after voluntary adoption rates for passkeys, despite their availability for over a year, remained stagnant.
Organizations with legitimate regulatory or technical justifications for retaining SMS or voice authentication can establish direct contracts with supported telecom carriers through the Microsoft Security Store, beginning October 30, 2026. However, these organizations will be responsible for the associated telecom costs.
It is important to note that this timeline applies specifically to Microsoft Entra ID in the public cloud. Government cloud environments (GCC, GCC High, DoD) will follow separate timelines, which are expected to be announced at a later date.
What You Should Do
Microsoft strongly advises organizations to take immediate action rather than waiting for the automatic rollout:
- Conduct a thorough audit of existing authentication policies to identify all users and groups that currently rely on SMS or voice MFA.
- Enable passkey support within Entra ID and strategically choose between synced or device-bound passkey types based on your organization’s user devices and workflow requirements.
- Leverage Entra ID’s registration campaign feature to facilitate and scale passkey adoption during MFA sign-in events.
- Proactively communicate with affected users regarding upcoming passkey registration prompts and changes to their sign-in experience.
- For organizations with a regulatory necessity to retain SMS/voice, pilot any chosen third-party telecom provider configuration before a broad rollout.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.