← Back
(Updated) Microsoft Entra: System-preferred authentication now applies to first-factor authentication
MC1411574 · build prod-20251231-200323
Category
stayInformed
Severity
normal
Major change
False
Last modified
2026-07-09 18:20:59
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2026-07-31 00:00:00
Services
Microsoft Entra
Tags
Updated message, Feature update, User impact, Admin impact
Master tags
User, Admin, Security
Roadmap IDs

One-line summary

System-preferred authentication in Microsoft Entra ID will now apply to both first- and second-factor authentication for tenants in the Microsoft managed state, using the most secure available method.

Similar updates

More like this

Details

Summary
Microsoft Entra now applies system-preferred authentication to first-factor sign-in for tenants in the Microsoft managed state, selecting the most secure registered method. Rollout starts late June 2026. Tenants can keep or change this setting and should update user guidance accordingly.

Body (from Message Center)

Updated July 9, 2026: We have updated this post as a reminder. Thank you for your patience. 

[What and Why]

As announced in the What's New (June Edition), we have been rolling out first-factor system-preferred authentication in the Microsoft-managed state.

System-preferred authentication in Microsoft Entra ID now applies to both first-factor and second-factor authentication when the setting is in the Microsoft managed state.

The system evaluates which credentials are registered for the user and selects the highest-ranked method for each authentication step, prompting the user to sign in with the most secure available method.

[Rollout schedule]

  • General Availability (Worldwide): Beginning late June 2026 and expected to complete by late July 2026

[Impact on your organization]

Who is affected

  • Organizations whose system-preferred authentication setting is in the Microsoft managed state.
  • If your setting is in the Enabled or Disabled state, first-factor sign-in behavior remains unchanged and there is no impact from this update.

Platforms and services

  • Microsoft Entra ID
  • System-preferred authentication
  • User sign-in experiences

What will happen

  • For tenants in the Microsoft managed state, the system applies credential ranking to both first-factor and second-factor authentication.
  • When a user signs in, the authentication process checks which authentication methods are registered and prompts the user with the most secure method according to the system-defined order.
  • The method order is dynamic and can update when users register more secure authentication methods, such as a passkey, or as Microsoft updates credential rankings based on evolving security guidance. For example, if a user has both a password and a passkey registered, Microsoft Entra may prompt the user to use the passkey at their next first-factor sign-in instead of the password.
  • To sign in using a different option, users can always cancel and choose another available sign-in method.

Behavior by setting state:

  • Microsoft managed: The system applies credential ranking to both first-factor and second-factor authentication.
  • Enabled: Credential ranking applies only to second-factor authentication. First-factor sign-in behavior remains unchanged.
  • Disabled: System-preferred authentication is not applied.

Note: This prompt does not mean the user is being asked to complete multifactor authentication (MFA) when MFA is not required. With this update, Microsoft Entra can prompt users to use their most secure available credential at first-factor sign-in instead of defaulting to a password. Some methods, such as passkeys, certificate-based authentication, or Microsoft Authenticator, can satisfy first-factor sign-in requirements and may also satisfy MFA requirements when MFA is required. The goal is to use the strongest available credential consistently, not to add an extra MFA prompt.

[What you need to do to prepare:] 

Review whether you want system-preferred authentication to apply to first-factor authentication in your tenant: 

  • If you want the credential ranking applied to both first-factor and second-factor authentication, leave the setting in the Microsoft managed state. No action is required.
  • If you do not want system-preferred authentication to apply to first-factor authentication, change the setting from Microsoft managed to Enabled. The Enabled state applies system-preferred logic only to second-factor authentication and leaves first-factor sign-in behavior unchanged.
  • Consider notifying users that they may be prompted with a different, more secure sign-in method at first-factor sign-in and remind them that they can always cancel and choose another available sign-in method.
  • Update internal sign-in documentation and support guidance accordingly.

Learn more

[Compliance considerations]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": "2026-07-31T00:00:00Z",
    "ai_actions": [
      "Review your tenant\u0027s system-preferred authentication setting",
      "Change the setting from Microsoft managed to Enabled if you do NOT want first-factor credential ranking",
      "Consider notifying users about potential changes to sign-in prompts",
      "Update internal sign-in documentation and support guidance"
    ],
    "ai_master_tags": [
      "User",
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "System-preferred authentication in Microsoft Entra ID will now apply to both first- and second-factor authentication for tenants in the Microsoft managed state, using the most secure available method.",
    "ai_topics": [
      "Entra"
    ],
    "category": "stayInformed",
    "details_map": {
      "Summary": "Microsoft Entra now applies system-preferred authentication to first-factor sign-in for tenants in the Microsoft managed state, selecting the most secure registered method. Rollout starts late June 2026. Tenants can keep or change this setting and should update user guidance accordingly."
    },
    "id": "MC1411574",
    "importance": 3,
    "is_major_change": false,
    "last_modified": "2026-07-09T18:20:59Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Feature update",
      "User impact",
      "Admin impact"
    ],
    "title": "(Updated) Microsoft Entra: System-preferred authentication now applies to first-factor authentication"
  }
}