← Back
Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication
MC1426371 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2026-07-13 17:11:32
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2027-01-04 00:00:00
Services
Microsoft Entra
Tags
User impact, Admin impact, Retirement
Master tags
User, Admin, Security
Roadmap IDs

One-line summary

Microsoft Entra will make passkeys the default authentication method on Sep 1, 2026; Microsoft-provided SMS/voice MFA will retire Feb 1, 2027—configure your own provider if needed.

Similar updates

More like this

Details

Summary
Microsoft Entra will make passkeys the default authentication method starting September 1, 2026, retiring Microsoft-provided SMS and voice authentication by February 1, 2027. Customers must configure telecom providers for SMS/voice via the Microsoft Security Store or face disruptions. Passkeys offer stronger, phishing-resistant security at no extra cost.

Body (from Message Center)

[What and why]

Passkeys will become the default authentication experience in Microsoft Entra on September 1, 2026. Telecom-based methods (SMS and voice) will transition to customer-configured providers through the Microsoft Security Store. 

The AI era demands stronger, phishing-resistant authentication. We are making passkeys the default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.  

As part of this transition, SMS and voice will no longer be available as multifactor authentication methods starting February 1, 2027. SMS and voice do not offer sufficient levels of security in comparison to passkeys. Traditional authentication methods including passwords, SMS one-time passcodes, and voice-based verification remain vulnerable to phishing, interception, and social engineering attacks.

We strongly recommend moving away from telephony-based authentication methods to improve security and prevent identity attacks. Passkeys are included in all Microsoft Entra plans, so making this critical security change comes at no additional cost for you.  

While we recommend adopting passkeys for phishing-resistant authentication as quickly as possible, we also recognize that some customers may have business needs that make an immediate transition impractical. In such cases, customers may continue to use SMS and voice by selecting a telecom provider in the Microsoft Security Store. 

[Rollout schedule]

  • September 1, 2026: 
    • Rollout begins. Changes may take time to reach all tenants and will be deployed gradually. 
    • Passkeys will be automatically enabled for users currently enabled for SMS or voice. 
    • Registration Campaign will be set to Microsoft-Managed targeting passkeys for all users in eligible tenants. 
    • Users will be prompted to register a passkey during MFA sign-in; users will be able to skip. 
  • September 18th, 2026:
    • review the telecom providers and related information available through the Microsoft Security Store to evaluate which optiohn best meets your regional and compliance requirements.
  • October 30, 2026:  
    • Customers who need to continue to use SMS or voice will be able to choose from a list of telecom providers available through the Microsoft Security Store. 
  • February 1, 2027: 
    • Microsoft-provided SMS and voice authentication will be retired. 
    • Only customer-configured telecom providers will support SMS and voice going forward. 
    • Passkeys become the default, recommended authentication method. 
If no action is taken, tenants relying only on Microsoft-provided SMS or voice may experience sign-in disruptions after February 1, 2027. 

[Impact on your organization]

Who is affected

  • All Microsoft Entra ID tenants enabled for SMS or voice authentication
  • Users enabled for SMS or voice 

Platforms and services

  • Microsoft Entra ID
  • Multifactor authentication
  • Microsoft Security Store

What will happen

  • Passkeys will be automatically enabled for eligible users and Registration Campaign for passkeys will be set to Microsoft Managed state starting September 1, 2026. 
  • Users will be prompted during MFA sign-in to register a passkey; users can skip the prompt. 
  • Microsoft-provided SMS and voice will be retired on February 1, 2027.
  • Organizations that still require telephony methods must configure a telecom provider in the Microsoft Security Store.
  • Tenants that do not configure a provider and continue relying on Microsoft telephony will face SMS and voice authentication disruptions after retirement.

[Action required and recommendations]

Admins should take the following steps:

  • Prepare for passkeys
    • Plan to transition users to passkeys and communicate upcoming registration prompts. 
  • Decide if SMS or voice is still required
    • If SMS or voice is still needed, you must configure a customer-managed telecom provider. We recommend completing setup at least 4 weeks before the February 1 enforcement to allow sufficient time for testing and a cautious transition. 
  • Set up a telecom provider before February 1, 2027
    • SMS and voice will only work after this date if a customer-configured telecom provider is enabled.  
  • Use temporary opt-out if needed
    • A temporary opt-out will be available for the September 1, 2026 through February 1, 2027 changes. This allows you to delay passkey and Registration Campaign enablement while you complete transition activities, such as configuring customer-managed telecom providers or migrating to other authentication methods.
    • After February 1, 2027, passkey enablement will be enforced for all users in scope. 

Additional documentation and more information will be available on Microsoft Learn and the Tech Community.

For more information please visit: https://learn.microsoft.com/entra/identity/authentication/concept-sms-voice-retirement more:

[Compliance considerations]

Review as appropriate for your organization.

    Raw JSON (for debugging)

    Expand/collapse the full payload below.
    Show/hide raw
    {
      "snapshot_item": {
        "action_required_by": null,
        "ai_action_required_by": "2027-01-04T00:00:00Z",
        "ai_actions": [
          "Plan and communicate passkey registration for users",
          "Decide if SMS/voice authentication is still required",
          "If needed, configure a customer-managed telecom provider via Microsoft Security Store",
          "Complete provider setup by January 4, 2027 for testing",
          "Consider temporary opt-out if transition can\u0027t be completed on time"
        ],
        "ai_master_tags": [
          "User",
          "Admin",
          "Security"
        ],
        "ai_model": "gpt-4.1",
        "ai_summary": "Microsoft Entra will make passkeys the default authentication method on Sep 1, 2026; Microsoft-provided SMS/voice MFA will retire Feb 1, 2027\u2014configure your own provider if needed.",
        "ai_topics": [
          "Entra"
        ],
        "category": "planForChange",
        "details_map": {
          "Summary": "Microsoft Entra will make passkeys the default authentication method starting September 1, 2026, retiring Microsoft-provided SMS and voice authentication by February 1, 2027. Customers must configure telecom providers for SMS/voice via the Microsoft Security Store or face disruptions. Passkeys offer stronger, phishing-resistant security at no extra cost."
        },
        "id": "MC1426371",
        "importance": 5,
        "is_major_change": true,
        "last_modified": "2026-07-13T17:11:32Z",
        "ms_products": [
          "Entra"
        ],
        "platforms": null,
        "roadmap_ids": [],
        "services": [
          "Microsoft Entra"
        ],
        "severity": "normal",
        "tags": [
          "User impact",
          "Admin impact",
          "Retirement"
        ],
        "title": "Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication"
      }
    }