Microsoft Entra ID to Default to Passkeys Ahead of SMS and Voice Authentication Retirement

Organizations are being urged to prepare users for phishing-resistant authentication and upcoming provider changes.

Datacenter networking servers

Key Takeaways:

  • Passkeys will become the default authentication experience in Entra ID starting in September.
  • Microsoft will retire native SMS and voice authentication services in 2027.
  • Organizations should begin migrating users to passkeys and evaluating third-party telecom providers.

Microsoft is making a major change to Microsoft Entra ID authentication by introducing passkeys as the default sign-in method for customers starting in September. The move marks another step toward passwordless authentication to help organizations strengthen defenses against modern credential theft and phishing attacks.

Passkeys have become increasingly important because cybercriminals are using more sophisticated techniques to steal credentials, including AI-assisted phishing campaigns, social engineering, and multifactor authentication bypass attacks. Traditional methods such as passwords, SMS codes, and phone-based verification depend on information that can potentially be intercepted, tricked out of users, or reused by attackers. Passkeys eliminate many of these risks and help organizations better protect accounts, sensitive data, and digital resources.

Microsoft has confirmed that passkeys will begin rolling out as the default authentication experience in Entra ID. Customers currently enabled for SMS or voice authentication will be automatically enrolled for passkeys and prompted to register one during their next multifactor authentication (MFA) sign-in.

Native SMS and voice authentication to retire next year

Microsoft will share details about supported telecom providers and pricing on September 18. Starting on October 30, administrators will be able to configure approved third-party telecom providers through the Microsoft Security Store. Microsoft will retire its native SMS and voice authentication service on February 1, 2027. After that date, organizations that still require SMS or voice authentication will need to obtain these services from approved third-party telecom providers through the Microsoft Security Store.

Microsoft will discontinue its native SMS and voice authentication services for Microsoft Entra ID on February 1, 2027. It will require organizations that still need these methods to use approved third-party telecom providers instead. After that date, users who continue to rely on SMS or voice-based authentication will be required to register a passkey before signing in, and this change will be enforced across all tenants without an opt-out option.

How organizations should prepare for the transition to passkeys?

Organizations are advised to begin preparing for the transition to passkeys as early as possible by identifying users who still depend on SMS or voice-based authentication and developing a plan to move them to phishing-resistant alternatives. Microsoft recommends enabling passkeys across the organization, selecting the passkey types that best fit employee devices and work scenarios, and using Entra ID registration campaigns to encourage user adoption during routine sign-in processes.

Additionally, organizations should proactively communicate upcoming changes to employees so they understand when passkey registration prompts will appear and how to complete the setup process. For businesses that must continue using SMS or voice authentication due to regulatory or technical requirements, Microsoft advises identifying affected user groups, evaluating supported telecom providers, and testing the configuration with a pilot group before broader deployment.