Microsoft has announced one of the most significant changes to enterprise identity security in recent years, confirming that passkeys will become the default authentication experience for Microsoft Entra ID beginning September 1, 2026.
Microsoft Pushes Enterprises Toward Passwordless AuthenticationBeginning September 1, Microsoft will gradually roll out passkeys as the default authentication option across eligible Microsoft Entra ID tenants.
Native SMS and Voice Authentication to End in 2027Perhaps the most consequential aspect of Microsoft's announcement is the retirement of its Microsoft-managed SMS and voice authentication infrastructure.
From February 1, 2027, Microsoft will no longer provide SMS text messages or voice calls as native authentication methods within Microsoft Entra ID.
Passkeys Continue Microsoft's Identity Security StrategyThe latest announcement builds on several identity security initiatives Microsoft has introduced throughout 2026.
Microsoft has announced one of the most significant changes to enterprise identity security in recent years, confirming that passkeys will become the default authentication experience for Microsoft Entra ID beginning September 1, 2026. The move marks a major step in the company's long-term effort to eliminate password- and telephony-based authentication in favor of phishing-resistant credentials, while accelerating the adoption of passwordless security across enterprise environments.
Alongside the rollout, Microsoft also confirmed that its native SMS and voice-based multifactor authentication (MFA) services will be retired on February 1, 2027. Organizations that continue relying on Microsoft's built-in telecom infrastructure for authentication must either migrate users to phishing-resistant authentication methods or integrate a supported third-party telecom provider through the Microsoft Security Store before the retirement deadline.
The announcement affects every Microsoft Entra ID tenant currently using SMS or voice authentication and represents another milestone in Microsoft's broader identity modernization strategy, which has increasingly focused on reducing the effectiveness of credential theft, phishing attacks, and account takeover campaigns.
Microsoft Pushes Enterprises Toward Passwordless Authentication
Beginning September 1, Microsoft will gradually roll out passkeys as the default authentication option across eligible Microsoft Entra ID tenants.
Users who currently authenticate using SMS verification codes or voice calls will automatically have passkeys enabled within their tenant. During their next multifactor authentication challenge, they will be prompted to register a passkey, allowing future logins to use a phishing-resistant authentication method instead of one-time codes delivered over telephone networks. The rollout will occur gradually across Microsoft's cloud infrastructure rather than simultaneously across all organizations.
Importantly, Microsoft is not forcing existing passwordless users to change authentication methods. Organizations already using Windows Hello for Business, FIDO2 security keys, smart cards, certificate-based authentication, or previously registered passkeys can continue using those technologies without interruption. The change primarily targets organizations that still depend on telephony-based MFA.
Native SMS and Voice Authentication to End in 2027
Perhaps the most consequential aspect of Microsoft's announcement is the retirement of its Microsoft-managed SMS and voice authentication infrastructure.
From February 1, 2027, Microsoft will no longer provide SMS text messages or voice calls as native authentication methods within Microsoft Entra ID. Organizations that continue using these methods without taking action risk authentication failures and user sign-in disruptions after the deadline.
Businesses that still require phone-based authentication because of regulatory requirements, legacy applications, or operational needs will instead need to purchase and configure a supported telecom provider through the Microsoft Security Store.
Microsoft has outlined the transition timeline as follows:
September 1, 2026 – Passkey rollout begins and registration campaigns are automatically enabled for eligible tenants.
September 18, 2026 – Organizations can begin reviewing supported telecom providers.
October 30, 2026 – Customer-managed telecom providers become available for deployment.
February 1, 2027 – Microsoft-provided SMS and voice authentication are officially retired.
Microsoft will also offer a temporary opt-out period during the migration to give organizations additional time to prepare, although passkey enablement will ultimately become standard for users within the affected scope.
Why Microsoft Is Accelerating the Shift
The decision reflects the rapidly changing identity threat landscape, where attackers increasingly bypass traditional security controls through phishing, credential theft, session hijacking, and social engineering.
While SMS-based MFA has long been considered more secure than passwords alone, security professionals have warned for years that it remains vulnerable to SIM-swapping attacks, interception, real-time phishing proxies, adversary-in-the-middle attacks, and social engineering.
Microsoft says those risks are growing as cybercriminals increasingly leverage artificial intelligence to automate phishing campaigns at unprecedented scale.
According to Microsoft Threat Intelligence, AI-assisted phishing campaigns have achieved click-through rates approaching 54%, compared to approximately 12% for traditional phishing campaigns. These advances significantly reduce the time attackers need to compromise user credentials, making phishing-resistant authentication increasingly essential for enterprise security.
The company argues that passkeys eliminate many of these attack vectors by replacing shared secrets with public-key cryptography. Instead of transmitting passwords or one-time codes that attackers can steal, a passkey authenticates users through a cryptographic challenge tied to a trusted device and unlocked using biometrics or a device PIN.
Because there is no reusable credential transmitted during authentication, phishing websites cannot capture or replay passkeys in the same way they can passwords or SMS verification codes.
Passkeys Continue Microsoft's Identity Security Strategy
The latest announcement builds on several identity security initiatives Microsoft has introduced throughout 2026.
Earlier this year, Microsoft began enforcing Conditional Access policies during credential registration, ensuring security policies apply consistently whenever users enroll Windows Hello for Business or macOS Platform SSO credentials.
The company also introduced new registration campaigns requiring users to explicitly register authentication methods for Self-Service Password Reset (SSPR), replacing older practices that relied on directory-stored phone numbers and email addresses. In parallel, Microsoft expanded tenant support for larger passkey policies and additional passkey profiles to simplify enterprise deployments.
Together, these changes represent a coordinated effort to eliminate legacy authentication workflows that attackers continue to exploit while standardizing stronger authentication across Microsoft's cloud ecosystem.
Growing Pressure from Identity-Focused Threat Actors
Microsoft's announcement comes amid a sustained increase in attacks targeting enterprise identity platforms.
Identity providers such as Microsoft Entra ID, Okta, Ping Identity, and Google Workspace have become attractive targets because compromising a single identity often provides attackers with access to email, cloud storage, collaboration platforms, virtual machines, SaaS applications, and privileged administrative resources.
Recent campaigns by financially motivated cybercriminals have demonstrated how stolen Microsoft 365 credentials can be leveraged to conduct large-scale SaaS data theft, business email compromise, ransomware deployment, and cloud persistence operations.
Microsoft has specifically highlighted recent campaigns in which attackers targeted Entra-based single sign-on environments using stolen credentials, reinforcing the need to reduce reliance on authentication methods that remain vulnerable to phishing.
Security researchers across the industry have similarly observed threat actors increasingly bypassing passwords through sophisticated phishing kits capable of capturing authentication cookies, proxying MFA prompts in real time, and exploiting user trust rather than software vulnerabilities.
What Organizations Should Do Now
Although Microsoft's enforcement deadline remains several months away, enterprise administrators are encouraged to begin migration planning immediately.
Organizations should first identify users who continue to rely on SMS or voice authentication. Microsoft provides an Entra SMS/Voice Policy Scanner PowerShell script that enables administrators with appropriate privileges to locate affected accounts and assess migration requirements.
Security teams should then develop a phased migration strategy focused on deploying phishing-resistant authentication methods such as:
Passkeys
Windows Hello for Business
FIDO2 hardware security keys
Certificate-based authentication
Smart cards where appropriate
Organizations that must retain SMS or voice authentication for operational reasons should evaluate supported telecom providers well before the February 2027 deadline to avoid authentication disruptions.
Equally important will be preparing end users for the transition through awareness campaigns and enrollment guidance, ensuring they understand how passkeys work and why Microsoft is making the change.
Industry Shift Toward Phishing-Resistant Authentication
Microsoft's latest announcement reflects a broader industry movement toward passwordless authentication.
Over the past several years, major technology companies including Microsoft, Google, Apple, and members of the FIDO Alliance have invested heavily in passkey adoption, promoting public-key cryptography as a long-term replacement for passwords and SMS-based verification.
As AI-powered phishing continues to improve and identity attacks become increasingly automated, security experts widely expect phishing-resistant authentication to become the enterprise standard rather than an optional enhancement.
For organizations running Microsoft Entra ID, the countdown has now officially begun. Administrators have until early 2027 to modernize authentication strategies, migrate users away from vulnerable telephony-based MFA, and prepare for an identity ecosystem where passkeys become the primary method of protecting enterprise accounts against credential theft.