Microsoft has announced that passkeys will become the default authentication method for the Entra ID enterprise identity service starting September 2026.
Passkeys will be enabled automatically for Entra ID users now using phone-based SMS and voice authentication, which will be retired in February 2027 across all tenants.
However, users who are already signing into their accounts with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or any other phishing-resistant method will be able to continue using those methods.
“As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multifactor authentication, they’ll be prompted to register a passkey,” Microsoft said.
“Following this transition, on February 1, 2027, Microsoft will retire Microsoft-provided telecom delivery for SMS and voice authentication and will no longer offer SMS and voice as a native Microsoft Entra capability.”
Before this date, organizations are advised to ensure that all users are using a phishing-resistant method to avoid sign-in disruptions, as they will no longer be able to use SMS or voice to complete multifactor authentication and sign in to their accounts.
Admins with the global reader, Authentication policy administrator, or Security reader roles enabled can find SMS or voice auth users by running the Entra SMS/Voice Policy Scanner PowerShell script.
Organizations that are still required to use phone-based authentication will need to configure third-party telecom providers through the Microsoft Security Store.
Microsoft provides step-by-step guidance on deploying and managing Entra ID phishing-resistant passwordless authentication on this dedicated documentation page.
Users are advised to move away from telephony-based authentication methods to block identity attacks and improve account security, as threat actors (including the ShinyHunters extortion gang) have heavily targeted Microsoft Entra single sign-on (SSO) accounts in a recent wave of SaaS data-theft attacks using stolen credentials.
“Microsoft Threat Intelligence has observed AI-enabled phishing campaigns reaching click-through rates as high as 54%, compared with roughly 12% for more traditional campaigns, making stolen passwords and phishable second factors an urgent risk,” Microsoft added.
“By making passkeys the default authentication experience, organizations reduce reliance on phishable authentication methods and strengthen protection against credential theft and phishing.”
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Microsoft starts testing cleaner Windows Search without ads
Breach at the Beach: Play the Ultimate Entra ID CTF
Microsoft to retire the OWA Light client in Exchange Server
Microsoft patches RoguePlanet Defender zero-day vulnerability
Microsoft to enable Windows settings backup by default for orgs
Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time
Australia warns of global campaign targeting vulnerable CMS platforms
‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets
#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.
AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
Overdue a password health-check? Audit your Active Directory for free
Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



