Security

Microsoft Entra ID Passkeys Default Rollout Dates

3 min read

Summary

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Need help with Security?Talk to an Expert

Introduction

Microsoft is accelerating its move to phishing-resistant authentication in Entra ID. As AI-driven phishing and identity attacks become more effective, Microsoft is making passkeys the default sign-in experience to reduce dependence on weaker methods like SMS and voice.

For IT teams, this is more than a user experience update. It introduces a firm migration timeline, changes how MFA is delivered, and requires planning for any users who still depend on telecom-based authentication.

What’s new

Passkeys become the default

  • Starting September 1, 2026, Microsoft will roll out passkeys as the default authentication experience in Microsoft Entra ID.
  • Users currently enabled for SMS or voice authentication will be automatically enabled for passkeys.
  • On their next MFA prompt, those users will be asked to register a passkey.

Microsoft-provided SMS and voice are being retired

  • February 1, 2027: Microsoft will end its native telecom delivery for SMS and voice authentication in Entra ID.
  • After that date, organizations that still need SMS or voice must use a supported telecom partner through the Microsoft Security Store.
  • Those organizations will be responsible for any related telecom costs.

Key support dates

  • September 18, 2026: Microsoft will publish supported providers, pricing details, and deployment guidance.
  • October 30, 2026: Admins can begin selecting and configuring a telecom provider if SMS or voice must remain in use.
  • After February 1, 2027: Users relying on SMS or voice will be required to register a passkey before signing in, with no opt-out.

Impact on administrators and users

For administrators, this means reviewing authentication method policies now and identifying users or groups still tied to SMS or voice. Organizations should also decide which passkey types best fit their environment, including synced passkeys, device-bound passkeys, Microsoft Authenticator passkeys, Windows passkeys, or FIDO2 security keys.

For end users, the biggest visible change will be a registration prompt during MFA. In most environments, passkeys should improve both security and sign-in speed, but user communication and onboarding will be important to avoid confusion.

  • Audit which users still use SMS or voice MFA.
  • Enable and test passkey deployment in Entra ID.
  • Use the registration campaign feature to drive adoption.
  • Prepare user communications about the new sign-in prompt.
  • If SMS or voice must remain for regulatory or operational reasons, evaluate telecom partner options as soon as Microsoft publishes them.

This update makes Microsoft’s direction clear: phishing-resistant authentication is becoming the standard, and Entra ID admins should begin the transition well before the 2027 cutoff.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Entra IDpasskeysMFAauthenticationsecurity

Related Posts

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.

Security

Microsoft CSP Security: New Partner Ecosystem Protections

Microsoft outlined how it is strengthening security across its Cloud Solution Provider ecosystem to reduce partner-led attacks on customer environments. The update focuses on tighter partner vetting, mandatory tenant security requirements, least-privilege access through GDAP, and stronger monitoring and response capabilities.