Microsoft Entra ID Passkeys Default Rollout Dates
Summary
Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.
Introduction
Microsoft is accelerating its move to phishing-resistant authentication in Entra ID. As AI-driven phishing and identity attacks become more effective, Microsoft is making passkeys the default sign-in experience to reduce dependence on weaker methods like SMS and voice.
For IT teams, this is more than a user experience update. It introduces a firm migration timeline, changes how MFA is delivered, and requires planning for any users who still depend on telecom-based authentication.
What’s new
Passkeys become the default
- Starting September 1, 2026, Microsoft will roll out passkeys as the default authentication experience in Microsoft Entra ID.
- Users currently enabled for SMS or voice authentication will be automatically enabled for passkeys.
- On their next MFA prompt, those users will be asked to register a passkey.
Microsoft-provided SMS and voice are being retired
- February 1, 2027: Microsoft will end its native telecom delivery for SMS and voice authentication in Entra ID.
- After that date, organizations that still need SMS or voice must use a supported telecom partner through the Microsoft Security Store.
- Those organizations will be responsible for any related telecom costs.
Key support dates
- September 18, 2026: Microsoft will publish supported providers, pricing details, and deployment guidance.
- October 30, 2026: Admins can begin selecting and configuring a telecom provider if SMS or voice must remain in use.
- After February 1, 2027: Users relying on SMS or voice will be required to register a passkey before signing in, with no opt-out.
Impact on administrators and users
For administrators, this means reviewing authentication method policies now and identifying users or groups still tied to SMS or voice. Organizations should also decide which passkey types best fit their environment, including synced passkeys, device-bound passkeys, Microsoft Authenticator passkeys, Windows passkeys, or FIDO2 security keys.
For end users, the biggest visible change will be a registration prompt during MFA. In most environments, passkeys should improve both security and sign-in speed, but user communication and onboarding will be important to avoid confusion.
Recommended next steps
- Audit which users still use SMS or voice MFA.
- Enable and test passkey deployment in Entra ID.
- Use the registration campaign feature to drive adoption.
- Prepare user communications about the new sign-in prompt.
- If SMS or voice must remain for regulatory or operational reasons, evaluate telecom partner options as soon as Microsoft publishes them.
This update makes Microsoft’s direction clear: phishing-resistant authentication is becoming the standard, and Entra ID admins should begin the transition well before the 2027 cutoff.
Need help with Security?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies