
Microsoft Entra ID will make passkeys the default authentication method
Microsoft will make passkeys the default in Entra ID and phase out native SMS and voice authentication delivery in 2027.
Microsoft is preparing a major change to how organizations using Microsoft Entra ID handle multifactor authentication: passkeys will become the default sign-in recovery path for users who still rely on SMS or voice codes. The company said the rollout starts September 1, 2026, when users enabled for those older methods will be automatically enabled for passkeys and prompted to register one the next time they complete multifactor authentication.
The move is meant to push enterprise identity systems away from methods that attackers can intercept, relay, or socially engineer. Microsoft framed the change as a response to faster phishing operations and credential theft, saying passkeys use public-key cryptography instead of shared secrets and are therefore designed to resist phishing. For administrators, the practical message is that SMS and voice are moving from built-in defaults toward exceptions that need explicit planning.
What changes for Entra tenants
The timeline gives customers several milestones. Microsoft says it will share supported telecom providers, deployment guidance, and commercial details through the Microsoft Security Store on September 18, 2026. Starting October 30, 2026, organizations that still need SMS or voice authentication for regulatory, technical, or operational reasons will be able to configure a supported third-party telecom provider through that store.
The larger deadline arrives February 1, 2027, when Microsoft-provided telecom delivery for SMS and voice authentication is set to end for Entra ID in the public cloud. After that point, users who still depend on those methods will be required to register a passkey before they can sign in, and Microsoft says the registration prompts will be enforced across tenants without an opt-out.
Why it matters
Passkeys can be synced through platform credential managers such as iCloud Keychain or Google Password Manager, or they can be device-bound through Microsoft Authenticator, Entra passkeys on Windows, or FIDO2 security keys. That flexibility should help large organizations match authentication options to different employee devices and risk profiles, but it also creates near-term work for identity teams.
Admins now have a defined window to identify users still enabled for SMS or voice, update authentication method policies, run pilot deployments, and prepare user communications. The change does not mean every organization must abandon telecom-based authentication immediately, but it does make clear that Microsoft wants phishing-resistant methods to become the normal path for Entra ID rather than a higher-security add-on.
Sources
Cover photo by panumas nikhomkhai on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment