Microsoft Entra ID authentication overhaul to start in September 2026

Microsoft will begin rolling out passkeys as the default authentication experience for Microsoft Entra ID in the public cloud on September 1, 2026. Organizations with SMS or voice authentication enabled will automatically be enabled for passkeys. The next time users complete MFA, they will be prompted to register a passkey.

Microsoft Entra passkey

Starting February 1, 2027, users who rely on SMS or voice for MFA will be required to register a passkey before they can sign in. The company will also enforce automatic passkey registration prompts for all users across all tenants. Organizations will not be able to opt out.

Microsoft phases out native SMS and voice authentication

Microsoft plans to retire Microsoft-provided telecom delivery for SMS and voice authentication and will no longer offer SMS and voice as a native Microsoft Entra capability.

Organizations that require SMS or voice authentication for regulatory, technical, or business reasons will be able to select, configure, and manage supported third-party telecom providers through the Microsoft Security Store, where they will contract directly with the providers. Customers will be responsible for any telecom-related charges imposed by their chosen provider.

The company plans to share information on supported providers, deployment guidance, technical documentation, pricing, and commercial terms on September 18, 2026. Starting October 30, 2026, administrators will be able to select and configure a supported telecom provider.

“By making passkeys the default authentication experience, organizations reduce reliance on phishable authentication methods and strengthen protection against credential theft and phishing,” Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering at Microsoft, explained.

Don't miss