What Microsoft is changing and when
Beginning in September 2026, Microsoft will make passkeys the default authentication method for Entra ID, its enterprise identity service. The company plans a phased rollout: users who currently rely on phone-based SMS and voice authentication will be automatically transitioned to passkeys. Microsoft has set a hard retirement date for its telecom delivery of SMS and voice authentication — February 1, 2027 — after which SMS and voice will no longer be offered as native Microsoft Entra capabilities.
Which sign-in methods continue, and which are retired
Organizations and users already authenticating with phishing-resistant methods will not be forced to change. Microsoft said users who sign in with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or "any other phishing-resistant method" will be allowed to continue using those methods. By contrast, Microsoft-provided SMS and voice authentication will be withdrawn as a native option on February 1, 2027.
Operational steps admins can take now
Microsoft advises administrators to ensure all accounts use a phishing-resistant method before the retirement date to avoid sign-in disruptions, because users who remain on SMS or voice will be unable to complete multifactor authentication after that date. Admins who hold the global reader, Authentication policy administrator, or Security reader roles can locate users still relying on phone-based authentication by running the Entra SMS/Voice Policy Scanner PowerShell script.
For organizations that remain required to use telephony-based authentication, Microsoft directs them to configure third-party telecom providers via the Microsoft Security Store. The company also offers step‑by‑step guidance on deploying and managing Entra ID phishing-resistant passwordless authentication on a dedicated documentation page.
How Microsoft frames the security case
Microsoft links the change directly to rising phishing risk. Citing Microsoft Threat Intelligence, the company says AI-enabled phishing campaigns have achieved click-through rates "as high as 54%, compared with roughly 12% for more traditional campaigns," and that stolen passwords and phishable second factors therefore represent an "urgent risk."
Microsoft argued that "by making passkeys the default authentication experience, organizations reduce reliance on phishable authentication methods and strengthen protection against credential theft and phishing." The company also advised organizations to move away from telephony-based authentication methods to block identity attacks and improve account security using stolen credentials.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Run the Entra SMS/Voice Policy Scanner PowerShell script to inventory who still uses SMS or voice authentication, and prioritize rollouts of passkeys or other phishing-resistant methods to avoid disruption after February 1, 2027.
- Procurement leaders and IT operations: If regulatory or operational constraints require phone-based authentication, plan to contract third-party telecom providers through the Microsoft Security Store and validate those configurations well ahead of the retirement date.
- End users and account holders: Expect to be prompted to register a passkey the next time you perform multifactor authentication if your account currently relies on SMS or voice; users already on passkeys, Windows Hello for Business, FIDO2 keys, smart cards, or similar methods will continue unchanged.
Closing observation
Microsoft's timetable converts a strategic preference into a calendar-driven change: passkeys default in September 2026, and Microsoft-provided SMS and voice are retired on February 1, 2027. The company has provided tooling — the Entra SMS/Voice Policy Scanner — documentation, and a migration path that includes third-party telecom options for those who cannot immediately abandon phone-based authentication. Organizations that do not act risk sign-in outages; those that do will be adopting methods Microsoft says will blunt a rising tide of AI-enabled phishing attacks.



