Microsoft Entra ID gets passkeys default authentication starting September 2026
Microsoft is replacing phishable SMS and voice-based MFA with passkeys as the default sign-in method for Microsoft Entra ID in the public cloud.
Microsoft Entra ID gets passkeys default authentication starting September 2026
Microsoft is replacing phishable SMS and voice-based multifactor authentication (MFA) with passkeys as the default sign-in method for Microsoft Entra ID in the public cloud. The transition begins September 1, 2026, as part of a broader effort to modernize security and protect against credential theft.
Starting September 1, 2026, users who currently rely on SMS or voice authentication will be automatically enabled for passkeys. During their next multifactor authentication process, these users will receive a prompt to register a passkey. While users can initially snooze this prompt an unlimited number of times, the system will automatically shift these accounts into a passkey profile.
The move is a direct response to a surge in AI-driven security threats. According to Microsoft Threat Intelligence, AI-enabled phishing campaigns have achieved click-through rates as high as 54%, while traditional campaigns typically see roughly 12%. Microsoft stated that AI-powered attackers can now automate privilege escalation, discovery, and lateral movement much faster once they compromise a phishable credential.
"By making passkeys the default authentication experience, organizations reduce reliance on phishable authentication methods and strengthen protection against credential theft and phishing."
Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering at Microsoft, via helpnetsecurity.com
The Timeline to Retirement
The transition follows a sequence of milestones designed to phase out legacy telephony-based methods:
- September 1, 2026: Passkeys become the default authentication experience; automatic enrollment begins for SMS and voice users.
- September 18, 2026: Microsoft will publish information regarding supported third-party telecom providers, including commercial terms and pricing.
- October 30, 2026: Administrators can begin selecting and configuring supported third-party telecom providers through the Microsoft Security Store.
- February 1, 2027: Microsoft retires its native telecom delivery for SMS and voice authentication across all tenants.
Following the February 1, 2027 deadline, any user whose only available MFA method is SMS or voice will encounter a blocking registration prompt. They will be unable to sign in until they register a passkey. Microsoft has stated there is no opt-out for this specific enforcement.
Phishing Resistance and Implementation
Passkeys utilize public-key cryptography rather than shared secrets, which protects against replay attacks, SIM-swapping, and social engineering. Entra ID supports two types of passkeys: device-bound passkeys, such as those used by FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator; and synced passkeys, which are stored in credential managers like Google Password Manager and iCloud Keychain.
Users already utilizing phishing-resistant methods — including smart cards, FIDO2 keys, or Windows Hello for Business — may continue using them. Internally, Microsoft claims it has reached phishing-resistant authentication coverage for 99.6% of its own devices and users.
The retirement of native SMS and voice also extends to self-service password reset (SSPR) capabilities. To avoid sign-in disruptions, Microsoft recommends that organizations identify at-risk users via the Entra SMS/Voice Policy Scanner PowerShell script. This script requires administrators to hold a Security Reader, Authentication Policy Administrator, or Global Reader role.
Alternative Options and Constraints
For organizations with specific operational or regulatory requirements, such as EU NIS2 compliance or specific out-of-band SMS mandates, Microsoft will allow the use of customer-managed telecom providers. These third-party providers must be configured through the Microsoft Security Store, and organizations will be responsible for all associated per-message telecom costs. In contrast, migrating users to passkeys incurs no additional cost as they are included in all Entra plans.
While a temporary opt-out for the September 1, 2026 automatic enrollment will be available via API starting August 1, 2026, it only delays the transition. It does not exempt tenants from the February 2027 native retirement.
This rollout schedule applies exclusively to public cloud environments. Separate timelines for government cloud environments, including DoD, GCC High, and GCC, will be announced at a later date. Microsoft also plans to introduce a future capability allowing users who authenticate via passwordless sign-in to change their passwords.