Skip to content
feed: live
>_ 0dayNews
microsoft

Entra ID passkeys go default in Sept; SMS/voice out Feb 1

Microsoft is auto-enrolling Entra ID SMS/voice MFA users into passkeys starting September 2026 and retiring native SMS/voice delivery on Feb 1, 2027. What to do.

Entra ID passkeys go default in Sept; SMS/voice out Feb 1
Photo: Brett Sayles / Pexels · Pexels License
fuse Marisol "Fuse" Delgado · Published · 3 min read

Microsoft’s Entra ID team announced on July 13 that passkeys will become the default multifactor method for tenants currently on SMS or voice, with rollout starting in September 2026 and Microsoft-provided SMS and voice delivery retired as a native Entra capability on February 1, 2027. BleepingComputer’s writeup has the mechanics: users currently enabled for SMS or voice authentication will be automatically enabled for passkeys, and the next MFA prompt after their tenant’s rollout window will register a passkey for them. After Feb 1, if you still need phone-based auth for a specific use case, Microsoft is pointing tenants at third-party telecom providers via the Microsoft Security Store — Redmond is out of the SMS gateway business.

This is not a surprise if you’ve been reading the room. CISA and NIST have been calling SMS a “restricted” second factor for two years, and every AiTM phishing kit shipping this quarter — Jalisco and OmegaLord, the ShinyHunters Salesforce chain, the LastPass/Bitwarden lookalike campaign hitting inboxes right now — treats SMS/OTP as free calories. What is new is that Microsoft has now put a hard deprecation date on it inside the largest workforce identity platform on the planet, and set the default state so admins who do nothing still land on phishing-resistant auth. That last bit matters more than the calendar: most tenants don’t move until the default moves.

Do not read “auto-enrolled into passkeys” as “done.” The rollout only clears users who register a passkey when prompted. Everyone who dismisses the prompt, whose device can’t attest a platform authenticator, whose mobile MDM blocks the Authenticator passkey flow, or who is on a shared/kiosk endpoint with no passkey path — those users will still be sitting on SMS or voice when Feb 1 hits, and at that point the native path is gone. If the tenant hasn’t stood up an alternative (FIDO2 security keys, Windows Hello for Business, Authenticator device-bound passkeys) before then, those accounts get locked out of MFA the day the retirement lands, not gracefully migrated.

What to actually do — this is a six-month program, not a September problem:

  1. Run Microsoft’s Entra SMS/Voice Usage Analyzer against your tenant this week. It’s the read-only PowerShell script Microsoft shipped alongside the announcement — it enumerates every account still authenticating via SMS or voice so you know your actual exposure surface, not your assumed one. Break the output by group: privileged/admin roles, standard workforce, service and break-glass accounts, guest/B2B.
  2. For privileged roles: enforce FIDO2 hardware keys or Windows Hello for Business now, not in January. Passkeys-via-Authenticator is fine for standard workforce but not the right posture for global admins or PIM-eligible accounts. If a Microsoft global admin is still on SMS in July 2026, that is the finding, escalate accordingly.
  3. For workforce users on managed devices: turn on the phishing-resistant passwordless deployment path and let Microsoft’s rollout do the heavy lift. Test the Authenticator passkey registration flow against your Conditional Access policies and your MDM baselines in a pilot ring first — Conditional Access rules that key on legacy MFA claim types will need reviewing.
  4. Guest/B2B and unmanaged endpoints are where you’ll bleed help-desk tickets. Inventory guest accounts still using SMS, decide per business relationship whether to re-invite as B2B direct connect (passkey-capable) or plan a phone-provider fallback via the Security Store — and price the fallback into your FY27 budget now if you take that route.
  5. Break-glass accounts stay hardware-key. Don’t get clever. Two keys, physically split, tested quarterly, documented.

Priority call: run the usage analyzer this week, close the privileged-account gap by end of August, land the workforce rollout inside Microsoft’s September–December window, and treat any account still on SMS in January 2027 as an active P1. Do not wait for Feb 1 to force the schedule — the outage risk on the retirement date is real, and it lands the same week most orgs are running skeleton crews after New Year’s. Bring it inside the fiscal year while you have staff and change windows.

For context on why the phone-based factor is worth killing at all, our Forg365 PhaaS writeup walks the AiTM economics, and the OAuth client ID spoofing piece from Proofpoint covers the sign-in-log blind spots that make SMS-second-factor account takeovers hard to catch after the fact — both of which passkey-bound auth actually addresses at the protocol layer, not just at the “user should have known better” layer.

Found this useful? Share it.