ProBackend
access management iam security
3 hours ago6 min read

Passkeys Will Become the Default Authentication Method for Entra ID — Here's What Changes

Microsoft announces that passkeys will become the default authentication method for Entra ID enterprise identity starting September 2026, with SMS and voice authentication fully retired by February 2027. What security teams need to know about the migration timeline, admin tooling, and why AI-driven phishing makes this urgent.

Microsoft just made a decision that's going to ripple through every Microsoft 365 tenant on the planet. Starting in September 2026, passkeys become the default authentication method for Entra ID — and SMS or voice-based multi-factor authentication gets retired entirely by February 1, 2027. No extensions. No opt-outs for the standard telecom path.

If your org still relies on phone-based second factors, you've got roughly six months to get users onto something phishing-resistant. That's not a lot of runway when you consider how many enterprises still have legacy users, contractors, and third-party vendors stuck on SMS codes.

The good news? Microsoft is handling the migration server-side. Affected users get passkeys enabled automatically, and on their next MFA prompt they'll be asked to register a passkey. No manual provisioning from your help desk. The bad news? If someone doesn't complete that registration, they're locked out when February hits.

What Passkeys Default to Entra ID Actually Means

Here's the mechanics of it. When the rollout reaches your organization, every user currently enabled for SMS or voice authentication gets passkeys turned on behind the scenes. The next time they hit MFA, they're prompted to register a passkey on their device — the same flow you'd see if someone set up Windows Hello for Business or a FIDO2 key.

Users already signing in with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or any other phishing-resistant method? They're unaffected. The transition is invisible to them.

This matters because it's not a forced migration in the traditional sense. Microsoft isn't ripping out SMS overnight and leaving users stranded. There's a grace period built into the September rollout where affected accounts get nudged toward passkey registration through their normal sign-in experience. But the clock is ticking — and when February 1, 2027 arrives, Microsoft-provided telecom delivery for SMS and voice authentication disappears completely. No native Entra capability. Period.

Organizations that absolutely must keep phone-based authentication for compliance or operational reasons will need to configure third-party telecom providers through the Microsoft Security Store. That's a real option, but it adds complexity and ongoing vendor management to an identity stack that most teams are already stretched thin on.

What Passkeys Default to Entra ID Actually Means

The Timeline: Six Months to Fix What You Can

The two-phase rollout is straightforward on paper:

September 2026. Passkeys become the default authentication method. Users on SMS or voice get passkeys enabled and prompted to register at next MFA.

February 1, 2027. Microsoft retires telecom delivery for SMS and voice authentication entirely. These methods are no longer offered as a native Entra ID capability.

Between those two dates, the onus is on administrators to ensure every user is using a phishing-resistant method. Miss that window and you'll have users unable to sign in — not because of a breach, but because the authentication path they depended on simply no longer exists.

I'd recommend treating this as a priority identity project, not a background task. Audit your user base now. Run the PowerShell scanner. Identify who's still on SMS or voice. Communicate with those users before September hits so they're not surprised by the prompt.

The organizations that will struggle most are those with large contractor populations, field workers on basic phones, or legacy systems that haven't been modernized. Those are the edge cases where third-party telecom configuration through the Security Store becomes necessary — and honestly, it's a sign that the identity architecture needs a deeper review regardless.

The Timeline: Six Months to Fix What You Can

Admin Tooling: Finding Affected Users Before the Rollout Hits

Microsoft has given admins a clear path to identify who's affected. If you hold the global reader, Authentication policy administrator, or Security reader roles, you can run the Entra SMS/Voice Policy Scanner PowerShell script to pull a list of users currently relying on phone-based authentication.

That script is your starting point. Run it today, not next month. The output tells you exactly who needs to be engaged before the September transition.

For organizations that must retain phone-based authentication for legitimate reasons — regulatory requirements, user population constraints, whatever the case is — the path forward goes through the Microsoft Security Store. You'll configure a third-party telecom provider there, and that provider handles SMS or voice delivery outside of Microsoft's native infrastructure. It works, but it's an add-on, not a first-class feature. Don't treat it as the default fallback.

Microsoft also maintains dedicated documentation on deploying and managing Entra ID phishing-resistant passwordless authentication. It's worth bookmarking — the step-by-step guidance covers everything from policy configuration to user enrollment flows.

Why Microsoft Is Pushing This Now: AI-Driven Phishing Has Changed the Math

Here's where it gets interesting. Microsoft isn't making this move in a vacuum. The threat landscape has shifted dramatically, and AI-enabled phishing campaigns are the catalyst.

Microsoft Threat Intelligence has observed AI-powered phishing reaching click-through rates as high as 54%. Traditional campaigns hover around 12%. That's a four-to-one gap. When attackers can generate near-perfect phishing content at scale, the old assumption that "a second factor saves you" stops holding water. SMS codes and voice calls are phishable — they can be intercepted, socially engineered, or relayed in real time through man-in-the-middle attacks.

The ShinyHunters extortion gang has been particularly aggressive here, targeting Microsoft Entra single sign-on accounts in a recent wave of SaaS data-theft attacks using stolen credentials. These aren't script-kiddie operations. They're organized criminal groups with the patience and technical capability to sit on compromised Entra SSO sessions and extract data over weeks or months.

By making passkeys the default, Microsoft is removing the weakest link from the authentication chain. Passkeys are phishing-resistant by design — they're bound to a specific domain, use cryptographic key pairs, and can't be phished the way SMS codes or passwords can. It's not a perfect solution, but it's dramatically better than what most enterprises are running today.

The math is simple: when AI-driven phishing achieves 54% click-through rates, relying on phishable second factors isn't a security strategy. It's a liability.

What This Means for Enterprise Security Teams

The practical impact falls into three buckets: audit, communicate, and prepare.

Audit. Run the Entra SMS/Voice Policy Scanner now. Get a complete picture of who's affected in your tenant. Don't rely on estimates or partial reports — the script gives you the authoritative list.

Communicate. Tell your users what's coming. Send a notice before September that explains the transition, why it's happening (AI phishing is real and the numbers are brutal), and what they need to do on their next sign-in. Users who feel informed cooperate. Users who are blindsided panic.

Prepare. For the edge cases — users on basic phones, legacy systems, compliance-mandated phone auth — start evaluating third-party telecom providers through the Security Store now. Don't wait until February to figure out how you're going to handle them.

This is also a good moment to review your broader identity architecture. If you're still running SMS as a primary MFA method in 2026, that's a signal that your security posture needs attention beyond just this one change. Passkeys are the direction Microsoft is heading, and every other major identity provider is following suit.

The organizations that treat this as a checkbox exercise will end up with frustrated users and broken authentication flows. The ones that use it as a catalyst for a broader phishing-resistant identity strategy will come out stronger on the other side.

More blogs