Microsoft Entra ID Retires Passwords and SMS Codes

Overview

Microsoft has announced a landmark change in Entra ID authentication, retiring phishable SMS and voice‑based MFA methods and making passkeys the default sign‑in method starting September 1, 2026. This shift comes in response to a surge in AI‑enabled phishing campaigns, which Microsoft Threat Intelligence reports are achieving click‑through rates of 54%, far higher than traditional phishing attempts.

Rollout Timeline

Microsoft’s rollout plan includes several milestones:

  • September 1, 2026 — Auto‑enablement begins; SMS/voice users are nudged to register passkeys during MFA sign‑in.
  • September 18, 2026 — Pricing, commercial terms, and supported telecom provider lists published via the Microsoft Security Store.
  • October 30, 2026 — Admins can configure third‑party telecom providers if SMS/voice remains a regulatory necessity.
  • February 1, 2027 — Microsoft ends native SMS/voice authentication delivery.
  • Post‑February 2027 — Passkey registration prompts become mandatory for all users with no opt‑out.

Why Passkeys?

Passkeys rely on public‑key cryptography rather than shared secrets, making them phishing‑resistant. Unlike SMS or voice codes, which attackers can intercept via SIM swapping or social engineering, passkeys bind authentication to trusted devices or credential managers.

Microsoft highlights that AI‑powered attackers can now automate discovery, privilege escalation, and lateral movement far faster once they compromise a phishable credential — elevating the urgency of eliminating weak second factors.

Internally, Microsoft reports 99.6% phishing‑resistant authentication coverage across its own users and devices.

Deployment Options

Entra ID supports both:

  • Synced passkeys — stored in platform credential managers like iCloud Keychain and Google Password Manager.
  • Device‑bound passkeys — via Microsoft Authenticator, Entra passkey on Windows, or FIDO2 security keys.

This flexibility allows organizations to tailor deployment to user devices and workflows.

Regulatory Drivers

Analysts note that EU NIS2 compliance requirements are accelerating adoption. Despite passkeys being available for over a year, voluntary uptake stalled — prompting Microsoft to enforce passwordless authentication as default.

Organizations with legitimate regulatory or technical needs to retain SMS/voice can contract directly with supported telecom carriers through the Microsoft Security Store starting October 30, 2026, though they will bear the associated costs.

Recommended Actions for Organizations

Microsoft urges immediate preparation:

  • Audit authentication policies to identify groups still relying on SMS/voice MFA.
  • Enable passkey support and choose synced or device‑bound types.
  • Use registration campaigns to drive adoption at scale.
  • Communicate proactively with users about upcoming prompts and changes.
  • Pilot telecom provider configurations if SMS/voice remains necessary.

Note: Government cloud environments (GCC, GCC High, DoD) will follow separate timelines.

Expert in the Cloud Insight

This move signals the end of passwords and phishable MFA in Microsoft’s ecosystem. By enforcing passkeys, Microsoft is not just responding to AI‑driven phishing but reshaping authentication standards globally.

For enterprises, the lesson is clear: prepare now, audit policies, and educate users. Waiting until February 2027 risks disruption — proactive adoption ensures resilience against evolving threats.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.