Microsoft Is Changing How You Sign In. Are You Ready?

Microsoft 365
Jackie Bilodeau

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, writing, cheering on Bay Area sports teams, and traveling near and far as much as I can. Read more about my work at CGNET here.

July 14, 2026

If your organization uses Microsoft Entra ID for authentication, an important security change is on the horizon. And it’s one worth planning for now rather than later.

Beginning September 1, 2026, Microsoft will start making passkeys the default authentication method in Microsoft Entra. A few months later, on January 28, 2027, Microsoft will officially retire its built-in SMS and voice-based multifactor authentication (MFA) services.

It may sound like just another Microsoft update, but this is actually part of a much bigger shift in how organizations protect user identities.

Why Microsoft Is Making This Change

For years, SMS text messages and phone calls have been common second factors for MFA. They were a major improvement over passwords alone—but attackers have adapted.

Today’s cybercriminals routinely use phishing sites, SIM-swapping attacks, social engineering, and other techniques to intercept or bypass text messages and voice verification. As AI-generated phishing attacks become more sophisticated, those older authentication methods simply aren’t enough.

Microsoft’s answer is passkeys.

Unlike passwords or one-time codes, passkeys use cryptographic authentication tied to a trusted device or biometric verification such as Windows Hello, Face ID, Touch ID, or a fingerprint reader. Because there isn’t a reusable password or code to steal, passkeys are dramatically more resistant to phishing attacks.

The good news? Passkeys are already included with Microsoft Entra at no additional licensing cost.

What Changes and When

Microsoft is rolling out these changes over several months.

Starting September 1, 2026:

  • Passkeys will automatically be enabled for users who currently use SMS or voice authentication.
  • Microsoft will begin prompting users during MFA sign-ins to register a passkey.
  • Organizations can temporarily defer these changes while they complete their migration planning.

By October 30, 2026:

Organizations that still need SMS or voice authentication will be able to select a third-party telecom provider through the Microsoft Security Store.

On January 28, 2027:

Microsoft’s own SMS and voice authentication services will be retired.

Organizations that still want to use text messages or voice verification must have their own supported telecom provider configured. Those that don’t could experience sign-in disruptions for users who still rely on those authentication methods.

What This Means for IT Teams

For most organizations, this isn’t simply a feature toggle.

It’s an opportunity to modernize identity security while avoiding a last-minute scramble.

Now is a good time to:

  • Review how users currently authenticate.
  • Identify employees still relying on SMS or voice MFA.
  • Begin educating users about passkeys before Microsoft starts prompting them.
  • Test passkey deployment with a pilot group.
  • Determine whether any business processes still require SMS or voice authentication.
  • If they do, plan and configure a supported telecom provider well before the January 2027 deadline.

Organizations that start early will have plenty of time to train users, test deployment, and resolve any compatibility issues before Microsoft’s retirement date arrives.

The Bigger Picture

Identity has become the primary target for today’s attackers.

That’s why Microsoft—and much of the security industry—is moving toward passwordless, phishing-resistant authentication as the new standard. Passkeys aren’t just another security feature; they’re quickly becoming the foundation of modern identity protection.

For organizations already investing in Microsoft 365 security, this change represents an important step toward reducing one of the biggest risks in cybersecurity: compromised user credentials.

How CGNET Can Help

Transitioning to passkeys doesn’t have to be disruptive—but it does require planning.

CGNET can help your organization evaluate its current authentication methods, develop a migration strategy, deploy passkeys, configure Microsoft Entra policies, and determine whether continued SMS or voice authentication is necessary. We’ll also help ensure your users are prepared before Microsoft’s deadlines arrive.

The move to phishing-resistant authentication is coming. Starting now means a smoother transition, stronger security, and fewer surprises when these changes become mandatory.

 

For forty-three years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!

 

You May Also Like…

You May Also Like…

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This
Subscribe
CGNET
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.