If your organization uses Microsoft Entra ID for authentication, an important security change is on the horizon. And it’s one worth planning for now rather than later.
Beginning September 1, 2026, Microsoft will start making passkeys the default authentication method in Microsoft Entra. A few months later, on January 28, 2027, Microsoft will officially retire its built-in SMS and voice-based multifactor authentication (MFA) services.
It may sound like just another Microsoft update, but this is actually part of a much bigger shift in how organizations protect user identities.
Why Microsoft Is Making This Change
For years, SMS text messages and phone calls have been common second factors for MFA. They were a major improvement over passwords alone—but attackers have adapted.
Today’s cybercriminals routinely use phishing sites, SIM-swapping attacks, social engineering, and other techniques to intercept or bypass text messages and voice verification. As AI-generated phishing attacks become more sophisticated, those older authentication methods simply aren’t enough.
Microsoft’s answer is passkeys.
Unlike passwords or one-time codes, passkeys use cryptographic authentication tied to a trusted device or biometric verification such as Windows Hello, Face ID, Touch ID, or a fingerprint reader. Because there isn’t a reusable password or code to steal, passkeys are dramatically more resistant to phishing attacks.
The good news? Passkeys are already included with Microsoft Entra at no additional licensing cost.
What Changes and When
Microsoft is rolling out these changes over several months.
Starting September 1, 2026:
- Passkeys will automatically be enabled for users who currently use SMS or voice authentication.
- Microsoft will begin prompting users during MFA sign-ins to register a passkey.
- Organizations can temporarily defer these changes while they complete their migration planning.
By October 30, 2026:
Organizations that still need SMS or voice authentication will be able to select a third-party telecom provider through the Microsoft Security Store.
On January 28, 2027:
Microsoft’s own SMS and voice authentication services will be retired.
Organizations that still want to use text messages or voice verification must have their own supported telecom provider configured. Those that don’t could experience sign-in disruptions for users who still rely on those authentication methods.
What This Means for IT Teams
For most organizations, this isn’t simply a feature toggle.
It’s an opportunity to modernize identity security while avoiding a last-minute scramble.
Now is a good time to:
- Review how users currently authenticate.
- Identify employees still relying on SMS or voice MFA.
- Begin educating users about passkeys before Microsoft starts prompting them.
- Test passkey deployment with a pilot group.
- Determine whether any business processes still require SMS or voice authentication.
- If they do, plan and configure a supported telecom provider well before the January 2027 deadline.
Organizations that start early will have plenty of time to train users, test deployment, and resolve any compatibility issues before Microsoft’s retirement date arrives.
The Bigger Picture
Identity has become the primary target for today’s attackers.
That’s why Microsoft—and much of the security industry—is moving toward passwordless, phishing-resistant authentication as the new standard. Passkeys aren’t just another security feature; they’re quickly becoming the foundation of modern identity protection.
For organizations already investing in Microsoft 365 security, this change represents an important step toward reducing one of the biggest risks in cybersecurity: compromised user credentials.
How CGNET Can Help
Transitioning to passkeys doesn’t have to be disruptive—but it does require planning.
CGNET can help your organization evaluate its current authentication methods, develop a migration strategy, deploy passkeys, configure Microsoft Entra policies, and determine whether continued SMS or voice authentication is necessary. We’ll also help ensure your users are prepared before Microsoft’s deadlines arrive.
The move to phishing-resistant authentication is coming. Starting now means a smoother transition, stronger security, and fewer surprises when these changes become mandatory.
For forty-three years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!




0 Comments