Advertisement
Security

Microsoft Mandates Passkeys for Entra ID

Microsoft is transitioning Entra ID to default passkey authentication, effectively sunsetting SMS and voice methods by early 2027.

··2 hours ago·2 min read
black and red steering wheel
Photo by FlyD on Unsplash
Advertisement

The landscape of enterprise identity security is undergoing a significant transformation as Microsoft prepares to phase out legacy multifactor authentication (MFA) protocols. By shifting the default authentication standard for Entra ID, the company aims to curb the efficacy of common credential-harvesting tactics that have long plagued corporate environments.

The Transition Toward Phishing Resistance

Beginning in September 2026, Microsoft will initiate a mandatory rollout of passkeys as the primary authentication method for Entra ID users. This change specifically targets those currently relying on phone-based SMS or voice authentication. Users who already utilize FIDO2 security keys, Windows Hello for Business, or smart cards will remain unaffected by this shift, as their current workflows already align with the company's push toward phishing-resistant standards.

The shift is not merely a policy update but a forced migration. As the rollout progresses across individual organizations, users will be prompted to register a passkey during their next MFA challenge. This transition marks the end of an era for telephony-based verification within Microsoft’s ecosystem, culminating in the total retirement of native SMS and voice capabilities by February 1, 2027.

Technical Implications for Administrators

For IT departments and security teams, the clock is ticking to identify legacy dependencies before the transition causes widespread sign-in disruptions. Admins holding roles such as Authentication policy administrator or Security reader can audit their user base using the the Entra SMS/Voice Policy Scanner PowerShell script. Should an organization find it absolutely necessary to continue using phone-based methods beyond the cutoff, they will be required to integrate third-party telecom providers via the Microsoft Security Store.

As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multifactor authentication, they'll be prompted to register a passkey.

— Microsoft, official announcement regarding the Entra ID authentication update.

Quantifiable Security Risks

Microsoft’s decision to sunset these legacy methods is rooted in empirical data highlighting the increased sophistication of modern identity attacks:

  • 54% click-through rate observed in AI-enabled phishing campaigns.
  • 12% click-through rate observed in traditional, non-AI phishing campaigns.
  • February 1, 2027 is the official retirement date for Microsoft-provided telecom delivery.
  • 570 flaws and 3 zero-days were addressed in the July 2026 Patch Tuesday update, illustrating the scale of active threats.

Securing the Corporate Perimeter

The urgency behind this update is underscored by the reality that identity systems are heavily targeted by sophisticated threat actors. Groups like ShinyHunters have demonstrated that using stolen credentials to bypass SSO protections is a viable path for large-scale data theft. By this dedicated documentation page, administrators can find resources to manage this shift. For organizations, the mandate serves as a clear signal: relying on phishable second factors is no longer an acceptable risk posture in an era where AI-augmented social engineering is reaching record-breaking success rates.

#microsoft#entra id#passkeys#cybersecurity#authentication

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement