Key Takeaways
Passkeys Are Now the Default in Entra ID What You Need to Do Before February 2027

- Microsoft will auto-enable passkeys for all Entra ID users starting September 1, 2026
- SMS and voice authentication ends February 1, 2027 with no opt-out option
- Organizations still requiring SMS must configure third-party telecom providers and cover costs themselves
Microsoft is done asking nicely. Starting September 1, 2026, the company will make passkeys the default authentication method in Entra ID, its cloud-based identity service. By February 1, 2027, SMS and voice authentication will stop working entirely. There's no opt-out.
The move puts a hard deadline on enterprise passwordless adoption. For years, passkeys have been technically available but practically ignored by most organizations. Microsoft is betting that making them mandatory will accomplish what persuasion couldn't.
What's the rollout timeline?
Microsoft laid out a six-month transition period with specific milestones. IT teams need to mark these dates.
These dates apply to public cloud-hosted Entra ID. Other cloud environments will follow a separate schedule that Microsoft hasn't announced yet.
Why is Microsoft forcing this now?
The short answer: AI made phishing too good. Attackers now automate campaigns at scale, generate convincing login pages, and harvest credentials faster than training programs can educate users.
"That shift is significant as attackers increasingly rely on AI to automate phishing campaigns, generate convincing login pages, and conduct large-scale credential theft," said Ensar Seker, CISO at SOCRadar.
Passkeys sidestep the problem entirely. They use public-key cryptography instead of shared secrets. Your device holds a private key protected by biometrics or a PIN. The service only gets the public key. There's nothing to steal, nothing to phish.
"Even highly convincing AI-generated phishing pages cannot simply trick users into handing over a passkey the way they can with passwords or one-time codes," Seker noted.
Why haven't enterprises adopted passkeys already?
The technology works. The infrastructure doesn't. Most organizations still run legacy applications that only support passwords. Cross-platform compatibility remains inconsistent. Recovery processes aren't standardized. Shared accounts don't translate well to device-bound credentials.
Onboarding and offboarding employees with passkeys requires rethinking provisioning workflows. What happens when someone loses their phone? What about contractors who use personal devices? These operational questions have slowed adoption more than technical limitations.
"Until recently, many organizations viewed passkeys as a consumer technology rather than an enterprise identity strategy," Seker said.
Microsoft's move changes the calculus. Entra ID sits at the center of identity infrastructure for millions of organizations. When the default changes, behavior follows. As Nadim Abdo, Microsoft's corporate VP for identity and network access engineering, put it: passkeys "work better for users and worse for cyberattackers."
What happens to organizations that still need SMS?
Some industries face regulatory requirements mandating SMS-based authentication. Others have technical constraints that make passkeys impractical for certain use cases. Microsoft isn't abandoning them, but it's shifting the cost and responsibility.
Starting October 30, 2026, organizations that need SMS or voice authentication must select a supported telecom provider through the Microsoft Security Store. They'll handle the configuration and pay the telecom costs directly. Microsoft is getting out of the SMS delivery business.
This creates a two-tier system. Organizations that fully migrate to passkeys reduce costs and complexity. Those holding onto SMS authentication take on additional operational burden and expense.
What should IT teams do now?
Eighteen months sounds like a comfortable runway. It isn't. Passkey deployment requires auditing existing applications, updating authentication flows, training users, and building recovery procedures.
- Inventory every application that touches Entra ID and identify those that only support passwords
- Evaluate passkey storage options: hardware security keys like YubiKey, device-bound credentials, or cloud-synced passkeys
- Define recovery procedures for lost devices before users need them
- Plan for shared accounts and service accounts that can't use biometric authentication
- Budget for hardware keys if your workforce lacks corporate-managed devices
The biggest benefit, according to Seker, would be a "dramatic reduction" in credential-based attacks. Most breaches still start with stolen passwords from phishing, infostealers, or password reuse. Passkeys eliminate or significantly reduce those attack paths while cutting help desk costs from password resets.
Logicity's Take
Microsoft is using its market position to force an industry-wide security upgrade. That's a reasonable strategy given the threat landscape, but it creates real operational challenges for IT teams managing hybrid environments. Organizations running Azure AD alongside legacy identity providers like Okta, Ping Identity, or on-premises Active Directory need to plan carefully. The February 2027 deadline is firm. Starting passkey pilots now, rather than waiting for the auto-enrollment in September 2026, will avoid a scramble that disrupts users at the worst time.
Frequently Asked Questions
Can I opt out of Microsoft's passkey requirement?
No. After February 1, 2027, users must register a passkey before signing in to Entra ID. Organizations requiring SMS or voice must configure and pay for a third-party telecom provider.
What types of passkeys does Entra ID support?
Entra ID supports hardware security keys (like YubiKey), device-bound passkeys stored on computers or phones, and cloud-synced passkeys in your Microsoft, Apple, or Google account.
Does this affect on-premises Active Directory?
The announced timeline applies to public cloud-hosted Entra ID. On-premises Active Directory and other cloud environments will follow separate timelines that Microsoft hasn't published yet.
What happens if a user loses their device with their passkey?
Organizations need to establish recovery procedures before deployment. Options include backup passkeys on separate devices, hardware security keys, or temporary access through IT administrators.
Related: How passwordless authentication is expanding to AI agents
Need Help Implementing This?
Logicity covers identity and access management for IT leaders navigating enterprise security changes. Subscribe to our newsletter for deadline reminders and deployment guides as Microsoft releases additional details.
Source: Computerworld
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.





