All posts

Microsoft kills SMS login by 2027, forces passkeys on Entra

Huma ShaziaJuly 17, 2026 at 6:16 AM5 min read
Microsoft kills SMS login by 2027, forces passkeys on Entra

Key Takeaways

Passkeys Are Now the Default in Entra ID What You Need to Do Before February 2027

Microsoft kills SMS login by 2027, forces passkeys on Entra
Source: Computerworld
  • Microsoft will auto-enable passkeys for all Entra ID users starting September 1, 2026
  • SMS and voice authentication ends February 1, 2027 with no opt-out option
  • Organizations still requiring SMS must configure third-party telecom providers and cover costs themselves

Microsoft is done asking nicely. Starting September 1, 2026, the company will make passkeys the default authentication method in Entra ID, its cloud-based identity service. By February 1, 2027, SMS and voice authentication will stop working entirely. There's no opt-out.

The move puts a hard deadline on enterprise passwordless adoption. For years, passkeys have been technically available but practically ignored by most organizations. Microsoft is betting that making them mandatory will accomplish what persuasion couldn't.

Advertisement

What's the rollout timeline?

Microsoft laid out a six-month transition period with specific milestones. IT teams need to mark these dates.

September 1, 2026
All SMS or voice-enabled users auto-enrolled and prompted to register a passkey at MFA sign-in
September 18, 2026
Microsoft publishes pricing and supported telecom providers for organizations that still need SMS/voice
October 30, 2026
Enterprises must configure a third-party telecom provider through Microsoft Security Store if they require SMS/voice
February 1, 2027
Microsoft-provided SMS and voice authentication ends. Passkey registration required before sign-in.

These dates apply to public cloud-hosted Entra ID. Other cloud environments will follow a separate schedule that Microsoft hasn't announced yet.

Why is Microsoft forcing this now?

The short answer: AI made phishing too good. Attackers now automate campaigns at scale, generate convincing login pages, and harvest credentials faster than training programs can educate users.

"That shift is significant as attackers increasingly rely on AI to automate phishing campaigns, generate convincing login pages, and conduct large-scale credential theft," said Ensar Seker, CISO at SOCRadar.

Passkeys sidestep the problem entirely. They use public-key cryptography instead of shared secrets. Your device holds a private key protected by biometrics or a PIN. The service only gets the public key. There's nothing to steal, nothing to phish.

"Even highly convincing AI-generated phishing pages cannot simply trick users into handing over a passkey the way they can with passwords or one-time codes," Seker noted.

80%+
of data breaches involve compromised credentials, according to Verizon's Data Breach Investigations Report

Why haven't enterprises adopted passkeys already?

The technology works. The infrastructure doesn't. Most organizations still run legacy applications that only support passwords. Cross-platform compatibility remains inconsistent. Recovery processes aren't standardized. Shared accounts don't translate well to device-bound credentials.

Onboarding and offboarding employees with passkeys requires rethinking provisioning workflows. What happens when someone loses their phone? What about contractors who use personal devices? These operational questions have slowed adoption more than technical limitations.

"Until recently, many organizations viewed passkeys as a consumer technology rather than an enterprise identity strategy," Seker said.

Microsoft's move changes the calculus. Entra ID sits at the center of identity infrastructure for millions of organizations. When the default changes, behavior follows. As Nadim Abdo, Microsoft's corporate VP for identity and network access engineering, put it: passkeys "work better for users and worse for cyberattackers."

Advertisement

What happens to organizations that still need SMS?

Some industries face regulatory requirements mandating SMS-based authentication. Others have technical constraints that make passkeys impractical for certain use cases. Microsoft isn't abandoning them, but it's shifting the cost and responsibility.

Starting October 30, 2026, organizations that need SMS or voice authentication must select a supported telecom provider through the Microsoft Security Store. They'll handle the configuration and pay the telecom costs directly. Microsoft is getting out of the SMS delivery business.

This creates a two-tier system. Organizations that fully migrate to passkeys reduce costs and complexity. Those holding onto SMS authentication take on additional operational burden and expense.

What should IT teams do now?

Eighteen months sounds like a comfortable runway. It isn't. Passkey deployment requires auditing existing applications, updating authentication flows, training users, and building recovery procedures.

  • Inventory every application that touches Entra ID and identify those that only support passwords
  • Evaluate passkey storage options: hardware security keys like YubiKey, device-bound credentials, or cloud-synced passkeys
  • Define recovery procedures for lost devices before users need them
  • Plan for shared accounts and service accounts that can't use biometric authentication
  • Budget for hardware keys if your workforce lacks corporate-managed devices

The biggest benefit, according to Seker, would be a "dramatic reduction" in credential-based attacks. Most breaches still start with stolen passwords from phishing, infostealers, or password reuse. Passkeys eliminate or significantly reduce those attack paths while cutting help desk costs from password resets.

ℹ️

Logicity's Take

Microsoft is using its market position to force an industry-wide security upgrade. That's a reasonable strategy given the threat landscape, but it creates real operational challenges for IT teams managing hybrid environments. Organizations running Azure AD alongside legacy identity providers like Okta, Ping Identity, or on-premises Active Directory need to plan carefully. The February 2027 deadline is firm. Starting passkey pilots now, rather than waiting for the auto-enrollment in September 2026, will avoid a scramble that disrupts users at the worst time.

Frequently Asked Questions

Can I opt out of Microsoft's passkey requirement?

No. After February 1, 2027, users must register a passkey before signing in to Entra ID. Organizations requiring SMS or voice must configure and pay for a third-party telecom provider.

What types of passkeys does Entra ID support?

Entra ID supports hardware security keys (like YubiKey), device-bound passkeys stored on computers or phones, and cloud-synced passkeys in your Microsoft, Apple, or Google account.

Does this affect on-premises Active Directory?

The announced timeline applies to public cloud-hosted Entra ID. On-premises Active Directory and other cloud environments will follow separate timelines that Microsoft hasn't published yet.

What happens if a user loses their device with their passkey?

Organizations need to establish recovery procedures before deployment. Options include backup passkeys on separate devices, hardware security keys, or temporary access through IT administrators.

Also Read
1Password lets Claude use logins without seeing passwords

Related: How passwordless authentication is expanding to AI agents

ℹ️

Need Help Implementing This?

Logicity covers identity and access management for IT leaders navigating enterprise security changes. Subscribe to our newsletter for deadline reminders and deployment guides as Microsoft releases additional details.

Source: Computerworld

Advertisement
H

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.