Microsoft Entra ID Will Retire SMS and Voice Authentication

speckx1 pts0 comments

Microsoft Entra ID Will Retire SMS and Voice Authentication — LazyAdmin

Skip to content

Amazon Prime Day! I have listed the best Smart Home Deals for you to expand your smart home. Read more here

-->

SMS and voice have been the fallback MFA method for years. Not because they are good, but because they always worked. Everybody has a phone, so everybody can receive a text message. That era is now ending.

Microsoft is making passkeys the default sign-in experience in Entra ID, and Microsoft-provided SMS and voice are being retired completely. The first change is already on September 1, 2026, and the final retirement is February 1, 2027. After that date, users whose only MFA method is a phone number will get a blocking prompt to register a passkey. No opt-out.

In this article

Toggle

In this article, we will look at what is changing, who is affected, the full timeline, and most importantly, how to find the users in your tenant that are still using SMS or voice.

What is Changing

There are really two changes bundled into one announcement, and it helps to keep them separate.

Passkeys become the default. Starting September 1, 2026, users that are enabled for SMS or voice will be automatically enabled for passkeys and nudged to register one when they sign in.

Microsoft-provided SMS and voice are retired. From February 1, 2027, Microsoft stops delivering the text messages and phone calls itself. If you still need a telecom channel after that date, you will have to bring your own provider through the Microsoft Security Store.

That second part is the one that surprises people. This is not "SMS is deprecated, please migrate at some point". Microsoft is getting out of the telecom business for authentication. The method still exists, but you now pay a carrier for it.

Good to know, this applies across Entra, including SSPR. If you have users resetting their password with a text message today, that flow is affected as well.

Who is Affected

You are in scope if you have users enabled for SMS or voice in the Authentication Methods Policy, or in the legacy MFA settings. Note the wording, it’s about being enabled for the method, not just having registered a phone number. If the SMS method is targeted at All users in your policy, you are in scope, even if only a handful of people actually use it.

Users that already sign in with passkeys, Windows Hello for Business, or another phishing-resistant method can keep using those methods. Nothing changes for them. But if they are still in scope of the SMS or voice policy, they can still get nudged to register a passkey.

This timeline applies to normal tenants only. Other cloud environments (GCC, GCC High, DoD) will follow later on their own schedule.

Retirement Timeline

DateWhat happensWhat you should doAugust 1, 2026API support for the temporary opt-out becomes availableOnly needed if you don’t want the September 1 changes yetSeptember 1, 2026SMS and voice users are auto-enabled for passkeys and nudged to registerNotify your users, prepare your passkey deploymentSeptember 18, 2026Telecom provider details published in the Microsoft Security StoreReview the options if you need to keep SMS or voiceOctober 30, 2026Telecom providers can be selected and configuredSet up and pilot your carrierFebruary 1, 2027Microsoft-provided SMS and voice are fully retiredEvery user must be on a phishing-resistant method by nowAfter February 1, 2027Users with only SMS or voice get a blocking passkey registration promptNothing left to do, this is enforced for all tenants

What Actually Happens on September 1

This is the part you want to understand before it happens, because a couple of settings in your tenant will change without you touching anything.

If you have users enabled for SMS or voice on September 1, 2026:

Those users are auto-enabled for passkeys in the Authentication Methods Policy. They are placed in a passkey profile that allows all passkey types, so both device-bound and synced passkeys.

Your registration campaign is set to Microsoft Managed, targeting passkeys, and these users are automatically brought into scope.

When they next sign in and complete MFA, they get the nudge to register a passkey. By default they have unlimited snoozes, with a daily reminder.

If you have been reading along with the auto-enabled passkey profiles in March 2026 change, this pattern will look familiar. Microsoft migrates your configuration for you, and the defaults may not be the defaults you would have picked.

The registration campaign change is the one I would look at closely. If you are currently running a campaign that points users to the Microsoft Authenticator app, it will start pointing them at passkeys instead, for a broader group of users. That is not necessarily wrong, but you want to know about it before your helpdesk finds out.

Note

There is a temporary opt-out for the September 1 through February 1 changes. It lets you delay the passkey and registration campaign enablement...

users voice microsoft passkeys passkey enabled

Related Articles