Managing the Transition from SMS and Voice to Passkeys: What the Microsoft Deadline Means for Your Organization
Microsoft has announced the retirement of its natively provided Short Message Service (SMS) and 2026-7-16 16:9:25 Author: www.guidepointsecurity.com(查看原文) 阅读量:1 收藏

Microsoft has announced the retirement of its natively provided Short Message Service (SMS) and voice Multi-Factor Authentication (MFA) delivery in Microsoft Entra ID, with full enforcement beginning February 1, 2027. For many organizations, SMS-based MFA has been a default and often unexamined, part of their authentication stack for years. That is about to change.

What is the Potential Impact of This Change?

Authentication changes tend to create operational urgency and this one is no exception. The most common reaction to an announcement like this is, “What exactly is Microsoft turning off?”

But the more important question is, “What does this change mean for our users and are we ready to handle it?”

This is where many organizations will get caught flat-footed. Retiring SMS and voice is not just a policy update. It has real implications for user experience, help desk volume, compliance posture and your ability to meet phishing-resistant authentication requirements if those are part of your regulatory framework. Organizations should use this window to evaluate not only authentication methods, but also identity governance processes, conditional access policies, privileged access controls and overall Entra ID security posture. 

What Is The Timeline and Process for the Transition from SMS and Voice to Passkeys?

The timeline for transitioning from SMS and voice to passkey authentication follows a three-phase process that starts now and ends early 2027:

  • September 1, 2026: Users still enabled for SMS or voice in the Entra Authentication Methods Policy will be automatically enabled for passkeys. Microsoft’s Registration Campaign will also be set to Microsoft Managed state for these users, prompting them to register a passkey the next time they complete MFA. By default, users can snooze this prompt indefinitely, but the clock is ticking.
  •  February 1, 2027: Microsoft-provided SMS and voice delivery will be fully retired in Entra ID. Any user whose only available MFA method is SMS or voice will receive a blocking passkey registration prompt. They cannot sign in until they register a passkey.
  • After February 1, 2027: There is no opt-out for passkey authentication. This enforcement applies to every tenant, regardless of size or industry.

Exceptions to the Timeline

Organizations that operate in regulated industries or have a legitimate operational need for SMS or voice will have an option to continue using these services: beginning October 30, 2026, Microsoft will allow customers to select a third-party telecom provider through the Microsoft Security Store. However, this path comes with additional cost, carrier evaluation and contractual setup. It is intended for edge cases, not the general user population.

Why the Shift to Passkey Authentication?

The short answer is security. SMS and voice authentication are among the weakest MFA methods in use today. They are vulnerable to SIM-swapping, phishing and real-time interception attacks. Passkeys, by contrast, use cryptographic keys tied to a specific device or credential manager. They cannot be intercepted, replayed or transferred to an attacker, making them significantly more resilient against the credential-based attacks that drive a large percentage of account compromises.

This move to phishing-resistant posture reflects where the broader industry is heading. This is consistent with CISA guidance, the NIST 800-63 update cycle and the increased regulatory focus on phishing-resistant authentication across frameworks like FedRAMP and CMMC.

Ensure a Smooth Transition by Starting Now

Like any major platform change, this announcement creates a natural inflection point. The organizations that handle this transition smoothly will be the ones that start early. This window between now and February is crucial for assessment. Organizations should consider which identities require the highest level of protection. Privileged administrators, service owners and high-risk users should be prioritized during planning because authentication weaknesses in these accounts can have a disproportionate impact. However, every identity that uses SMS or voice MFA will have to migrate by the cutoff date.

You can start by asking and answering these four questions:

  • Who is still using SMS or voice for MFA? Microsoft provides a PowerShell script specifically designed to identify these users. If you have not run this analysis yet, it should be the first step. Any non-zero result means you are in scope for this change.
  • What authentication methods are you currently enabling and are they consistent with your policy intent? Legacy MFA settings and Authentication Methods Policy (AMP) configurations can diverge over time, especially in organizations that have grown through mergers and acquisitions or that have accumulated technical debt in their identity environment.
  • Are your users on devices and platforms that support passkeys? Passkey registration relies on eligible devices, including Windows Hello for Business, Microsoft Authenticator, FIDO2 hardware security keys and platform credential managers like iCloud Keychain or Google Password Manager. Understanding your device estate is critical before you begin pushing registration campaigns.
  • Is your organization prepared to support a passkey rollout? Enabling passkeys in policy is not the same as successfully deploying them. Help desk readiness, user communications and staged rollout planning will determine whether this transition is smooth or disruptive.

Two Paths Forward

Microsoft is offering organizations two routes through this transition:

Path 1: Migrate to Passkeys 

For most organizations, migrating to passkeys will be the right path forward. There are no additional costs to migrate SMS and voice users to passkeys. Microsoft Authenticator, Windows Hello for Business and FIDO2 security keys all support passkey-based sign-in within Entra ID. Microsoft provides a deployment guide and Registration Campaign tooling to help drive adoption at scale.

Path 2: Configure a Third-Party Telecom Provider 

For organizations with a legitimate regulatory or operational requirement for SMS or voice Microsoft will enable a third-party telecom provider option through the Microsoft Security Store. Eligible use cases include organizations falling under certain compliance requirements, organizations using out-of-band authentication workflows and scenarios where passkey-eligible devices are not available. Details on available telecom providers, pricing and configuration will be published starting September 18, 2026, with customer selection available from October 30, 2026. This path introduces per-message costs and additional setup overhead. It is intended for specific use cases and should not be considered as a general-use alternative to passkeys.

How Can GuidePoint Security Help?

The organizations best positioned to navigate this change are those with a clear picture of their current posture and a structured plan for modernization. Successful migration requires more than enabling a new authentication method, it requires identity configurations, access policies, privileged accounts, user readiness and operational impacts. .

GuidePoint Security works with organizations at every stage of this kind of transition:

  • Identity security assessments help identify users still relying on SMS and voice, evaluate Entra ID authentication configurations, review Conditional Access policies and surface gaps in identity security posture. 
  • Engineering services assist in the configuration of passkey-eligible authentication policies, deployment of Registration Campaigns and implementation of Windows Hello for Business or Microsoft Authenticator at scale.
  • Advisory services help organizations determine whether a third-party telecom path is warranted given their compliance requirements and plan communications and change management for end users.

The February 1, 2027 deadline is real and it is non-negotiable for nearly all Microsoft Entra ID users. Organizations that start their evaluation now have time to assess their user population, stage their rollout and avoid the help desk spike that comes with a last-minute scramble. Organizations that wait may find themselves managing a blocking sign-in prompt for a significant portion of their workforce.

If your organization needs help assessing its identity posture, planning a passkey transition or strengthening Microsoft Entra ID security controls, GuidePoint Security can help you move from assessment to action.


文章来源: https://www.guidepointsecurity.com/blog/managing-the-transition-from-sms-and-voice-to-passkeys-microsoft-deadline/
如有侵权请联系:admin#unsafe.sh