
Microsoft has announced the retirement of its natively provided Short Message Service (SMS) and voice Multi-Factor Authentication (MFA) delivery in Microsoft Entra ID, with full enforcement beginning February 1, 2027. For many organizations, SMS-based MFA has been a default and often unexamined, part of their authentication stack for years. That is about to change.
TL;DR – Starting February 1, 2027, Microsoft will no longer provide native telecom delivery for SMS and voice authentication for Microsoft Entra ID. Passkeys will become the default phishing-resistant authentication experience.
Authentication changes tend to create operational urgency and this one is no exception. The most common reaction to an announcement like this is, “What exactly is Microsoft turning off?”
But the more important question is, “What does this change mean for our users and are we ready to handle it?”
This is where many organizations will get caught flat-footed. Retiring SMS and voice is not just a policy update. It has real implications for user experience, help desk volume, compliance posture and your ability to meet phishing-resistant authentication requirements if those are part of your regulatory framework. Organizations should use this window to evaluate not only authentication methods, but also identity governance processes, conditional access policies, privileged access controls and overall Entra ID security posture.
The timeline for transitioning from SMS and voice to passkey authentication follows a three-phase process that starts now and ends early 2027:
Organizations that operate in regulated industries or have a legitimate operational need for SMS or voice will have an option to continue using these services: beginning October 30, 2026, Microsoft will allow customers to select a third-party telecom provider through the Microsoft Security Store. However, this path comes with additional cost, carrier evaluation and contractual setup. It is intended for edge cases, not the general user population.
The short answer is security. SMS and voice authentication are among the weakest MFA methods in use today. They are vulnerable to SIM-swapping, phishing and real-time interception attacks. Passkeys, by contrast, use cryptographic keys tied to a specific device or credential manager. They cannot be intercepted, replayed or transferred to an attacker, making them significantly more resilient against the credential-based attacks that drive a large percentage of account compromises.
This move to phishing-resistant posture reflects where the broader industry is heading. This is consistent with CISA guidance, the NIST 800-63 update cycle and the increased regulatory focus on phishing-resistant authentication across frameworks like FedRAMP and CMMC.
Like any major platform change, this announcement creates a natural inflection point. The organizations that handle this transition smoothly will be the ones that start early. This window between now and February is crucial for assessment. Organizations should consider which identities require the highest level of protection. Privileged administrators, service owners and high-risk users should be prioritized during planning because authentication weaknesses in these accounts can have a disproportionate impact. However, every identity that uses SMS or voice MFA will have to migrate by the cutoff date.
You can start by asking and answering these four questions:
Microsoft is offering organizations two routes through this transition:
For most organizations, migrating to passkeys will be the right path forward. There are no additional costs to migrate SMS and voice users to passkeys. Microsoft Authenticator, Windows Hello for Business and FIDO2 security keys all support passkey-based sign-in within Entra ID. Microsoft provides a deployment guide and Registration Campaign tooling to help drive adoption at scale.
For organizations with a legitimate regulatory or operational requirement for SMS or voice Microsoft will enable a third-party telecom provider option through the Microsoft Security Store. Eligible use cases include organizations falling under certain compliance requirements, organizations using out-of-band authentication workflows and scenarios where passkey-eligible devices are not available. Details on available telecom providers, pricing and configuration will be published starting September 18, 2026, with customer selection available from October 30, 2026. This path introduces per-message costs and additional setup overhead. It is intended for specific use cases and should not be considered as a general-use alternative to passkeys.
The organizations best positioned to navigate this change are those with a clear picture of their current posture and a structured plan for modernization. Successful migration requires more than enabling a new authentication method, it requires identity configurations, access policies, privileged accounts, user readiness and operational impacts. .
GuidePoint Security works with organizations at every stage of this kind of transition:
The February 1, 2027 deadline is real and it is non-negotiable for nearly all Microsoft Entra ID users. Organizations that start their evaluation now have time to assess their user population, stage their rollout and avoid the help desk spike that comes with a last-minute scramble. Organizations that wait may find themselves managing a blocking sign-in prompt for a significant portion of their workforce.
If your organization needs help assessing its identity posture, planning a passkey transition or strengthening Microsoft Entra ID security controls, GuidePoint Security can help you move from assessment to action.