Table of Contents
Entra Withdraws SMS One-Time Codes and Voice Calls
In what is an important and consequential notification (MC1426371) for Microsoft 365 tenants, Microsoft announced on 13 July 2026 that they are phasing out the Microsoft-provided SMS one-time codes (Figure 1) and voice call authentication services by February 1, 2027.

Microsoft wants customers to use passkeys for second-factor authentication instead and, if that’s not possible, those that must continue with SMS and voice challenge methods will have to receive those services from a telecom provider via the Microsoft Security Store (from September 18, 2026).
Removing Weak Authentication Methods
It’s long been known that phone-based authentication methods can be compromised. These methods depend on shared secrets and public telecom networks that are vulnerable to SIM-swapping (where an attacker convinces a mobile carrier to transfer a victim’s number to a SIM card under their control), message interception, number reassignment, and social-engineering attacks. Passkeys use public-key cryptography and are therefore resistant to these attack techniques.
Over the past few years, Microsoft has steadily turned up the pressure for tenants to move away from SMS and voice to embrace stronger authentication methods like the Microsoft Authenticator app and passkeys. Introducing features like allowing conditional access policies to require a particular authentication strength before accepting connections and launching registration campaigns to convince users to upgrade their multifactor authentication (MFA) configuration.
In 2024, Microsoft said that SMS and voice were used for 44% of all MFA responses and that SMS was 40% less effective at repelling compromise than the Authenticator app. The overall focus seemed like convincing users, especially administrators, to embrace MFA using any second-factor method. Making the Microsoft 365 admin interfaces require MFA was an important tactic in that respect.
Obviously, Microsoft feels that the time is now right to up the ante again by eliminating the weakest authentication methods for MFA. Perhaps they feel that passkeys have become better known and more acceptable in the wider Entra community. Certainly, passkeys received a lot of attention at the Ignite 2025 conference in November 2025 and the pace hasn’t lessened since.
Tenants In Preparation Mode from Now
In any case, tenants must now prepare for the phase out for phone-based authentication methods by February 1, 2027. Entra will automatically enable passkeys for users of SMS and voice methods in September 2026 and set the registration campaign for passkeys to “Microsoft managed” to nudge users to upgrade to passkeys in good time. Users can skip the nudge but will eventually have to create a passkey.
The campaign will continue in an effort to have as many users as possible upgrade before February 1. At that point, SMS and voice calls from Microsoft stop working and passkeys are the default authentication method. Using the Microsoft Authenticator app to respond to MFA challenges also remains an option. Those unprepared for the switchover “may experience sign-in disruptions.” In other words, they won’t be able to satisfy an MFA challenge and therefore won’t be able to connect. Cue pressure on help desks.
The passwords and authentication methods report PowerShell script can help identify users who still rely on SMS or voice authentication methods.
Microsoft says that they settled on passkeys as the “default authentication experience in Microsoft Entra to help customers securely adopt AI at scale.” Some might ask what about tenants who aren’t quite so eager to adopt AI at the scale or pace envisaged by Microsoft. Helpfully, they point out that passkeys are included in all Entra plans, so they don’t cost anything. This is unlike conditional access policies, which continue to require Entra P1 (unlike per-user MFA, which is included in Office 365 plans).
A Massive but Welcome Change
The retirement of Microsoft-provided SMS one-time codes and voice calls for authentication is arguably the most significant identity-related change Microsoft has announced since mandatory MFA for administrative accounts. Many tenants still have users who depend on telephony-based authentication. Those tenants now have less than seven months before Microsoft starts nudging those users toward passkeys and less than seven months after that before the old methods disappear.
But time and technology have moved on, and the most important thing is not to let a Microsoft 365 tenant be compromised. You cannot stop people from making mistakes, but you can make it harder for attackers to take advantage of mistakes, which is the great promise of passkeys.
unlike per-user MFA, which is included in Office 365 plans. I think it’s not.
As per ms article user mfa also requires entra id only security defaults is free.
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing.
How to enforce passkeys again it requires atleast entra id p1 license
Per-user MFA is included in Office 365 E3 and E5.
Conditional access policies to enforce MFA require either Entra ID P1 or P2 (risk-based).
Security Defaults use basic multifactor authentication, not the CA policies.
One challenge will be onboarding users with no existing MFA method, since passkey registration currently requires MFA first. Hopefully Microsoft addresses this before the SMS/voice retirement deadline.
I personally think that Microsoft has set a schedule that is too aggressive because many of the implementation details are not yet fully worked out. Techniques that work splendidly inside Microsoft’s own tenant or for sophisticated large-scale enterprise deployments might not be applicable to other tenants. We shall see in time.