Microsoft is killing SMS logins for business accounts. Passkeys take over in September 2026.

Entra ID, the sign-in system used by millions of companies, will switch to passkeys by default. Text-message codes get shut off in February 2027.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial shot of a modern laptop on a clean office desk, its screen showing a soft blurred login prompt with a fingerprint-style glyph glowing in blu
Share

Key points

  • Microsoft will make passkeys the default sign-in method for Entra ID, its enterprise login service, starting September 2026.
  • Microsoft will fully retire SMS and voice-call authentication across all business tenants on February 1, 2027.
  • Anyone currently using SMS or voice codes will be prompted to register a passkey the next time they log in.
  • Microsoft Threat Intelligence says AI-generated phishing emails now trick 54% of recipients into clicking, versus 12% for older campaigns.
  • Companies that still need phone-based codes after the deadline must bring their own telecom provider through the Microsoft Security Store.

Microsoft is finally pulling the plug on text-message logins for its business customers.

The company said this week that passkeys, a newer login method that uses your phone or laptop's built-in security chip instead of a password, will become the default way to sign into Entra ID from September 2026. Entra ID is the system most large employers use to control who gets into their email, files and internal apps. If you have ever logged into a work account with a Microsoft prompt, you have used it.

Anyone still receiving one-time codes by text message or automated phone call will be nudged onto passkeys automatically. The next time they do their usual multi-factor check, meaning the second step after typing a password, they will be asked to set one up.

Then, on February 1, 2027, Microsoft turns the old system off for good.

After that date, Microsoft will no longer send SMS or voice codes on behalf of its business customers. Companies that genuinely still need phone-based codes, some regulated industries do, will have to hire a third-party telecom company through the Microsoft Security Store and wire it in themselves.

People who already use passkeys, Windows Hello for Business, physical FIDO2 security keys (a USB stick you tap to log in), or smart cards will not see any change. Those methods already resist phishing, where criminals send fake login pages to steal your credentials, so Microsoft is leaving them alone.

Why is Microsoft doing this now?

Because text-message codes have become one of the easiest things for criminals to steal. Microsoft's own threat researchers say phishing emails written with the help of AI are now getting a 54% click-through rate, compared with about 12% for the clunkier old-school versions. Once a victim clicks, a fake login page can grab both the password and the six-digit text-message code in real time and pass them to the attacker.

Passkeys sidestep that trick. There is no code to type in and forward to a criminal. The login is bound to the specific website and the specific device, so a fake page simply cannot complete the handshake.

As BleepingComputer noted in its coverage, this shift lands during a rough patch for Microsoft's business logins. The extortion crew known as ShinyHunters has spent much of the past year hoovering up Entra single sign-on credentials and using them to raid the software-as-a-service apps sitting behind them. Stolen passwords plus a phishable text code is exactly the combination they thrive on.

What should IT teams do before the deadline?

Find out who is still on SMS or voice, and move them.

Microsoft has published a PowerShell script, the Entra SMS/Voice Policy Scanner, that admins with the right read-only roles can run to list affected users. From there, the recommended path is to roll out passkeys, Windows Hello for Business or physical security keys well before the February 2027 cutoff. Leave it late and staff will find themselves locked out of their own accounts on a Monday morning.

For ordinary workers, the change should be mostly invisible. Expect a prompt from your IT department some time in 2026 asking you to register your face, fingerprint or a small USB key as your new sign-in. It is a one-time bit of setup, and it means one less password to forget.

© 2026 Threat Vectr