HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Entra ID Entra IDPasskeysFIDO2Phishing-Resistant MFASMS DeprecationMicrosoft AuthenticatorWindows Hello for BusinessAuthentication

Passkeys Are Now the Default in Entra ID: What You Need to Do Before February 2027

IA
Imran Awan
14 July 2026

Microsoft announced on 13 July 2026 that passkeys are now the default authentication method in Entra ID. At the same time, the clock is ticking on SMS and voice call MFA — both will be fully deprecated on 1 February 2027. If your users still rely on SMS codes to sign in, they will lose access on that date.

This post walks through exactly what changed, the full timeline, and how to use PowerShell + Microsoft Graph to find every user in your tenant who is at risk right now.

⚠ Hard deadlineSMS and voice call authentication will stop working in Microsoft Entra ID on 1 February 2027. Users who have not registered a passkey, Microsoft Authenticator, or Windows Hello for Business will be unable to complete MFA.

What Microsoft changed

The July 2026 update made three significant changes:

📋 Official sourceThis post is based on Microsoft's official announcement: Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID

Full timeline

DateWhat happens
13 July 2026Passkeys set as default in Entra ID. Authenticator app passkey registration GA.
Now → Jan 2027Your migration window. Identify at-risk users, run registration campaigns, update Conditional Access.
1 February 2027SMS and voice call MFA permanently disabled in all Entra ID tenants. No exceptions.

Which auth methods are phishing-resistant?

Not all MFA is equal. Microsoft's deprecation only affects SMS and voice. The following methods will continue to work and are considered phishing-resistant:

MethodPhishing-ResistantWorks after 1 Feb 2027
FIDO2 / Passkey (hardware or Authenticator app)✅ Yes✅ Yes
Windows Hello for Business✅ Yes✅ Yes
Microsoft Authenticator (push / number match)⚠ Partial✅ Yes
TOTP / software OATH token❌ No✅ Yes
SMS / voice call❌ NoDisabled 1 Feb 2027
⚠ Note on Authenticator appMicrosoft Authenticator push notifications with number matching are not fully phishing-resistant but they are not being deprecated. Users with Authenticator registered are safe after February 2027 — only SMS/voice is removed.

How to find at-risk users with PowerShell

The fastest way to understand your exposure is to query Microsoft Graph for every user's registered authentication methods. The two scripts below do this using app-only certificate authentication — no interactive sign-in required, safe to run from a scheduled task or automation pipeline.

Both scripts use Invoke-MgGraphRequest with REST calls and manual pagination. The older Get-MgUser -All pattern has a known bug with app-only cert auth that causes an AggregateException — avoid it.

✅ Read-onlyBoth scripts call Microsoft Graph with UserAuthenticationMethod.Read.All permission only. They do not modify any user, policy, or authentication method.

Script 1 — Passkey coverage report

This script checks a group (or your whole tenant) and produces a summary table showing passkey, Authenticator, and Windows Hello for Business coverage, plus a count of at-risk users.

Get-PasskeyRegistrationStatus.ps1
# Connect with app-only cert auth
$tenantId   = 'YOUR-TENANT-ID'
$clientId   = 'YOUR-APP-CLIENT-ID'
$thumbprint = 'YOUR-CERT-THUMBPRINT'
Connect-MgGraph -ClientId $clientId -TenantId $tenantId `
    -CertificateThumbprint $thumbprint -NoWelcome

# Get group members (paginated)
$groupName = 'YOUR-GROUP-NAME'
$groupSearch = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$groupName'&`$select=id,displayName"
$groupId = $groupSearch.value[0].id

$users = [System.Collections.Generic.List[PSObject]]::new()
$uri   = "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999"
do {
    $page = Invoke-MgGraphRequest -Uri $uri -Method GET
    foreach ($u in $page.value) {
        if ($u.'@odata.type' -eq '#microsoft.graph.user' -and $u.accountEnabled) {
            $users.Add([PSCustomObject]$u)
        }
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Check each user's auth methods
foreach ($user in $users) {
    $resp  = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)/authentication/methods"
    $types = $resp.value.'@odata.type'

    $hasFIDO2 = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
    $hasAuth  = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    $hasWHfB  = $types -contains '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
    $hasSMS   = $types -contains '#microsoft.graph.phoneAuthenticationMethod'
    $atRisk   = $hasSMS -and -not $hasFIDO2 -and -not $hasAuth -and -not $hasWHfB
    ...
}
Disconnect-MgGraph | Out-Null

Script 2 — Export at-risk users to CSV

This script finds every user who has SMS registered but no passkey, Authenticator app, or Windows Hello for Business — and exports them to a CSV file ready for your registration campaign.

Get-SMSOnlyUsers.ps1
# Same app-only cert auth connection as above
Connect-MgGraph -ClientId $clientId -TenantId $tenantId `
    -CertificateThumbprint $thumbprint -NoWelcome

# For each user, check if SMS-only (at risk)
$atRisk = $hasSMS -and -not $hasPasskey -and -not $hasAuth -and -not $hasWHfB

if ($atRisk) {
    $results.Add([PSCustomObject]@{
        DisplayName      = $user.displayName
        UPN              = $user.userPrincipalName
        HasSMS_Voice     = $hasSMS
        HasPasskey_FIDO2 = $hasPasskey
        HasAuthenticator = $hasAuth
        HasWHfB          = $hasWHfB
        RiskLevel        = 'HIGH - Will lose MFA access on 1 Feb 2027'
    })
}

# Export at-risk users to CSV
$results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Host "Exported to: $OutputPath" -ForegroundColor Yellow

How the scripts work

Both scripts follow the same three-step pattern:

  1. App-only certificate auth — connects to Microsoft Graph using Connect-MgGraph -CertificateThumbprint. No user prompt, safe for automation. Requires an Entra app registration with UserAuthenticationMethod.Read.All application permission.
  2. Paginated group/user query — uses Invoke-MgGraphRequest with @odata.nextLink pagination to handle groups of any size, not just the first 100 users.
  3. Auth method check — calls /users/{id}/authentication/methods for each user and checks the @odata.type field to identify which methods are registered.
@odata.type valueWhat it means
#microsoft.graph.fido2AuthenticationMethodPasskey / hardware security key
#microsoft.graph.microsoftAuthenticatorAuthenticationMethodAuthenticator app (push or passkey)
#microsoft.graph.windowsHelloForBusinessAuthenticationMethodWindows Hello for Business
#microsoft.graph.phoneAuthenticationMethodSMS or voice call ⚠ deprecated 1 Feb 2027
#microsoft.graph.softwareOathAuthenticationMethodTOTP / software OATH token
PowerShell scripts on GitHub
The full scripts — including app registration setup instructions, error handling, and progress indicators — are published in the Daily-Tasks repository. Download them, add your own tenant credentials, and run against a test group before going tenant-wide.
View scripts on GitHub →

Real-world test results

I ran Script 1 against a pilot group of 7 users to validate it before going tenant-wide. Here's the actual output:

PowerShell output — pilot group (7 users)
Connecting to Microsoft Graph...
Looking up group: [REDACTED-GROUP-NAME]
Found group: [REDACTED-GROUP-NAME] (ID: [REDACTED])
Fetching group members...

============================================================
  PASSKEY REGISTRATION STATUS - 14 Jul 2026
============================================================

  Total enabled users         : 7
  FIDO2 / Passkey registered  : 0
  Microsoft Authenticator     : 4
  Windows Hello for Business  : 7
  SMS / Voice registered      : 6

------------------------------------------------------------
  At-risk (SMS only, no alt)  : 0 (0%)
  Phishing-resistant coverage : 157.1%
============================================================

All users have a phishing-resistant credential. Ready for 1 Feb 2027.
📊 Reading the results

What to do next

Once you have your CSV of at-risk users, the remediation steps are:

  1. Enable passkey (FIDO2) in your Authentication Methods policy — Entra admin centre → Protection → Authentication methods → Passkey (FIDO2) → Enable for all users or a pilot group.
  2. Push Microsoft Authenticator registration via Intune — deploy a managed app config to pre-provision Authenticator on corporate iOS/Android devices. Users can then register a passkey directly inside the app.
  3. Run a registration campaign — use the CSV from Script 2 to target your at-risk population. Send them to aka.ms/mysecurityinfo to register.
  4. Update Conditional Access — create or update a CA policy requiring phishing-resistant MFA for your most sensitive workloads before the deadline.
  5. Re-run the report monthly — use Script 1 to track coverage improvement over time until you reach 100%.
✅ Useful links
Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Entra ID
How to Enable Passkeys with Microsoft Authenticator in Microsoft…
Passkeys in Microsoft Authenticator give your users phishing-resistant authentication…
Entra ID
The Primary Refresh Token (PRT): How Entra ID SSO Actually Works…
The PRT is the token that powers silent SSO across every Microsoft 365 app on your…
Entra ID
Entra Conditional Access: WHfB Enforcement Deadline July 2026
Microsoft's July 2026 deadline for phishing-resistant MFA enforcement is approaching.…