Microsoft announced on 13 July 2026 that passkeys are now the default authentication method in Entra ID. At the same time, the clock is ticking on SMS and voice call MFA — both will be fully deprecated on 1 February 2027. If your users still rely on SMS codes to sign in, they will lose access on that date.
This post walks through exactly what changed, the full timeline, and how to use PowerShell + Microsoft Graph to find every user in your tenant who is at risk right now.
What Microsoft changed
The July 2026 update made three significant changes:
- Passkeys (FIDO2) are now the default — Entra ID will prefer passkey authentication over passwords + MFA for new sign-ins where the authenticator supports it.
- Microsoft Authenticator passkey registration is built in — users can register a passkey directly in the Authenticator app on iOS and Android without needing a hardware security key.
- SMS/voice deprecation is confirmed and non-reversible — there will be no extension. Tenant-level policies that currently allow SMS will stop being honoured after 1 February 2027.
Full timeline
| Date | What happens |
|---|---|
| 13 July 2026 | Passkeys set as default in Entra ID. Authenticator app passkey registration GA. |
| Now → Jan 2027 | Your migration window. Identify at-risk users, run registration campaigns, update Conditional Access. |
| 1 February 2027 | SMS and voice call MFA permanently disabled in all Entra ID tenants. No exceptions. |
Which auth methods are phishing-resistant?
Not all MFA is equal. Microsoft's deprecation only affects SMS and voice. The following methods will continue to work and are considered phishing-resistant:
| Method | Phishing-Resistant | Works after 1 Feb 2027 |
|---|---|---|
| FIDO2 / Passkey (hardware or Authenticator app) | ✅ Yes | ✅ Yes |
| Windows Hello for Business | ✅ Yes | ✅ Yes |
| Microsoft Authenticator (push / number match) | ⚠ Partial | ✅ Yes |
| TOTP / software OATH token | ❌ No | ✅ Yes |
| SMS / voice call | ❌ No | ❌ Disabled 1 Feb 2027 |
How to find at-risk users with PowerShell
The fastest way to understand your exposure is to query Microsoft Graph for every user's registered authentication methods. The two scripts below do this using app-only certificate authentication — no interactive sign-in required, safe to run from a scheduled task or automation pipeline.
Both scripts use Invoke-MgGraphRequest with REST calls and manual pagination. The older Get-MgUser -All pattern has a known bug with app-only cert auth that causes an AggregateException — avoid it.
UserAuthenticationMethod.Read.All permission only. They do not modify any user, policy, or authentication method.Script 1 — Passkey coverage report
This script checks a group (or your whole tenant) and produces a summary table showing passkey, Authenticator, and Windows Hello for Business coverage, plus a count of at-risk users.
# Connect with app-only cert auth $tenantId = 'YOUR-TENANT-ID' $clientId = 'YOUR-APP-CLIENT-ID' $thumbprint = 'YOUR-CERT-THUMBPRINT' Connect-MgGraph -ClientId $clientId -TenantId $tenantId ` -CertificateThumbprint $thumbprint -NoWelcome # Get group members (paginated) $groupName = 'YOUR-GROUP-NAME' $groupSearch = Invoke-MgGraphRequest -Method GET ` -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$groupName'&`$select=id,displayName" $groupId = $groupSearch.value[0].id $users = [System.Collections.Generic.List[PSObject]]::new() $uri = "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999" do { $page = Invoke-MgGraphRequest -Uri $uri -Method GET foreach ($u in $page.value) { if ($u.'@odata.type' -eq '#microsoft.graph.user' -and $u.accountEnabled) { $users.Add([PSCustomObject]$u) } } $uri = $page.'@odata.nextLink' } while ($uri) # Check each user's auth methods foreach ($user in $users) { $resp = Invoke-MgGraphRequest -Method GET ` -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)/authentication/methods" $types = $resp.value.'@odata.type' $hasFIDO2 = $types -contains '#microsoft.graph.fido2AuthenticationMethod' $hasAuth = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' $hasWHfB = $types -contains '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' $hasSMS = $types -contains '#microsoft.graph.phoneAuthenticationMethod' $atRisk = $hasSMS -and -not $hasFIDO2 -and -not $hasAuth -and -not $hasWHfB ... } Disconnect-MgGraph | Out-Null
Script 2 — Export at-risk users to CSV
This script finds every user who has SMS registered but no passkey, Authenticator app, or Windows Hello for Business — and exports them to a CSV file ready for your registration campaign.
# Same app-only cert auth connection as above Connect-MgGraph -ClientId $clientId -TenantId $tenantId ` -CertificateThumbprint $thumbprint -NoWelcome # For each user, check if SMS-only (at risk) $atRisk = $hasSMS -and -not $hasPasskey -and -not $hasAuth -and -not $hasWHfB if ($atRisk) { $results.Add([PSCustomObject]@{ DisplayName = $user.displayName UPN = $user.userPrincipalName HasSMS_Voice = $hasSMS HasPasskey_FIDO2 = $hasPasskey HasAuthenticator = $hasAuth HasWHfB = $hasWHfB RiskLevel = 'HIGH - Will lose MFA access on 1 Feb 2027' }) } # Export at-risk users to CSV $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 Write-Host "Exported to: $OutputPath" -ForegroundColor Yellow
How the scripts work
Both scripts follow the same three-step pattern:
- App-only certificate auth — connects to Microsoft Graph using
Connect-MgGraph -CertificateThumbprint. No user prompt, safe for automation. Requires an Entra app registration withUserAuthenticationMethod.Read.Allapplication permission. - Paginated group/user query — uses
Invoke-MgGraphRequestwith@odata.nextLinkpagination to handle groups of any size, not just the first 100 users. - Auth method check — calls
/users/{id}/authentication/methodsfor each user and checks the@odata.typefield to identify which methods are registered.
| @odata.type value | What it means |
|---|---|
#microsoft.graph.fido2AuthenticationMethod | Passkey / hardware security key |
#microsoft.graph.microsoftAuthenticatorAuthenticationMethod | Authenticator app (push or passkey) |
#microsoft.graph.windowsHelloForBusinessAuthenticationMethod | Windows Hello for Business |
#microsoft.graph.phoneAuthenticationMethod | SMS or voice call ⚠ deprecated 1 Feb 2027 |
#microsoft.graph.softwareOathAuthenticationMethod | TOTP / software OATH token |
Real-world test results
I ran Script 1 against a pilot group of 7 users to validate it before going tenant-wide. Here's the actual output:
Connecting to Microsoft Graph... Looking up group: [REDACTED-GROUP-NAME] Found group: [REDACTED-GROUP-NAME] (ID: [REDACTED]) Fetching group members... ============================================================ PASSKEY REGISTRATION STATUS - 14 Jul 2026 ============================================================ Total enabled users : 7 FIDO2 / Passkey registered : 0 Microsoft Authenticator : 4 Windows Hello for Business : 7 SMS / Voice registered : 6 ------------------------------------------------------------ At-risk (SMS only, no alt) : 0 (0%) Phishing-resistant coverage : 157.1% ============================================================ All users have a phishing-resistant credential. Ready for 1 Feb 2027.
- FIDO2 / Passkey: 0 — none of the 7 users have a hardware key or Authenticator passkey yet. That's expected in most tenants right now.
- Windows Hello for Business: 7 — all users have WHfB, which is phishing-resistant. This is why the at-risk count is 0.
- SMS / Voice: 6 — 6 out of 7 still have SMS registered, but since they also have WHfB, they're not at risk. SMS will just stop working for them on 1 Feb 2027 — they won't lose access.
- Coverage 157.1% — users can have multiple phishing-resistant methods, so coverage can exceed 100%.
What to do next
Once you have your CSV of at-risk users, the remediation steps are:
- Enable passkey (FIDO2) in your Authentication Methods policy — Entra admin centre → Protection → Authentication methods → Passkey (FIDO2) → Enable for all users or a pilot group.
- Push Microsoft Authenticator registration via Intune — deploy a managed app config to pre-provision Authenticator on corporate iOS/Android devices. Users can then register a passkey directly inside the app.
- Run a registration campaign — use the CSV from Script 2 to target your at-risk population. Send them to aka.ms/mysecurityinfo to register.
- Update Conditional Access — create or update a CA policy requiring phishing-resistant MFA for your most sensitive workloads before the deadline.
- Re-run the report monthly — use Script 1 to track coverage improvement over time until you reach 100%.
- aka.ms/mysecurityinfo — end-user registration portal
- Authentication methods in Entra ID — Microsoft Learn
- Enable passkey sign-in for Entra ID — Microsoft Learn