The dates Microsoft has already fixed
Microsoft published the change on 13 July in a security-blog post that reads like a routine identity upgrade, and it carries four dates. From 1 September 2026, every Entra ID user currently enabled for SMS or voice authentication is automatically enabled for passkeys and prompted to register one at their next multifactor prompt. On 18 September, Microsoft says it will name the supported telecom providers, their pricing and their commercial terms in the Microsoft Security Store. From 30 October, administrators can select and configure one of those providers.
The date that ends the argument is 1 February 2027. On that day Microsoft discontinues SMS and voice delivery as a native capability of Entra ID. Tenants that have not contracted a customer-managed telecom provider by then cannot use a texted or spoken code as a second factor at all, and users who depended on one must register a passkey before they can sign in. Microsoft states plainly that after that date there is no opt-out.
A deadline arrives before a price
Read those dates in order and the sequencing is the story. The retirement is fixed for 1 February 2027. The price of the only supported way to keep SMS and voice is not published until 18 September 2026, and cannot be configured until 30 October. An organisation therefore has to decide how it will move tens of thousands of authentication events before it can put a number on the alternative to moving them.
This is not a security decision dressed up as a billing one. It is both at once. A capability that shipped inside the Entra licence becomes, for anyone who still needs it, a contracted purchase from a third-party carrier through Microsoft's marketplace. The phishable method is being removed, which is defensible, and the supported way to keep it becomes a procurement exercise with a supplier, a contract and a cost that nobody outside Microsoft can quote yet.
The accounts that break have no phone
Passkeys assume a person has a device they control and can authenticate on with a biometric or a PIN. Most desk-based staff do. The accounts that leaned on a texted code are frequently the ones that do not: warehouse and shop-floor workers on shared terminals, shift staff with no company handset, seasonal and contract workers, and field engineers whose personal phone was never enrolled in anything. SMS was the lowest-common-denominator second factor precisely because it required no enrolment and no managed device.
Replacing it for those users means issuing something, either a managed phone or a FIDO2 hardware key per head, and that is a capital line and a logistics job rather than a settings change. In the UK the NCSC has spent years urging organisations off SMS codes towards phishing-resistant methods, so the direction is not a surprise. The bill for the last mile of users is. That decision is not one an identity administrator can take alone in the final week of January 2027.
What to settle before 1 August
The useful deadline is not February. Microsoft's own guidance puts the temporary opt-out for the September-to-February window, and the API needed to apply it, at 1 August 2026. That is roughly two weeks away, and it is the moment an organisation needs an answer to one question: do we let the passkey rollout begin on 1 September, or do we hold it while we work out who cannot be enrolled?
Answering that needs a count, not an opinion. Pull the list of accounts whose only registered method is SMS or voice, split it into people who own an enrollable device and people who do not, then price the second group. If the number is small, take the rollout and finish early. If it is not, take the opt-out in August, use the autumn to buy keys or handsets, and treat 18 September as the day you learn what the fallback would have cost instead.
Read next: Rotate Every Secret Grok Build Ever Saw | Opening One Email Can Hand Over Your Zimbra Mailbox



