Microsoft Entra ID: Passkeys Will Become the Standard Starting in September 2026
This text was generated using artificial intelligence (AI).On July 13, 2026, Microsoft announced a strategic change to its identity and access management system, Microsoft Entra ID. Starting September 1, 2026, passkeys will be phased in as the default method for multi-factor authentication (MFA). The goal of this measure is to strengthen account security through phishing-resistant login methods while phasing out vulnerable methods such as SMS and voice calls.
The transition affects all organizations using Microsoft Entra ID in the public cloud. Separate timelines will be announced for other cloud environments. The official Microsoft announcement is available in the Microsoft 365 Message Center at MC1426371 available.
Update July 14, 2026: In addition, a critical vulnerability in Microsoft Exchange Server has been disclosed (CVE-2026-55008, CVSS 9.6). The vulnerability allows remote code execution and affects multiple versions of Exchange. See below for details.
The Facts at a Glance
Passkeys as the standard: Starting September 1, 2026, users will be prompted to register passkeys; starting February 1, 2027, this will be mandatory.
SMS/Voice will be turned off: Microsoft's native services for SMS and voice sign-in will end on February 1, 2027. Third-party integration via the Microsoft Security Store will remain available.
Affected platform: Microsoft Entra ID (Public Cloud).
Critical Exchange Vulnerability: CVE-2026-55008 (CVSS 9.6) affects Exchange Server 2016 CU23, 2019 CU14/CU15, and the Subscription Edition RTM. Remote code execution is possible without authentication; user interaction is required.
The timeline for the transition
To ensure a smooth implementation, Microsoft has published a phased rollout plan. IT administrators should take note of the following dates:
Effective August 1, 2026: API support will be available to configure a temporary opt-out for the passkey rollout.
Effective September 1, 2026: When logging in via MFA, users are offered the option to register a passkey. Participation is still optional at this stage.
Effective September 18, 2026: Microsoft publishes information about supported third-party telecommunications service providers in the Microsoft Security Store.
Effective October 30, 2026: Administrators can configure third-party telecommunications services in the Microsoft Security Store for SMS and voice sign-in.
Effective February 1, 2027: Microsoft's native SMS and voice services will be discontinued. The prompt to register for a passkey will become mandatory for all affected users and can no longer be skipped.
Need for Action and Options for Administrators
Companies must adapt their authentication strategies to this new framework. The transition period, which runs through February 2027, provides time to prepare internal processes and user communications.
Organizations that continue to rely on SMS- or voice-based authentication must turn to third-party solutions that can be integrated through the Microsoft Security Store. However, Microsoft clearly recommends switching to methods that are completely resistant to phishing.
Users who already use secure methods such as Windows Hello for Business, FIDO2 Security Keys, use certificate-based authentication or smart cards, are not affected by the new registration prompt, according to Microsoft Learn.
Critical Vulnerability in Microsoft Exchange Server (CVE-2026-55008)
In conjunction with the passkey migration, a critical security vulnerability in Microsoft Exchange Server was disclosed on July 14, 2026. The vulnerability, CVE-2026-55008, received a CVSS score of 9.6 and allows remote code execution over the network.
Technical Details
The vulnerability affects the following versions of Exchange:
Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 15
Microsoft Exchange Server Subscription Edition RTM
An attacker can exploit the vulnerability without prior authentication (PR:N), but user interaction is required (UI:R). The attack vector is network-based (AV:N) with low attack complexity (AC:L). If successfully exploited, high impacts on confidentiality, integrity, and availability are possible (C:H/I:H/A:H). The scope is „Changed“ (S:C), which means that the impact may extend beyond the vulnerable component.
Assessment and Recommendations for Action
As of this publication, the patch status is unknown. There is no information available regarding active exploitation or inclusion in the CISA KEV list. Organizations with Exchange servers running the affected versions should continuously monitor the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008 and prioritize the installation of available security updates.
The combination of a high CVSS score, a network-based attack vector, and the potential for remote code execution makes CVE-2026-55008 a critical threat to Exchange infrastructures. Until a patch is available, administrators should consider mitigating measures such as network segmentation, enhanced monitoring, and access restrictions on Exchange services.
Relevance for Organizations in Germany, Austria, and Switzerland
This transition is particularly relevant for companies subject to NIS 2 and KRITIS operators in Germany: The use of phishing-resistant authentication methods complies with the requirements for technical security measures under Section 30 of the BSIG. The BSI explicitly recommends FIDO2-based methods and passkeys as strong authentication methods. Organizations that use Microsoft Entra ID as their central identity service should also include the transition in their GDPR-compliant change documentation and verify whether the change to the authentication infrastructure requires internal risk assessments in accordance with ISO 27001.
The Exchange vulnerability CVE-2026-55008 underscores the urgency of a comprehensive Microsoft security management approach. Organizations with Exchange servers must include this vulnerability in their risk assessment in accordance with ISO 27001 Annex A 8.8 (Vulnerability Management) and document it.
Classification from the EASM and VRM Perspectives
A change in authentication methods at a central identity provider such as Microsoft has a direct impact on the external attack surface and supplier risk management.
External Attack Surface Management (EASM): Microsoft Entra ID is an externally accessible service whose sign-in portals are part of an organization’s digital infrastructure. An EASM platform such as LocateRisk identifies these and other exposed authentication endpoints (e.g., for VPNs or cloud services). Knowing which systems depend on Entra ID is essential for assessing the impact of this policy change on your organization’s security posture. At the same time, externally accessible Exchange servers must be identified and checked for vulnerability to CVE-2026-55008.
Vendor Risk Management (VRM): Microsoft is a critical supplier for most companies. A mandatory change to security policies is a significant event in cyber supply chain risk management. Continuous monitoring as part of VRM helps identify such changes among strategic partners and ensure an organization’s own compliance with standards such as NIS-2 or ISO 27001, which require active management of supplier risks. The Exchange vulnerability underscores the need to also monitor patch management processes for critical Microsoft products within the VRM context.
Here's How LocateRisk Can Help You
The LocateRisk platform provides you with the necessary visibility into your external attack surface and the security posture of your suppliers. Identify all external systems that rely on Microsoft Entra ID for authentication, and assess the security performance of your critical technology partners. Identify exposed Exchange servers and other Microsoft services in your infrastructure to quickly locate and prioritize vulnerabilities such as CVE-2026-55008.
Our „Made in Germany“ solution is hosted in certified German data centers—designed to meet GDPR requirements and with reduced risks associated with exposure to the U.S. Cloud Act.
All organizations and users who use Microsoft Entra ID in the public cloud. The exception is users who already use another phishing-resistant authentication method, such as Windows Hello for Business, FIDO2 security keys, or smart cards—according to Microsoft Learn, these users will not receive a new registration prompt.
Yes, the service will still be available, but no longer through Microsoft's native service. To use it, organizations must integrate a supported third-party telecommunications service provider via the Microsoft Security Store. Configuration will be possible starting October 30, 2026; Microsoft will publish information about available providers starting September 18, 2026.
Between September 1, 2026, and February 1, 2027, users can skip the prompt. After this deadline, the registration dialog will become mandatory. Affected users will then no longer be able to sign up without interacting with the prompt.
Check to see if you are running one of the affected versions: Exchange Server 2016 CU23, Exchange Server 2019 CU14 or CU15, or Exchange Server Subscription Edition RTM. Monitor the Microsoft Security Response Center for patch information and apply available updates immediately.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.