{"id":57894,"date":"2026-07-17T12:16:21","date_gmt":"2026-07-17T02:16:21","guid":{"rendered":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/"},"modified":"2026-07-17T12:17:55","modified_gmt":"2026-07-17T02:17:55","slug":"what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027","status":"publish","type":"post","link":"https:\/\/cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/","title":{"rendered":"What to Do About SMS and Voice MFA in Microsoft Entra by 2027"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In this blog post What to Do About SMS and Voice MFA in Microsoft Entra by 2027 we will explain what is changing, why it matters, and what your business should do before Microsoft retires native SMS and voice authentication.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p class=\"wp-block-paragraph\">If your staff still receive a text message or phone call to approve Microsoft 365 sign-ins, this change affects you. It may not feel urgent today, but by February 2027, organisations that rely on SMS or voice as their only MFA method could face user lockouts, helpdesk pressure, added telecom costs, and avoidable security risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At a high level, Microsoft is moving businesses away from older phone-based multi-factor authentication and toward passkeys. A passkey is a safer way to prove someone is who they say they are, usually using a device, face scan, fingerprint, PIN, or security key instead of a code sent over the phone network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This matters because attackers have become very good at stealing passwords and tricking people into handing over one-time codes. SMS and voice MFA are still better than password-only access, but they are no longer strong enough for many modern threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is actually changing in Microsoft Entra ID<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Entra ID is the identity system behind Microsoft 365, Azure, and many business applications. In plain English, it controls who can sign in, what they can access, and what checks they must pass before they get in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has announced two important changes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n <li><strong>From 1 September 2026<\/strong>, users who are enabled for SMS or voice MFA will start being prompted to register passkeys.<\/li>\n <li><strong>From 1 February 2027<\/strong>, Microsoft-provided SMS and voice delivery will be retired as a native Entra ID capability.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">After that point, users whose only MFA option is SMS or voice may be blocked until they register a passkey. There is no practical upside in waiting until the deadline.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your organisation still needs SMS or voice for a specific reason, such as a user group with accessibility needs, shared frontline scenarios, or legacy operating constraints, Microsoft is moving toward customer-managed telecom providers through the Microsoft Security Store. That likely means more administration and potentially extra cost.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why SMS and voice MFA are being phased out<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">SMS MFA works by sending a one-time code to a user\u2019s phone. Voice MFA calls the user and asks them to approve or enter a code. For years, this was a sensible step up from passwords alone.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The problem is that phone numbers are not identity. They can be redirected, socially engineered, intercepted, or moved to another SIM card through SIM swapping. Attackers also use fake Microsoft login pages that ask users to enter both their password and SMS code in real time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That is why phone-based MFA is often called \u201cphishable\u201d. It relies on a human seeing a code and typing it somewhere. If the page looks convincing enough, the user may hand the code straight to an attacker.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We covered this wider issue in Why Microsoft 365 Security Is More Than Just Turning on MFA. The short version is simple: MFA is important, but the type of MFA matters.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What passkeys are in plain English<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A passkey replaces the old pattern of \u201cpassword plus code\u201d with a safer sign-in method based on cryptographic keys. That sounds technical, but the concept is straightforward.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Think of it like a lock and key pair. Microsoft keeps the lock. Your device keeps the private key. When you sign in, your device proves it has the right key without sending the key itself across the internet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That makes passkeys much harder to phish. If a user lands on a fake login page, the passkey will not work for that fake site in the same way a typed SMS code might. The user experience is often easier too: approve with Windows Hello, a fingerprint, Face ID, Microsoft Authenticator, or a hardware security key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For business leaders, the outcome is not \u201cnew authentication technology\u201d. The outcome is fewer account takeovers, fewer password resets, less helpdesk noise, and stronger protection for Microsoft 365 data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The business risk of doing nothing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For a 50 to 500 person organisation, this is not just an IT setting. It affects payroll, finance, sales, operations, and anyone who depends on Microsoft 365 to work.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you leave the change until early 2027, you could face three avoidable problems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Staff may be interrupted at sign-in<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Users who only have SMS or voice configured may be forced to register a passkey before they can continue. That might be fine for a tech-savvy office worker on a managed laptop. It is less fine for a travelling executive, a warehouse supervisor, a contractor, or a frontline worker trying to access email before a shift.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The business cost is lost time. Even a few minutes per person becomes expensive when it happens across a whole company in the same week.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Your helpdesk will carry the pain<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Authentication changes always generate questions. \u201cWhy am I being asked for this?\u201d \u201cIs this a scam?\u201d \u201cWhat if I changed phones?\u201d \u201cCan I still use my old number?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the rollout is planned, those questions are manageable. If it happens by surprise, your internal IT team or external provider becomes reactive, and reactive work is nearly always more expensive.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Your security baseline may fall behind<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Many Australian organisations are already working toward the Essential 8, the Australian Government\u2019s cybersecurity framework that helps reduce common cyber risks. Stronger MFA supports that direction, especially when combined with conditional access, device management, patching, and monitoring.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Moving from SMS to passkeys is not just about Microsoft\u2019s deadline. It is about proving that your organisation is taking identity security seriously.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A real-world scenario<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Consider a 180-person professional services firm with offices in Melbourne, Sydney, and Brisbane. Most staff use Microsoft 365 every day. MFA was enabled years ago, but the default method was SMS because it was quick and easy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On paper, the business looked protected. In reality, more than half the workforce depended on phone numbers for sign-in. Several senior staff had personal mobile numbers tied to work accounts, and contractors were still covered by old MFA settings no one had reviewed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The fix was not complicated, but it needed planning. First, the organisation identified who was still using SMS or voice. Then it piloted passkeys with the finance team and executive assistants, because those users were higher risk. After that, it moved standard office users to Microsoft Authenticator passkeys and Windows Hello for Business, while keeping a small exception group for people who genuinely needed an alternative.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result was fewer risky sign-ins, fewer password-related tickets, and a cleaner path toward Essential 8-aligned identity controls. The important point: this was done calmly over weeks, not in a panic before a deadline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What tech leaders should do now<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You do not need to become an identity expert to manage this well. But you do need a clear plan and a provider who understands Microsoft Entra ID beyond the basics.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1. Find out who still uses SMS or voice<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Ask your IT team or provider for a report showing users enabled for SMS and voice MFA. Do not only ask who used SMS last week. Some users may be enabled for it as a fallback, which still matters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The report should separate employees, contractors, shared accounts, administrators, and break-glass emergency accounts. Admin accounts need special attention because they can cause the most damage if compromised.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2. Choose the right replacement methods<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For most Microsoft 365 environments, the main options are passkeys, Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. Windows Hello for Business lets users sign in with a PIN, fingerprint, or face recognition on a trusted work device. FIDO2 security keys are physical keys used for strong sign-in, often suited to administrators or high-risk users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The right answer may vary by role. Executives, finance staff, IT administrators, and users with access to sensitive client data may need stronger controls than occasional users.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3. Pilot before you roll out<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Start with a small group. Include a mix of office workers, remote staff, executives, and less technical users. Watch where people get stuck.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A good pilot gives you better instructions, fewer support calls, and more confidence before you move everyone else.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4. Update your access policies<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is where many businesses need help. Microsoft Entra Conditional Access policies decide when extra checks are required, such as when someone signs in from a new country, unmanaged device, or risky session.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Passkeys are stronger, but they should sit inside a wider security setup. That includes Microsoft Intune, which manages and secures company devices, Microsoft Defender, which helps detect threats, and monitoring tools that show unusual account behaviour.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If phishing is already on your board or risk register, our related article How to Reduce Phishing Risk with Microsoft 365 Defender is a useful next read.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5. Communicate in plain language<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Do not send staff a technical email about \u201cauthentication method retirement\u201d. Tell them what is changing, why it is safer, what they need to do, and how to get help.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also make it clear that not every MFA prompt is safe. Attackers still trick users into approving sign-ins or using legitimate login flows in the wrong way, as we discussed in AI-Powered Device Code Phishing Now Bypasses MFA.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Questions to ask your current IT provider<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you are not sure whether this is being handled, ask these questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n <li>How many of our users are still enabled for SMS or voice MFA?<\/li>\n <li>Which users have SMS or voice as their only registered method?<\/li>\n <li>Are administrator accounts using phishing-resistant MFA?<\/li>\n <li>Do we have a passkey rollout plan before September 2026?<\/li>\n <li>How will this affect contractors, shared devices, and frontline users?<\/li>\n <li>Are our Conditional Access policies aligned with Essential 8 expectations?<\/li>\n <li>What happens if a user loses their phone, laptop, or security key?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If the answers are vague, that is a sign to look more closely. Identity security is now one of the most important parts of your Microsoft 365 environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The bottom line<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">SMS and voice MFA helped many businesses improve security quickly. But the risk has changed, and Microsoft is now forcing the next step.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For Australian organisations, this is a good opportunity to tidy up identity settings, reduce phishing risk, improve user sign-in, and support Essential 8 compliance work. The key is to act before the change becomes urgent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CloudProInc is a Melbourne-based Microsoft Partner and Wiz Security Integrator with 20+ years of enterprise IT experience across Azure, Microsoft 365, Intune, Windows 365, OpenAI, Claude, Defender, and Wiz. We help businesses across Australia and internationally make these changes without turning them into a major disruption.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you are not sure how many people in your organisation still rely on SMS or voice MFA, we are happy to take a look and give you a clear, practical view of what needs to change before 2027.<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>Microsoft is retiring native SMS and voice MFA in Entra ID. Here is what Australian businesses should check now to avoid sign-in disruption and reduce phishing risk.<\/p>\n","protected":false},"author":1,"featured_media":57896,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_opengraph-title":"SMS and Voice MFA: Prepare Before 2027","_yoast_wpseo_opengraph-description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","_yoast_wpseo_twitter-title":"SMS and Voice MFA: Prepare Before 2027","_yoast_wpseo_twitter-description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[13,107,36,17],"tags":[],"class_list":["post-57894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-cybersecurity","category-entra-id","category-microsoft-365-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v28.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SMS and Voice MFA: Prepare Before 2027<\/title>\n<meta name=\"description\" content=\"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SMS and Voice MFA: Prepare Before 2027\" \/>\n<meta property=\"og:description\" content=\"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/\" \/>\n<meta property=\"og:site_name\" content=\"CPI Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-17T02:16:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-17T02:17:55+00:00\" \/>\n<meta name=\"author\" content=\"CPI Staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"SMS and Voice MFA: Prepare Before 2027\" \/>\n<meta name=\"twitter:description\" content=\"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"CPI Staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/\"},\"author\":{\"name\":\"CPI Staff\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\"},\"headline\":\"What to Do About SMS and Voice MFA in Microsoft Entra by 2027\",\"datePublished\":\"2026-07-17T02:16:21+00:00\",\"dateModified\":\"2026-07-17T02:17:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/\"},\"wordCount\":1800,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png\",\"articleSection\":[\"Blog\",\"Cybersecurity\",\"Entra ID\",\"Microsoft 365 Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/\",\"url\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/\",\"name\":\"SMS and Voice MFA: Prepare Before 2027\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png\",\"datePublished\":\"2026-07-17T02:16:21+00:00\",\"dateModified\":\"2026-07-17T02:17:55+00:00\",\"description\":\"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#primaryimage\",\"url\":\"\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/index.php\\\/2026\\\/07\\\/17\\\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What to Do About SMS and Voice MFA in Microsoft Entra by 2027\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#website\",\"url\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/\",\"name\":\"Cloud Pro Inc - CPI Consulting Pty Ltd\",\"description\":\"Cloud, AI &amp; Cybersecurity Consulting | Melbourne\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#organization\",\"name\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\",\"url\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"width\":500,\"height\":500,\"caption\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\"},\"image\":{\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\",\"name\":\"CPI Staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"caption\":\"CPI Staff\"},\"sameAs\":[\"http:\\\/\\\/www.cloudproinc.com.au\"],\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/author\\\/cpiadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SMS and Voice MFA: Prepare Before 2027","description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/","og_locale":"en_US","og_type":"article","og_title":"SMS and Voice MFA: Prepare Before 2027","og_description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","og_url":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/","og_site_name":"CPI Consulting","article_published_time":"2026-07-17T02:16:21+00:00","article_modified_time":"2026-07-17T02:17:55+00:00","author":"CPI Staff","twitter_card":"summary_large_image","twitter_title":"SMS and Voice MFA: Prepare Before 2027","twitter_description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","twitter_misc":{"Written by":"CPI Staff","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#article","isPartOf":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/"},"author":{"name":"CPI Staff","@id":"https:\/\/www.cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e"},"headline":"What to Do About SMS and Voice MFA in Microsoft Entra by 2027","datePublished":"2026-07-17T02:16:21+00:00","dateModified":"2026-07-17T02:17:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/"},"wordCount":1800,"commentCount":0,"publisher":{"@id":"https:\/\/www.cloudproinc.com.au\/#organization"},"image":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2026\/07\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png","articleSection":["Blog","Cybersecurity","Entra ID","Microsoft 365 Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/","url":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/","name":"SMS and Voice MFA: Prepare Before 2027","isPartOf":{"@id":"https:\/\/www.cloudproinc.com.au\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#primaryimage"},"image":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2026\/07\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png","datePublished":"2026-07-17T02:16:21+00:00","dateModified":"2026-07-17T02:17:55+00:00","description":"Learn why SMS and voice MFA are being phased out, how passkeys reduce sign-in risk, and what organisations should plan now to avoid disruption before 2027.","breadcrumb":{"@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#primaryimage","url":"\/wp-content\/uploads\/2026\/07\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png","contentUrl":"\/wp-content\/uploads\/2026\/07\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/www.cloudproinc.com.au\/index.php\/2026\/07\/17\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cloudproinc.com.au\/"},{"@type":"ListItem","position":2,"name":"What to Do About SMS and Voice MFA in Microsoft Entra by 2027"}]},{"@type":"WebSite","@id":"https:\/\/www.cloudproinc.com.au\/#website","url":"https:\/\/www.cloudproinc.com.au\/","name":"Cloud Pro Inc - CPI Consulting Pty Ltd","description":"Cloud, AI &amp; Cybersecurity Consulting | Melbourne","publisher":{"@id":"https:\/\/www.cloudproinc.com.au\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cloudproinc.com.au\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cloudproinc.com.au\/#organization","name":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd","url":"https:\/\/www.cloudproinc.com.au\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cloudproinc.com.au\/#\/schema\/logo\/image\/","url":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","contentUrl":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","width":500,"height":500,"caption":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd"},"image":{"@id":"https:\/\/www.cloudproinc.com.au\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e","name":"CPI Staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","caption":"CPI Staff"},"sameAs":["http:\/\/www.cloudproinc.com.au"],"url":"https:\/\/cloudproinc.com.au\/index.php\/author\/cpiadmin\/"}]}},"jetpack_featured_media_url":"\/wp-content\/uploads\/2026\/07\/what-to-do-about-sms-and-voice-mfa-in-microsoft-entra-by-2027.png","jetpack-related-posts":[{"id":57523,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/05\/01\/why-microsoft-365-security-is-more-than-just-turning-on-mfa\/","url_meta":{"origin":57894,"position":0},"title":"Why Microsoft 365 Security Is More Than Just Turning on MFA","author":"CPI Staff","date":"May 1, 2026","format":false,"excerpt":"When a business enables Multi-Factor Authentication and calls it \"done,\" they've taken one important step \u2014 but left the door wide open in a dozen other places. MFA blocks a significant portion of credential-based attacks. Microsoft's own data shows it stops over 99% of automated password-based attacks. That's meaningful. But\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png 1x, \/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png 1.5x, \/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png 2x, \/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png 3x, \/wp-content\/uploads\/2026\/05\/why-microsoft-365-security-is-more-than-just-turning-on-mfa-cover.png 4x"},"classes":[]},{"id":57511,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/04\/30\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults\/","url_meta":{"origin":57894,"position":1},"title":"The Microsoft 365 Tenant Looked Fine Until We Checked the Security Defaults","author":"CPI Staff","date":"April 30, 2026","format":false,"excerpt":"Every Microsoft 365 tenant tells a story. Emails flowing, Teams meetings running, SharePoint humming along. From the outside, everything looks operational. But operational is not the same as secure \u2014 and the gap between those two things is where breaches happen. When our team conducts a Microsoft 365 security assessment,\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png 1x, \/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png 1.5x, \/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png 2x, \/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png 3x, \/wp-content\/uploads\/2026\/04\/the-microsoft-365-tenant-looked-fine-until-we-checked-the-security-defaults-cover.png 4x"},"classes":[]},{"id":57413,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/04\/09\/ai-powered-device-code-phishing-now-bypasses-mfa-what-australian-organisations-must-do-next\/","url_meta":{"origin":57894,"position":2},"title":"AI-Powered Device Code Phishing Now Bypasses MFA \u2014 What Australian Organisations Must Do Next","author":"CPI Staff","date":"April 9, 2026","format":false,"excerpt":"Multi-factor authentication has been the security baseline for years. Most Australian organisations treat it as the final checkpoint \u2014 if MFA is in place, accounts are protected. That assumption just got a serious challenge. Microsoft Defender Security Research has exposed a widespread phishing campaign that bypasses MFA entirely. It abuses\u2026","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/ai\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png 1x, \/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png 1.5x, \/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png 2x, \/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png 3x, \/wp-content\/uploads\/2026\/04\/ai-powered-device-code-phishing-now-bypasses-mfa-cover.png 4x"},"classes":[]},{"id":56890,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/01\/23\/implement-zero-trust-with-entra-id-and-intune\/","url_meta":{"origin":57894,"position":3},"title":"Implement Zero Trust With Entra ID and Intune","author":"CPI Staff","date":"January 23, 2026","format":false,"excerpt":"Learn how to implement Zero Trust using Microsoft Entra ID and Intune with practical steps, key policies, and rollout tips. Secure access and devices without slowing users down.","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/01\/post-5.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/01\/post-5.png 1x, \/wp-content\/uploads\/2026\/01\/post-5.png 1.5x, \/wp-content\/uploads\/2026\/01\/post-5.png 2x, \/wp-content\/uploads\/2026\/01\/post-5.png 3x, \/wp-content\/uploads\/2026\/01\/post-5.png 4x"},"classes":[]},{"id":57487,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/04\/22\/microsoft-teams-helpdesk-impersonation-attacks-are-rising-heres-what-australian-it-teams-should-change-this-week\/","url_meta":{"origin":57894,"position":4},"title":"Microsoft Teams Helpdesk Impersonation Attacks Are Rising. Here&#8217;s What Australian IT Teams Should Change This Week","author":"CPI Staff","date":"April 22, 2026","format":false,"excerpt":"A new wave of social engineering attacks is targeting Australian organisations through a channel most IT teams still treat as safe: Microsoft Teams. Threat actors are impersonating internal IT helpdesk staff, reaching users via external Teams chats and federated messaging, and walking them straight into credential theft or malware deployment.\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png 1x, \/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png 1.5x, \/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png 2x, \/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png 3x, \/wp-content\/uploads\/2026\/04\/microsoft-teams-helpdesk-impersonation-attacks-australian-it-teams-cover.png 4x"},"classes":[]},{"id":644,"url":"https:\/\/cloudproinc.com.au\/index.php\/2024\/09\/10\/identify-azure-users-without-mfa-using-powershell\/","url_meta":{"origin":57894,"position":5},"title":"Identify Azure Users Without MFA Using PowerShell","author":"CPI Staff","date":"September 10, 2024","format":false,"excerpt":"This Microsoft Azure post will show how to Identify Azure users without MFA Using PowerShell. If you are a Microsoft Azure customer and recently logged into the Microsoft Azure portal, you have probably seen the notification that from October 15th, 2024, Azure will enforce MFA for all users. This change\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/microsoft-azure\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2024\/09\/Identify-Azure-Users-Without-MFA-Using-PowerShell.webp","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2024\/09\/Identify-Azure-Users-Without-MFA-Using-PowerShell.webp 1x, \/wp-content\/uploads\/2024\/09\/Identify-Azure-Users-Without-MFA-Using-PowerShell.webp 1.5x, \/wp-content\/uploads\/2024\/09\/Identify-Azure-Users-Without-MFA-Using-PowerShell.webp 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/57894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/comments?post=57894"}],"version-history":[{"count":1,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/57894\/revisions"}],"predecessor-version":[{"id":57895,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/57894\/revisions\/57895"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media\/57896"}],"wp:attachment":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media?parent=57894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/categories?post=57894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/tags?post=57894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}