Microsoft Entra: Passkeys by Default & SMS/Voice Retirement — Admin Advisory

TL;DR September 1, 2026 — Passkeys become default. Users enabled for SMS/Voice are auto-enabled for passkeys and prompted to register. February 1, 2027 — Microsoft-provided SMS and Voice MFA fully retired. No opt-out. Users with no other MFA method will be blocked until they register a passkey. Action required now — Audit who in your tenant uses SMS/Voice and start migrating them to passkeys. 1. What Are Passkeys? Passkeys are phishing-resistant, passwordless credentials that replace both passwords and weak MFA methods like SMS OTP. Instead of a shared secret, they use a cryptographic key pair: ...

July 15, 2026 · 4 min · Tony Merisan

Stale Accounts and Old Passwords in Active Directory - Audit and Remediation

1. The Reality of Active Directory Every AD environment accumulates history. Migrations, acquisitions, staff turnover, legacy applications — they all leave traces. The result is almost always the same: enabled accounts that nobody remembers, service accounts with passwords set years ago, and exceptions that were “temporary” and never cleaned up. This is exactly the low-hanging fruit attackers look for first. Why spend time trying to break into a well-protected account with MFA when there is a 20-year-old enabled account sitting next to it — or a service account with a 5-year-old password and access to something critical? ...

July 15, 2026 · 3 min · Tony Merisan