Hey everyone! I'm pretty new to Entra ID/Azure AD MFA and I'm looking for some help from this amazing community. I've been searching for an official Microsoft announcement regarding when they plan to deprecate SMS and voice call as MFA methods, but I can't seem to find any concrete information. I understand that these methods are not the most secure due to risks like SIM swapping and phishing, but my boss is still keen on using them. So, does anyone know if Microsoft has set a timeline for phasing these out, or are they just discouraged but still hanging around for the time being? Any info or useful links would be greatly appreciated! Thanks a lot!
3 Answers
From what I’ve seen, Microsoft isn’t great at giving clear timelines for items they plan to deprecate. Things can be up in the air for quite some time, and then suddenly they drop a deadline out of nowhere. As of now, I haven’t found a specific date for when SMS and voice call MFA will be deprecated, but I'm definitely keeping an eye on it since I work with Entra regularly.
There’s currently no official roadmap for requiring phishing-resistant MFA across all Entra tenants, although you can set it up in Conditional Access Policies. If you're looking to encourage your boss to consider alternatives, you might point him to CISA's documentation regarding mandatory phishing-resistant MFA. It could be a good leverage point!
Unfortunately, there’s no specific deprecation date at this moment. It seems like they acknowledge the vulnerabilities, but there’s still a lot of hesitation to drop these methods completely.
That's frustrating! I guess I just have to keep monitoring it then.