Microsoft 365 Message Center item MC1411574
MC1411574 - Microsoft Entra: System-preferred authentication now applies to first-factor authentication
Microsoft Entra now applies system-preferred authentication to first-factor sign-in for tenants in the Microsoft managed state, selecting the most secure registered method. Rollout starts late June 2026. Tenants can keep or change this setting and should update user guidance accordingly.
- Message Center ID
- MC1411574
- Category
- stay Informed
- Severity
- normal
- Services
- Microsoft Entra
- Tags
- Feature update, User impact, Admin impact
- Published
- 2026-07-01
- Last updated
- 2026-07-01
- Expires
- 2026-08-31
[What and Why]As announced in the What's New (June Edition), we have been rolling out first-factor system-preferred authentication in the Microsoft-managed state.System-preferred authentication in Microsoft Entra ID now applies to both first-factor and second-factor authentication when the setting is in the Microsoft managed state.The system evaluates which credentials are registered for the user and selects the highest-ranked method for each authentication step, prompting the user to sign in with the most secure available method.[Rollout schedule]General Availability (Worldwide): Beginning late June 2026 and expected to complete by late July 2026[Impact on your organization]Who is affectedOrganizations whose system-preferred authentication setting is in the Microsoft managed state.If your setting is in the Enabled or Disabled state, first-factor sign-in behavior remains unchanged and there is no impact from this update.Platforms and servicesMicrosoft Entra IDSystem-preferred authenticationUser sign-in experiencesWhat will happenFor tenants in the Microsoft managed state, the system applies credential ranking to both first-factor and second-factor authentication.When a user signs in, the authentication process checks which authentication methods are registered and prompts the user with the most secure method according to the system-defined order.The method order is dynamic and can update when users register more secure authentication methods, such as a passkey, or as Microsoft updates credential rankings based on evolving security guidance. For example, if a user has both a password and a passkey registered, Microsoft Entra may prompt the user to use the passkey at their next first-factor sign-in instead of the password.To sign in using a different option, users can always cancel and choose another available sign-in method.Behavior by setting state:Microsoft managed: The system applies credential ranking to both first-factor and second-factor authentication.Enabled: Credential ranking applies only to second-factor authentication. First-factor sign-in behavior remains unchanged.Disabled: System-preferred authentication is not applied.Note: This prompt does not mean the user is being asked to complete multifactor authentication (MFA) when MFA is not required. With this update, Microsoft Entra can prompt users to use their most secure available credential at first-factor sign-in instead of defaulting to a password. Some methods, such as passkeys, certificate-based authentication, or Microsoft Authenticator, can satisfy first-factor sign-in requirements and may also satisfy MFA requirements when MFA is required. The goal is to use the strongest available credential consistently, not to add an extra MFA prompt.[What you need to do to prepare:] Review whether you want system-preferred authentication to apply to first-factor authentication in your tenant: If you want the credential ranking applied to both first-factor and second-factor authentication, leave the setting in the Microsoft managed state. No action is required. If you do not want system-preferred authentication to apply to first-factor authentication, change the setting from Microsoft managed to Enabled. The Enabled state applies system-preferred logic only to second-factor authentication and leaves first-factor sign-in behavior unchanged.Consider notifying users that they may be prompted with a different, more secure sign-in method at first-factor sign-in and remind them that they can always cancel and choose another available sign-in method.Update internal sign-in documentation and support guidance accordingly.Learn moreGeneral Availability - System-preferred authentication expanded to first-factor in Microsoft Entra ID - What's New (June 2026 Microsoft Entra Blog) | Microsoft Entra releases and announcements | Microsoft LearnSystem-preferred authentication | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn[Compliance considerations]No compliance considerations identified, review as appropriate for your organization.