System-preferred authentication prompts users to sign in by using the most secure method they registered. It's an important security enhancement for users who authenticate by using less secure methods like passwords or SMS.
> [!NOTE]
> Microsoft managed behavior affects both first-factor and multifactor authentication and is being gradually deployed to tenants through July 2026. If your tenant or users aren't experiencing system-preferred authentication as the first factor when the **State** is **Microsoft managed**, the rollout isn't deployed yet for your tenant.

For example, if a user registered both a password and a passkey, system-preferred authentication prompts the user to sign in with the passkey instead of the password. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
System-preferred authentication is a Microsoft managed setting, which is a [three-state policy](#authentication-method-feature-configuration-properties) (enabled, disabled, or Microsoft managed). If you don't want to enable system-preferred authentication, change the state from **Microsoft managed** to **Disabled**, or exclude users and groups from the policy.
After system-preferred authentication is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered.
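To audit which users the three-state policy actually covers, the following added example (not part of the original documentation) evaluates an exported policy object per user. It assumes the policy is shaped like the `systemCredentialPreferences` property of the Microsoft Graph `authenticationMethodsPolicy` resource, where `default` is the value for **Microsoft managed**; the IDs are constructed, and the rule that an exclusion wins over an inclusion is an assumption.

```python
# Constructed sample shaped like the systemCredentialPreferences property of the
# Microsoft Graph authenticationMethodsPolicy resource (not real tenant data).
SAMPLE_POLICY = {
    "systemCredentialPreferences": {
        "state": "default",  # Graph value for "Microsoft managed"
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [{"id": "grp-breakglass", "targetType": "group"},
                           {"id": "usr-kiosk", "targetType": "user"}],
    }
}

STATE_LABELS = {"enabled": "Enabled", "disabled": "Disabled",
                "default": "Microsoft managed"}


def _matches(targets, user_id, group_ids):
    """True if any target names the user, one of their groups, or all users."""
    for t in targets:
        if t["targetType"] == "user" and t["id"] == user_id:
            return True
        if t["targetType"] == "group" and (
                t["id"] == "all_users" or t["id"] in group_ids):
            return True
    return False


def effective_state(policy, user_id, group_ids):
    """Return the state label that applies to this user, or why none does."""
    prefs = policy.get("systemCredentialPreferences", {})
    state = prefs.get("state", "default")
    if state not in STATE_LABELS:
        raise ValueError(f"unexpected state: {state!r}")
    if state == "disabled":
        return "Disabled"
    # Assumption: an exclusion takes precedence over an inclusion.
    if _matches(prefs.get("excludeTargets", []), user_id, group_ids):
        return "Excluded"
    if not _matches(prefs.get("includeTargets", []), user_id, group_ids):
        return "Not targeted"
    return STATE_LABELS[state]


def audit(policy, users):
    """Map each user id to its effective state; users = {user_id: set_of_group_ids}."""
    return {uid: effective_state(policy, uid, groups)
            for uid, groups in users.items()}
```

Users reported as `Excluded` or `Not targeted` keep whatever default method they chose, so review that list for accounts that still rely on passwords or SMS.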
## How system-preferred authentication applies to sign-in