Earlier this year I wrote a detailed article on how to migrate from the legacy MFA and SSPR policies in Microsoft Entra to the new Authentication Methods policy experience. By doing this you no longer have to rely on managing your available authentication methods in multiple portals. Instead, you can do it from the unified Authentication Methods portal in Microsoft Entra.
In October 2024, Microsoft made this easier for consumers, releasing a built-in migration experience directly in the Microsoft Entra portal.
Let's look at how to use that migration experience to have the portal automatically recommend which policies you need to enable based on your existing configuration. This rapidly streamlines your migration experience and removes any complexity from the process.
Authentication Methods automated migration steps
2. Browse to Protection > Authentication methods > Policies.
3. Under the Manage migration heading, you will see an option to Begin automated guide (if you haven’t already completed the migration). Select this option.
4. On the first page click Next and you will be taken to the Review + migrate page.
5. Ensure you are happy with these settings then click Migrate.
It is worth noting that your existing (legacy) policies may no longer be in line with your organisation's requirements. In most cases, you should take this as an opportunity to either disable any less secure authentication methods (such as Email OTP, Voice call & SMS) or at least plan to have users migrate away from them.
A quick way to identify if any users in your organisation are using legacy authentication methods is to filter the User registration details report in the Microsoft Entra admin center.
2. Filter by the Methods registered filter.
You can then target your migration efforts to the select few people that may need to migrate to a strong authentication method. In the event any people in this list have stronger methods registered, but they have not been set as default and the legacy method has not been removed, use my PowerShell examples in my article: Update Default MFA Methods with Microsoft Graph PowerShell. This will allow you to bulk update the default MFA method for your users.
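The triage described above can also be scripted. The following is an added example, not code from this article or from Microsoft: it sorts registration records into users who only have a legacy method, users whose default is still a legacy method, and users whose legacy method can simply be removed. The function name `Get-LegacyMethodFinding`, the sample users, and the mapping of Email OTP, Voice call and SMS to the `MethodsRegistered` and `UserPreferredMethodForSecondaryAuthentication` values shown are assumptions based on the Microsoft Graph `userRegistrationDetails` resource.

```powershell
# Added example. Value names are assumed from the Graph userRegistrationDetails
# resource; confirm them against the output of your own tenant before relying on them.
$LegacyMethods  = 'email', 'mobilePhone', 'alternateMobilePhone', 'officePhone'
$LegacyDefaults = 'sms', 'voiceMobile', 'voiceAlternateMobile', 'voiceOffice'

function Get-LegacyMethodFinding {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Detail)
    process {
        $registered = @($Detail.MethodsRegistered)
        $legacy = @($registered | Where-Object { $_ -in $LegacyMethods })
        if ($legacy.Count -eq 0) { return }   # no legacy method registered, skip user
        # Anything outside the legacy list counts as a replacement candidate here;
        # tighten this to match your own policy (e.g. exclude securityQuestion).
        $other   = @($registered | Where-Object { $_ -and $_ -notin $LegacyMethods })
        $default = [string]$Detail.UserPreferredMethodForSecondaryAuthentication

        $action = if ($other.Count -eq 0) {
            'Register a stronger method'
        } elseif ($default -in $LegacyDefaults) {
            'Change default method, then remove legacy'
        } else {
            'Remove legacy method'
        }
        [pscustomobject]@{
            User    = $Detail.UserPrincipalName
            Legacy  = $legacy -join ', '
            Other   = $other -join ', '
            Default = $default
            Action  = $action
        }
    }
}

# Constructed sample records shaped like the report rows, so this runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
        MethodsRegistered = @('mobilePhone')
        UserPreferredMethodForSecondaryAuthentication = 'sms' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
        MethodsRegistered = @('mobilePhone', 'microsoftAuthenticatorPush')
        UserPreferredMethodForSecondaryAuthentication = 'voiceMobile' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'
        MethodsRegistered = @('email', 'fido2SecurityKey')
        UserPreferredMethodForSecondaryAuthentication = 'push' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'
        MethodsRegistered = @('microsoftAuthenticatorPush')
        UserPreferredMethodForSecondaryAuthentication = 'push' }
)
$sample | Get-LegacyMethodFinding | Format-Table -AutoSize
```

Against a live tenant, replace `$sample` with the output of `Get-MgReportAuthenticationMethodUserRegistrationDetail -All` from the Microsoft Graph PowerShell SDK (a read-only report query).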
The full link to the Microsoft docs page can be found here: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage