In this tutorial, we are going to migrate from the legacy MFA (multi-factor authentication) and SSPR (self-service password reset) policies in Microsoft Entra to the new Authentication methods policy setting.
By moving to the new Authentication methods policy in Microsoft Entra, you will no longer rely on having to manage your MFA and SSPR settings from multiple portals. This will allow you to create tenant-wide policies from a single pane of glass.
You will also see from the Authentication methods policy page that on September 30th 2025 the legacy MFA and SSPR portals will be deprecated, and you will be forced to manage your policies from the new portal.
How the migration process works
The idea behind the migration process is that you can enable your desired settings in the new Authentication methods policy portal slowly, while your users still respect the policies in the old portals. Once you are at a stage where you have your policies configured in the new portal and you have tested thoroughly, you can cut over and prevent your user’s identities from respecting the old portal settings.
That way you can complete the migration without impacting the end user, which is always the desired result.
Audit your existing MFA policies
We first need to audit our current MFA settings and document which settings are enabled for our tenant currently. There are two ways to access your existing tenant-wide MFA settings.
Method 1
1. Log in to the Azure Microsoft Entra Admin Portal as a Global Administrator.
2. Select Azure Active Directory.
3. Select Security under Manage on the left-hand menu.
4. Select Multifactor authentication.
5. Select Additional cloud-based multifactor authentication settings.
Method 2
1. Log in to https://admin.microsoft.com/ as a Global Administrator.
2. Expand Users and select Active Users.
3. Select Multi-factor authentication from the Active users menu.
4. Select service settings.
Using either method will take you to the same page which will show you all of the available MFA settings currently enabled for your tenant. Be sure to document which options are currently enabled.
Audit your existing SSPR policy
We now need to audit what self-service password reset policy we have in place. You should ensure that you document:
- Which users or groups SSPR is enabled for
- The number of methods required (although this is not yet configurable in the new portal)
- The available authentication methods
- Notification settings
While not all settings are available in the new Authentication methods policy portal, it is important you document everything for when additional features are added.
To access your SSPR settings:
1. Log in to the Azure Active Directory admin portal as a global administrator.
2. Select Azure Active Directory.
3. Select Password Reset from the left-hand menu.
Begin the migration to Authentication methods policy
Now that you have audited your existing MFA and SSPR settings, you can begin the migration to the Authentication methods policy. It is also important that you get used to the Microsoft Entra admin center, so from here on we will use this portal instead of the Azure Active Directory admin center.
1. Log in to the Microsoft Entra admin center as a Global Administrator.
2. From the left-hand menu, expand Protect & secure and select Authentication methods.
3. You will see the following notification which states:
“On September 30th, 2025, the legacy multifactor authentication and self-service password reset policies will be deprecated and you’ll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.”
Select Manage migration.
4. By selecting this option, we are allowing our users to respect the legacy options that we have in place from the legacy portals and the policy options we have set in the Authentication methods policy. This will allow us to perform a seamless migration.
Configure your Authentication methods policy
You should take the time now to work through the authentication methods and enable each method one by one while analysing the legacy settings you have audited.
What is important to know is that there are no longer separate settings for SSPR and MFA: any method you enable on the above screen applies to both SSPR and MFA.
That being said, there appear to be some immediate limitations. Not being able to apply stronger policies for SSPR seems to be the glaring issue; personally, I would want to re-enable the option for 2 authentication methods/challenges when resetting an admin password, for example. If you have multiple methods configured for SSPR, then this would no longer be applicable once you migrate to the Authentication methods policy.
All of the options are quite straightforward to configure. My favourite new features are number matching in the Microsoft Authenticator app and the ability to selectively choose which users certain authentication methods can be available to. See my tutorial for enabling number matching in Microsoft Authenticator.
Testing your new Authentication methods policy
Testing is essential before you complete the migration, because once the migration is complete the settings in your legacy portals are ignored.
Currently, the only way (and probably the best way) to test your settings is to work through and disable each authentication method in your old MFA and SSPR portals. This will allow you to validate that the setting you have configured in your new policy works as expected.
Testing in this manner is the safest way to ensure you have not missed any options and are keeping your organisation secure.
Complete the migration to Authentication methods policy
When you have completed your testing, you can head back to the Manage migration page in the Microsoft Entra admin center, then select Migration Complete and click Save.
1. Log in to the Microsoft Entra admin center as a Global Administrator.
2. Expand Protect & secure from the left-hand menu and select Authentication methods.
3. Select Manage migration.
4. Select Migration Complete and click Save.
Once you are migrated, you can always change the migration setting back to Migration In Progress. Also, if you want to retain your advanced SSPR settings then you can even keep the setting in progress until the end date of September 2025. The only option that will remain from the old portal once you complete the migration is the security questions in the SSPR portal.
Migrating with Microsoft Graph PowerShell
If you need to programmatically modify the new Authentication methods policy migration settings, you can also do this using Microsoft Graph PowerShell. Follow the steps below to migrate to the Authentication methods policy using Microsoft Graph PowerShell.
Start by connecting to Microsoft Graph with the Policy.ReadWrite.AuthenticationMethod permissions.
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod
Migrating to 'Migration in progress'
Run the below command to migrate to the ‘Migration in progress’ state:
$params = @{
policyMigrationState = "migrationInProgress"
}
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params
Migrating to 'Migration complete'
Run the below command to migrate to the ‘Migration complete’ state:
$params = @{
policyMigrationState = "migrationComplete"
}
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params
When trying to complete the migration steps, you may encounter the following error:
Update-MgPolicyAuthenticationMethodPolicy : Persistance of policy failed with error: Couldn’t save new migration state: you cannot move to migration complete until disabling all methods in the legacy SSPR policy.Currently enabled legacy SSPR method(s):
Ensure you have fully disabled the legacy authentication methods and then try to complete the migration again.
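The two state changes above, and the error you can hit on the second one, can be wrapped in a small script that first shows the current migration state and method configurations, then changes state only in the supported order. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in account has the Policy.ReadWrite.AuthenticationMethod scope used above. The function names Get-AuthMethodsPolicySummary and Set-AuthMethodsMigrationState are this example's own.

```powershell
# Added example (not from the original post): inspect the Authentication methods
# policy, then move the migration state with a guard so "migrationComplete" is
# never reached without first passing through "migrationInProgress".
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns are installed.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

function Get-AuthMethodsPolicySummary {
    # Returns the current migration state plus one row per method configuration
    # (e.g. MicrosoftAuthenticator / enabled), which is the data you should have
    # documented during the audit before changing anything.
    $policy = Get-MgPolicyAuthenticationMethodPolicy
    [PSCustomObject]@{
        MigrationState = $policy.PolicyMigrationState
        Methods        = $policy.AuthenticationMethodConfigurations |
            ForEach-Object { [PSCustomObject]@{ Method = $_.Id; State = $_.State } }
    }
}

function Set-AuthMethodsMigrationState {
    param(
        [Parameter(Mandatory)]
        # The three states exposed by the policy's policyMigrationState property.
        [ValidateSet('preMigration', 'migrationInProgress', 'migrationComplete')]
        [string]$TargetState
    )

    $current = (Get-MgPolicyAuthenticationMethodPolicy).PolicyMigrationState
    if ($current -eq $TargetState) {
        Write-Host "Policy is already in state '$TargetState'; nothing to do."
        return
    }

    # Refuse to skip the testing phase: complete only from in-progress.
    if ($TargetState -eq 'migrationComplete' -and $current -ne 'migrationInProgress') {
        throw "Refusing to move from '$current' directly to 'migrationComplete'. Set migrationInProgress first and test."
    }

    try {
        # Same call the post uses, with the state passed as the request body.
        Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{ policyMigrationState = $TargetState }
        Write-Host "Migration state changed: '$current' -> '$TargetState'"
    }
    catch {
        # The service rejects migrationComplete while legacy SSPR methods are
        # still enabled; surface the message and leave the policy unchanged.
        Write-Error "Could not change migration state: $($_.Exception.Message)"
    }
}

Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

$summary = Get-AuthMethodsPolicySummary
"Current migration state: $($summary.MigrationState)"
$summary.Methods | Format-Table -AutoSize

# First step of the migration:
Set-AuthMethodsMigrationState -TargetState migrationInProgress

# After testing, and once every legacy SSPR method has been disabled:
# Set-AuthMethodsMigrationState -TargetState migrationComplete
```

Keep the summary output with your audit notes: it records which methods were enabled in the new policy at the moment you changed state, which is useful if you later need to set the state back to migrationInProgress.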
How would we enforce MFA on a user using Policies, the same way we could using the legacy MFA portal?
Hey! If you are looking to enforce MFA, you should either be using Conditional Access (if you have AAD premium) or security defaults.