Migrate Legacy MFA and SSPR Policies to Authentication Methods

In this tutorial, we are going to migrate from the legacy MFA (multi-factor authentication) and SSPR (self-service password reset) policies in Microsoft Entra to the new Authentication methods policy setting. 

By moving to the new Authentication methods policy in Microsoft Entra, you will no longer rely on having to manage your MFA and SSPR settings from multiple portals. This will allow you to create tenant-wide policies from a single pane of glass.

You will also see from the Authentication methods policy page that on September 30th 2025 the legacy MFA and SSPR portals will be deprecated and you will be forced to manage your policies from the new portal.

How the migration process works

The idea behind the migration process is that you can enable your desired settings in the new Authentication methods policy portal gradually, while your users still respect the policies in the old portals. Once you have your policies configured in the new portal and have tested them thoroughly, you can cut over and stop your users' identities from respecting the old portal settings.

That way you can complete the migration without impacting the end user, which is always the desired result.

Audit your existing MFA policies

We first need to audit our current MFA settings and document which settings are enabled for our tenant currently. There are two ways to access your existing tenant-wide MFA settings. 

Method 1

1. Log in to the Azure Microsoft Entra Admin Portal as a Global Administrator and select Azure Active Directory.

Select Azure Active Directory

2. Select Security under Manage on the left-hand menu.

Select Security from the left-hand menu

3. Select Multifactor authentication.

Select MultiFactor Authentication

4. Select Additional cloud-based multifactor authentication settings.

Select Additional cloud-based multifactor authentication settings

Method 2

1. Log in to https://admin.microsoft.com/ as a Global Administrator.

2. Expand Users and select Active Users.

Select Active Users

3. Select Multi-factor authentication from the Active users menu.

Select Authentication Methods from the users menu

4. Select service settings.

Select service settings

Using either method will take you to the same page which will show you all of the available MFA settings currently enabled for your tenant. Be sure to document which options are currently enabled.

MFA verification options

Audit your existing SSPR policy

We now need to audit what self-service password reset policy we have in place. You should ensure that you document:

  • Which users or groups SSPR is enabled for
  • The number of methods required (although this is not yet configurable in the new portal)
  • The available authentication methods
  • Notification settings

While not all settings are available in the new Authentication methods policy portal, it is important you document everything for when additional features are added.

To access your SSPR settings:

1. Log in to the Azure Active Directory admin portal as a global administrator.

2. Select Azure Active Directory.

Select Azure Active Directory

3. Select Password Reset from the left-hand menu.

Select Password Reset

Begin the migration to Authentication methods policy

Now that you have audited your existing MFA and SSPR settings, you can begin the migration to the Authentication methods policy. It is also important that you get used to the Microsoft Entra admin center, so we will be using that portal instead of the Azure Active Directory Admin Center from here on.

1. Start by logging in to Microsoft Entra as a global administrator.

2. From the left-hand menu, expand Protect & secure and select Authentication methods.

Select Entra Authentication methods

3. You will see the following notification which states:

“On September 30th, 2025, the legacy multifactor authentication and self-service password reset policies will be deprecated and you’ll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.”

Select Manage migration.

Manage migration to Authentication methods

4. By selecting this option, we allow our users to respect both the legacy options we have in place in the legacy portals and the policy options we have set in the Authentication methods policy. This is what allows us to perform a seamless migration.

Migration in progress

Configure your Authentication methods policy

You should take the time now to work through the authentication methods and enable each method one by one while analysing the legacy settings you have audited.

Enable authentication methods

What is important to know is that there are no longer separate settings for SSPR and MFA; any methods you enable on the above screen will apply to both SSPR and MFA.

That being said, there look to be some immediate limitations. Not being able to apply stronger policies for SSPR seems to be the glaring issue; personally, I would want to re-enable the option for 2 authentication methods/challenges when resetting an admin password, for example. If you have multiple methods configured for SSPR, then this would no longer be applicable once you migrate to the authentication methods policy.

All of the options are quite straightforward to configure. My favourite new features are number matching in the Microsoft Authenticator app and the ability to selectively choose which users certain authentication methods are available to. See my tutorial for enabling number matching in Microsoft Authenticator.

Testing your new Authentication methods policy

Testing is most important before you complete the migration, because once you complete the migration the settings in your legacy portals are ignored.

Currently, the only way (and probably the best way) to test your settings is to work through and disable each authentication method in your old MFA and SSPR portals. This lets you validate that the corresponding setting you have configured in your new policy works as expected.

Testing in this manner is the safest way to ensure you have not missed any options and are keeping your organisation secure.

Complete the migration to Authentication methods policy

When you have completed your testing, you can head back to the Manage migration page in the Microsoft Entra admin center, then select Migration Complete and click Save.

1. Log in to the Microsoft Entra admin center.

2. Expand Protect & Secure from the left-hand menu and select Authentication methods.

3. Select Manage migration.

4. Select Migration Complete and click Save.

Select Migration Complete

Once you are migrated, you can always change the migration setting back to Migration In Progress. Also, if you want to retain your advanced SSPR settings then you can even keep the setting in progress until the end date of September 2025. The only option that will remain from the old portal once you complete the migration is the security questions in the SSPR portal.

Security questions

Migrating with Microsoft Graph PowerShell

If you need to programmatically modify the new Authentication methods policy migration settings, you can also do this using Microsoft Graph PowerShell. Follow the steps below to migrate to the Authentication methods policy using Microsoft Graph PowerShell.

Start by connecting to Microsoft Graph with the Policy.ReadWrite.AuthenticationMethod permissions.

Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

Migrating to 'Migration in progress'

Run the below command to migrate to the ‘Migration in progress’ state:

$params = @{
    policyMigrationState = "migrationInProgress"
}

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params

Migrating to 'Migration complete'

Run the below command to migrate to the ‘Migration complete’ state:

$params = @{
    policyMigrationState = "migrationComplete"
}

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params

When trying to complete the migration steps, you may encounter the following error:

Update-MgPolicyAuthenticationMethodPolicy : Persistance of policy failed with error: Couldn’t save new migration state: you cannot move to migration complete until disabling all methods in the legacy SSPR policy.Currently enabled legacy SSPR method(s):

Ensure you have fully disabled the legacy authentication methods and then try to complete the migration again.
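The following script is an added example and is not part of the original post. It audits the current Authentication methods policy through Microsoft Graph (migration state plus each method's state) before any change, and only moves to 'migrationComplete' when the policy is already in 'migrationInProgress', surfacing the service error quoted above if legacy SSPR methods are still enabled. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller is a Global Administrator; the function names are the author's own choices, while the scope, cmdlets and REST path are real.

```powershell
# Added example (not from the original post): audit the Authentication methods
# policy via Microsoft Graph and guard the migration-state change.
# Assumes the Microsoft.Graph SDK is installed and you hold Global Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

function Get-AuthMethodsPolicyAudit {
    # Returns the current migration state and each method with its state,
    # so the values can be compared against the legacy portal audit.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    [pscustomobject]@{
        MigrationState = $policy.policyMigrationState
        Methods        = @($policy.authenticationMethodConfigurations |
            ForEach-Object { [pscustomobject]@{ Id = $_.id; State = $_.state } })
    }
}

function Set-AuthMethodsMigrationState {
    param(
        [ValidateSet("preMigration", "migrationInProgress", "migrationComplete")]
        [string]$State
    )
    $audit = Get-AuthMethodsPolicyAudit
    # Refuse the cut-over unless the tenant has gone through the in-progress phase.
    if ($State -eq "migrationComplete" -and $audit.MigrationState -ne "migrationInProgress") {
        throw "Refusing cut-over: policy is in '$($audit.MigrationState)', not 'migrationInProgress'."
    }
    $body = @{ policyMigrationState = $State } | ConvertTo-Json
    try {
        Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType "application/json"
    } catch {
        # The service rejects migrationComplete while legacy SSPR methods are
        # still enabled; the message names the methods that must be disabled.
        Write-Error "Migration state change failed: $($_.Exception.Message)"
        throw
    }
}

# Usage: audit first, then move through the states in the order the post describes.
$audit = Get-AuthMethodsPolicyAudit
"Current migration state: $($audit.MigrationState)"
$audit.Methods | Where-Object State -eq "enabled" | Format-Table Id, State
# Set-AuthMethodsMigrationState -State "migrationInProgress"
# Set-AuthMethodsMigrationState -State "migrationComplete"
```

Run the audit output against the settings you documented from the legacy portals; any method enabled here but not in the legacy policy is a gap to review before the cut-over.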

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Joakim

    How would we enforce MFA on a user using Policies, the same way we could using the legacy MFA portal?

    1. Daniel

      Hey! If you are looking to enforce MFA, you should either be using Conditional Access (if you have AAD premium) or security defaults.
