Microsoft recently announced that the legacy policies for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) will no longer be supported after September 30, 2025. We need to migrate the legacy MFA and SSPR policies to the authentication methods in Microsoft Entra ID.
This blog post explains step by step how to migrate from legacy MFA and SSPR policies to authentication methods in Microsoft Entra ID.
Is it necessary to perform a migration in my tenant?
You can easily check whether the legacy MFA or legacy SSPR policies in your tenant need to be migrated.
Option 1
Microsoft sends all tenant administrators an email requesting the migration.
Option 2
The following message appears in the Microsoft Entra admin center (https://entra.microsoft.com/) under Protection > Authentication methods > Policies:
Manage Migration (1)
Initiate migration process
The migration process starts in the Microsoft Entra admin center.
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Authentication methods > Policies
Click on Manage Migration (1), select the option Migration in Progress (2), and confirm with Save (3).
Identify legacy policies
Before the migration process can begin, the verification options activated for legacy MFA and legacy SSPR must be identified.
Legacy MFA
The activated verification options for legacy MFA are shown under Microsoft Entra admin center (https://entra.microsoft.com/) > Identity > Users > All Users > Per-user MFA.
Click on Service settings (1) and note down the verification options (2).
Legacy SSPR
The activated verification options for legacy SSPR are shown under
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Password reset > Authentication methods.
Note down the authentication methods (1).
Enable authentication methods
The identified verification options from the legacy MFA and SSPR policies can now be enabled in the authentication methods. If less secure verification options have been in use until now, it is recommended not to enable them again in the new policy. Less secure verification options are generally those that rely on telecommunication transports, such as SMS and voice calls.
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Authentication methods > Policies.
Enable all necessary authentication methods (1).
By default, each enabled authentication method is assigned to all users. If necessary, each authentication method can instead be scoped to previously defined security groups.
Disable legacy policies
It is recommended to disable each legacy policy individually and then check the authentication method. In this way, a working alternative authentication method is always available should the function check be unsuccessful. The procedure is described below using the example of the notification via the Microsoft Authenticator App.
Disable legacy MFA
The notification via the Microsoft Authenticator App for legacy MFA is disabled under Microsoft Entra admin center (https://entra.microsoft.com/) > Identity > Users > All users > Per-user MFA.
Click on Service settings (1), disable Notification through mobile app (2) and save it with Save (3).
When all verification options in legacy MFA are disabled, the following message appears:
Disabling all authentication methods could lock out your users. Ensure that you have enough authentication methods enabled in the new authentication methods policy before saving.
If other authentication methods have been successfully tested beforehand, the warning can be ignored.
Disable legacy SSPR
The notification via the Microsoft Authenticator App for legacy SSPR is disabled under
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Password reset > Authentication methods.
Disable Mobile app notification (1) and click on Save (2).
When all verification options in legacy SSPR are disabled, the following message appears:
Disabling all authentication methods could lock out your users. Ensure that you have enough authentication methods enabled in the new authentication methods policy before saving.
If other authentication methods have been successfully tested beforehand, the warning can be ignored.
Check authentication methods
It is recommended to test both user sign-in and password reset after each disabled verification option with the new authentication method for Microsoft Entra ID. If the process is successful, the steps to disable further verification options for legacy MFA and legacy SSPR can be performed following the same procedure.
Complete migration
Once all legacy policies for MFA and SSPR have been disabled, the migration can be completed.
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Authentication methods > Policies
Click on Manage migration (1), select Migration complete (2) and save it with Save (3).
Check successful completion of migration
Legacy MFA
After successful migration, the verification options in legacy MFA are grayed out.
Microsoft Entra admin center (https://entra.microsoft.com/) > Identity > Users > All users > Per-user MFA > Service settings
Legacy SSPR
After successful migration, the verification options in legacy SSPR are grayed out.
Microsoft Entra admin center (https://entra.microsoft.com/) > Protection > Password reset > Authentication methods
Migration status
After a while, the migration status will be shown as complete.
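The checks from the Enable authentication methods and Migration status sections can also be run against the tenant with Microsoft Graph PowerShell instead of clicking through the admin center. The following script is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed and that the signed-in account can read the authentication methods policy (Policy.Read.All).

```powershell
# Added example (not from the original post): read the tenant's authentication methods
# policy via Microsoft Graph PowerShell and report the migration state together with
# the state of every authentication method. Assumes the Microsoft.Graph module is
# installed and the account has the Policy.Read.All permission.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policy = Get-MgPolicyAuthenticationMethodPolicy

# Graph reports one of: preMigration, migrationInProgress, migrationComplete
Write-Host "Policy migration state: $($policy.PolicyMigrationState)"

# Methods the post classifies as less secure because they ride on telecom transports
$telecomMethods = @('Sms', 'Voice')

$report = foreach ($m in $policy.AuthenticationMethodConfigurations) {
    [pscustomobject]@{
        Method  = $m.Id
        State   = $m.State          # enabled or disabled
        Telecom = $telecomMethods -contains $m.Id
    }
}
$report | Sort-Object Method | Format-Table -AutoSize

# Flag SMS/voice if they were carried over into the new policy
$enabledTelecom = $report | Where-Object { $_.State -eq 'enabled' -and $_.Telecom }
if ($enabledTelecom) {
    Write-Warning ('Telecom-based methods still enabled: ' + ($enabledTelecom.Method -join ', '))
}

# Until the state is migrationComplete, the legacy MFA/SSPR policies may still apply
if ($policy.PolicyMigrationState -ne 'migrationComplete') {
    Write-Warning 'Migration is not complete yet; legacy MFA and SSPR policies may still be in effect.'
}
```

The Manage migration dialog maps to the same policy object: Update-MgPolicyAuthenticationMethodPolicy -PolicyMigrationState migrationInProgress (or migrationComplete) sets the state shown above, which requires the Policy.ReadWrite.AuthenticationMethod permission.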
Troubleshooting
Security questions for SSPR
At the time of writing this blog post, security questions for Self-Service Password Reset (SSPR) are not available in the authentication methods.