Microsoft will retire legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies on September 30, 2025. Organizations must switch to the unified Authentication Methods policy in Microsoft Entra ID before this date.
This guide explains how to:
- Identify legacy authentication methods.
- Migrate to the new policy.
- Verify that migration works as expected.
Understanding Legacy Authentication Methods
Legacy methods include MFA and SSPR policies managed separately in Microsoft Entra ID. These are set under:
- Per-user MFA settings
- SSPR settings in the Microsoft Entra admin center
Identifying Legacy Authentication Methods
Document these settings for reference.
Your Per-user MFA settings are found here:
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Identity > Users > All users > Per-user MFA > service settings to view the settings.
The SSPR settings can be found here:
Identity > Users > All users > Password reset > Authentication methods
Benefits of the New Authentication Methods Policy
- Central management for MFA, SSPR, and passwordless authentication.
- More control over which user groups use specific methods.
- Access to better security features through future updates.
Unified Authentication Methods are found here:
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Protection > Authentication methods >
Migration Process
You can either DIY – or let MS handle it
Microsoft offers an automated migration tool:
- In the Microsoft Entra admin center, go to Protection > Authentication Methods > Policies.
- Click Manage migration.
- The tool evaluates your current settings and recommends a new configuration.
- Review and adjust as needed.
- Confirm the configuration to complete migration.
This ensures users can still use their previous sign-in and password reset methods.
The guide will assess all your methods, so if you find anything still enabled thats deemed insecure, time to visit sign-in logs and identify usage – and plan for deprecation.
Verifying Migration Completion
- Check logs and reports in Microsoft Entra ID to confirm proper functioning.
- Use Conditional Access policies to enforce new authentication methods.
- Document changes and inform users about the updated methods.
When don it will show
Summary
Migrating to the new Authentication Methods policy ensures compatibility and security. Complete the migration before September 30, 2025, to avoid service disruptions.
