Migrate Azure Authentication Methods by September 30, 2024

Microsoft is deprecating legacy MFA and Self-Service Password Authentication methods on September 30, 2024. While that might seem like a long way out, we all know how fast a year can go by, and depending on your situation there could be a good deal of communication and end user training you need to do before completing this migration. What’s involved?

First, make note of your existing settings under the legacy Per User MFA section in Azure AD, particularly the Methods available to users and the Remember multi-factor authentication on trusted device setting.

Legacy MFA Settings

Next, if you have Self Service Password Reset enabled for your users make note of those settings:

Self Service Password Reset

Then go over to the new Authentication methods under Azure Active Directory, Security, Authentication Methods. These will be the methods available to your users once the migration is complete. Before then you want to make sure that you’ve enabled any methods in this section that you want your users to continue to use. You also want to set up your conditional access policies to enable MFA for your users.

New Authentication Methods

Note that security questions for Self Service Password Reset are not an available option in the new authentication methods. If you are using those you can continue to manage them in the SSPR area even after the migration is complete, until Microsoft moves that functionality to the new authentication area.

Flip to Migration in Progress

The next step is to start the migration. In this step nothing changes for your users so it’s pretty safe. You can do this by clicking the Manage Migration link at the top of the new methods section. If you haven’t done anything yet, this will be set to Pre-migration. The new authentication methods are available as well as the old legacy methods and SSPR only uses the settings in its section. You can flip this to Migration in Progress and the new methods will be available for MFA and SSPR as well as all the legacy methods.

Manage Migration

Set up your New Methods

This step depends on your situation. If you just want to make all of the methods you have set up in the legacy policies available in the new policy, then enable them and call it good. If you want to clean up methods you can do that now, but if you have MFA / SSPR implemented and users are using methods that you are going to disable, then you will need to communicate those changes.

Once you have your new methods set up the way you want them and your conditional access policy in place, you complete the migration by going back to the Legacy MFA and SSPR methods screens and deselecting all of the methods and settings there. Again, Security questions should remain enabled if you are using them and you’ll continue to manage them here for now.

Complete the Migration

Once you have your settings the way you want them flip the Migration Complete switch. Be sure to disable per user MFA for all of your users.
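The check below is an added example, not part of the original post or Microsoft's tooling: it compares the legacy settings you noted down against the new Authentication methods policy and reports which legacy methods have no enabled replacement before you flip to Migration Complete. It assumes the policy has been exported in the shape returned by Microsoft Graph (`policyMigrationState`, `authenticationMethodConfigurations`); the function name `preflight`, the `SSPR:` label prefix, the label-to-method mapping (hardware OATH tokens are left out) and the sample data are constructed for illustration.

```python
# Assumed mapping: legacy portal label -> method ids in the new policy that
# can replace it. Verify against Microsoft's migration documentation.
LEGACY_TO_NEW = {
    "Call to phone": ["Voice"],
    "Text message to phone": ["Sms"],
    "Notification through mobile app": ["MicrosoftAuthenticator"],
    "Verification code from mobile app or hardware token":
        ["MicrosoftAuthenticator", "SoftwareOath"],
    "SSPR: Mobile app notification": ["MicrosoftAuthenticator"],
    "SSPR: Mobile app code": ["MicrosoftAuthenticator", "SoftwareOath"],
    "SSPR: Email": ["Email"],
    "SSPR: Mobile phone": ["Sms", "Voice"],
    "SSPR: Office phone": ["Voice"],
}
# Security questions have no equivalent yet and stay managed under SSPR.
STAYS_IN_SSPR = {"SSPR: Security questions"}

def preflight(legacy_enabled, policy):
    """Compare noted legacy settings with the new policy before completing."""
    configs = policy.get("authenticationMethodConfigurations", [])
    enabled = {c["id"] for c in configs if c.get("state") == "enabled"}
    report = {"state": policy.get("policyMigrationState"),
              "covered": [], "gaps": [], "keep_in_sspr": [], "unmapped": []}
    for name in legacy_enabled:
        if name in STAYS_IN_SSPR:
            report["keep_in_sspr"].append(name)
        elif name not in LEGACY_TO_NEW:
            report["unmapped"].append(name)      # needs a manual decision
        elif enabled & set(LEGACY_TO_NEW[name]):
            report["covered"].append(name)
        else:
            report["gaps"].append(name)          # users would lose this method
    report["ready"] = (report["state"] == "migrationInProgress"
                       and not report["gaps"] and not report["unmapped"])
    return report

# Constructed sample data: hand-noted legacy settings and a trimmed policy object.
SAMPLE_LEGACY = ["Call to phone", "Text message to phone",
                 "Notification through mobile app", "SSPR: Email",
                 "SSPR: Mobile phone", "SSPR: Security questions"]
SAMPLE_POLICY = {"policyMigrationState": "migrationInProgress",
                 "authenticationMethodConfigurations": [
                     {"id": "MicrosoftAuthenticator", "state": "enabled"},
                     {"id": "Sms", "state": "enabled"},
                     {"id": "Voice", "state": "disabled"},
                     {"id": "Email", "state": "disabled"}]}

if __name__ == "__main__":
    print(preflight(SAMPLE_LEGACY, SAMPLE_POLICY))
```

With the sample data, "Call to phone" and "SSPR: Email" are reported as gaps because Voice and Email are disabled in the new policy, so `ready` stays false until those are enabled or the change is communicated to users.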

Migration Fails to Complete

If you run into a problem where the migration won’t move to the complete state, check your guest settings under External Identities, All Identity Providers and disable Email One Time Password for Guests. If you need this setting you can enable it under Email OTP in the new methods section, under configure.

Conclusion

The nice thing about doing this migration on your timeframe is you can flip it back to Migration in Progress and reenable your legacy methods if you run into issues. Ideally you will complete this migration yourself before Microsoft disables the other methods so that you have a little control over your fate.

For the official Microsoft documentation head here: How to migrate to the Authentication methods policy – Microsoft Entra | Microsoft Learn
