Case #
Microsoft recently announced in March 2023 that they will be combining the legacy MFA and legacy SSPR policies in Azure AD into a single Azure AD authentication methods policy. More details on this announcement can be found at: https://stefanos.cloud/list-of-discontinued-services-in-microsoft-azure/.
As a result, all Azure AD administrators must ensure that by end of year 2023 their tenants migrate from Azure AD legacy MFA and SSPR policies into the new Azure AD authentication method policy. The Azure AD authentication methods policy is a combined policy for managing authentication methods for both MFA and SSPR.
This article provides guidance on how to migrate from Azure AD legacy MFA and SSPR policies.
Solution #
To carry out the migration from the separate Azure AD legacy MFA and SSPR policies into the unified (combined) Azure AD authentication methods policy, carry out the following steps.
Step 1 - Keep note of the legacy MFA authentication methods policy settings #
Login to the Azure AD portal (https://aad.portal.azure.com/) as a global admin user and navigate to Azure Active Directory > Security > Multifactor Authentication > Additional cloud-based multifactor authentication settings.
The following table lists methods available in the legacy MFA policy and corresponding methods in the Authentication method policy.
| Multifactor authentication policy | Authentication method policy |
|---|---|
| Call to phone | Voice calls |
| Text message to phone | SMS |
| Notification through mobile app | Microsoft Authenticator |
| Verification code from mobile app or hardware token | Third party software OATH tokens Hardware OATH tokens (not yet available) Microsoft Authenticator |
Step 2 - Keep note of the legacy SSPR authentication methods policy settings #
Login to the Azure AD portal (https://aad.portal.azure.com/) as a global admin user and navigate to Azure Active Directory > Password reset > Authentication methods.
Record which users are in scope for SSPR (either all users, one specific group, or no users) and the authentication methods they can use. While security questions aren't yet available to manage in the Authentication methods policy, make sure you record them for later when they are.
| SSPR authentication methods | Authentication method policy |
|---|---|
| Mobile app notification | Microsoft Authenticator |
| Mobile app code | Microsoft Authenticator Software OATH tokens |
| Email OTP | |
| Mobile phone | Voice calls SMS |
| Office phone | Voice calls |
| Security questions | Not yet available; copy questions for later use |
Step 3 - Enable the new Azure AD authentication method policy and disable the legacy MFA and SSPR policies #
On the "Authentication methods policy" page, click on "Manage migration".
Set the migration state to "Migration in progress".
Now first enable the new Azure AD authentication methods policy.
Then disable the legacy MFA and SSPR policies.
When you determine that MFA and SSPR work as expected and you no longer need the legacy MFA and SSPR policies, you can change the migration progress to "Migration Complete".
You migration is now completed.
In this mode, Azure AD only follows the Authentication methods policy. No changes can be made to the legacy policies if Migration Complete is set, except for security questions in the SSPR policy. If you need to go back to the legacy policies for some reason, you can move the migration state back to Migration in Progress at any time.
