How to migrate from Azure AD legacy MFA and SSPR policies

Case #

Microsoft recently announced in March 2023 that they will be combining the legacy MFA and legacy SSPR policies in Azure AD into a single Azure AD authentication methods policy. More details on this announcement can be found at: https://stefanos.cloud/list-of-discontinued-services-in-microsoft-azure/.

As a result, all Azure AD administrators must ensure that by end of year 2023 their tenants migrate from Azure AD legacy MFA and SSPR policies into the new Azure AD authentication method policy. The Azure AD authentication methods policy is a combined policy for managing authentication methods for both MFA and SSPR.

This article provides guidance on how to migrate from Azure AD legacy MFA and SSPR policies.

Solution #

To carry out the migration from the separate Azure AD legacy MFA and SSPR policies into the unified (combined) Azure AD authentication methods policy, carry out the following steps.

Step 1 – Keep note of the legacy MFA authentication methods policy settings #

Login to the Azure AD portal (https://aad.portal.azure.com/) as a global admin user and navigate to Azure Active Directory > Security > Multifactor Authentication > Additional cloud-based multifactor authentication settings.

The following table lists methods available in the legacy MFA policy and corresponding methods in the Authentication method policy.

Multifactor authentication policyAuthentication method policy
Call to phoneVoice calls
Text message to phoneSMS
Notification through mobile appMicrosoft Authenticator
Verification code from mobile app or hardware tokenThird party software OATH tokens
Hardware OATH tokens (not yet available)
Microsoft Authenticator

Step 2 – Keep note of the legacy SSPR authentication methods policy settings #

Login to the Azure AD portal (https://aad.portal.azure.com/) as a global admin user and navigate to Azure Active Directory > Password reset > Authentication methods.

Record which users are in scope for SSPR (either all users, one specific group, or no users) and the authentication methods they can use. While security questions aren’t yet available to manage in the Authentication methods policy, make sure you record them for later when they are.

SSPR authentication methodsAuthentication method policy
Mobile app notificationMicrosoft Authenticator
Mobile app codeMicrosoft Authenticator
Software OATH tokens
EmailEmail OTP
Mobile phoneVoice calls
SMS
Office phoneVoice calls
Security questionsNot yet available; copy questions for later use

Step 3 – Enable the new Azure AD authentication method policy and disable the legacy MFA and SSPR policies #

On the “Authentication methods policy” page, click on “Manage migration”.

Set the migration state to “Migration in progress”.

Now first enable the new Azure AD authentication methods policy.

Then disable the legacy MFA and SSPR policies.

When you determine that MFA and SSPR work as expected and you no longer need the legacy MFA and SSPR policies, you can change the migration progress to “Migration Complete”.

You migration is now completed.

In this mode, Azure AD only follows the Authentication methods policy. No changes can be made to the legacy policies if Migration Complete is set, except for security questions in the SSPR policy. If you need to go back to the legacy policies for some reason, you can move the migration state back to Migration in Progress at any time.

Source #

https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage

Powered by BetterDocs