Migrating Authentication Methods in Entra ID

  • Writer: Pascal
  • Jun 7

Intro

In this blog post, we discuss an important change that Microsoft will implement regarding the authentication methods in Microsoft Entra ID. This change is essential for enhancing security and simplifying the management of authentication methods. It is crucial that this change is implemented before September 30, 2025, as Microsoft will otherwise enforce it automatically.


What does this change involve?

The change concerns the migration from legacy policies for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) to integrated management through the authentication methods policy. This means that all authentication methods will now be centrally managed, enabling a more unified and secure policy.


Why do we need to implement this change?

  • Enhanced security: By using modern and secure authentication methods such as passwordless sign-in and Microsoft Authenticator, the organization's security posture is significantly improved.

  • Simplified management: Consolidating MFA and SSPR into a single policy simplifies and streamlines the management of authentication methods.

  • Future-proof: The new policy is more flexible and better prepared for future security challenges.


Steps to be taken:

Step 1: Audit current settings

Review current policy settings:

  • Go to the Microsoft Entra admin center.

  • Record the current settings for MFA and SSPR.

    [Screenshots: Legacy MFA portal settings; SSPR settings]
  • Document authentication methods:

    • Create an overview of the authentication methods currently in use.

    [Screenshot: Entra ID authentication methods]

      Enable the desired authentication methods, such as:

      • Microsoft Authenticator (push notifications)

      • SMS messages

      • OATH software tokens

      • FIDO2 security keys


Step 2: Start the Migration

Open the authentication methods policy:

  • Go to the Microsoft Entra admin center.

  • Navigate to Authentication methods > Authentication methods policy.


Start the migration:

  • Select Manage migration, then choose Migration in progress.

    [Screenshots: Entra authentication methods migration; migration in progress]

Step 3: Update Configuration

Configure authentication methods:

  • Enable the required authentication methods, such as Microsoft Authenticator and passwordless sign-in options.

  • Adjust the settings based on your current policy configuration.


Apply the policy:

  • Confirm the configuration and select Migrate.


Step 4: Validation and Completion

Test the new settings:

  • Ensure that MFA and SSPR are functioning as expected.

  • Perform tests with different user groups.


Complete the migration:

  • Remove the legacy policy configurations.

  • Set the migration status to Migration complete.

    [Screenshot: Entra authentication migration complete]
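
Before setting the status to Migration complete, it helps to compare the methods recorded in Step 1 with what the new policy actually enables. The PowerShell below is an added example, not part of the original post; the function name `Compare-LegacyToPolicy`, the `$legacyInUse` list and the sample JSON are constructed for illustration, and the commented lines show how to read the live policy through Microsoft Graph.

```powershell
# Added example, not from the original post. To read the live policy instead of the
# sample (Microsoft.Graph.Authentication module, Policy.Read.All scope):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#       -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

# Constructed sample in the shape Graph returns; values are illustrative.
$policy = @'
{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    { "id": "MicrosoftAuthenticator", "state": "enabled"  },
    { "id": "Fido2",                  "state": "enabled"  },
    { "id": "Sms",                    "state": "enabled"  },
    { "id": "Voice",                  "state": "disabled" },
    { "id": "SoftwareOath",           "state": "disabled" }
  ]
}
'@ | ConvertFrom-Json

# Assumption: methods recorded by hand from the legacy MFA and SSPR pages in Step 1,
# written with the policy's method ids. Constructed list.
$legacyInUse = 'MicrosoftAuthenticator', 'Sms', 'Voice', 'SoftwareOath'

function Compare-LegacyToPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string[]] $LegacyInUse
    )
    $weak    = 'Sms', 'Voice'   # methods the post suggests disabling
    $enabled = @($Policy.authenticationMethodConfigurations |
                 Where-Object state -eq 'enabled' | ForEach-Object id)
    foreach ($id in ($LegacyInUse + $enabled | Sort-Object -Unique)) {
        $finding = if ($id -in $LegacyInUse -and $id -notin $enabled) {
            'gap: used today, not enabled in new policy'
        } elseif ($id -in $weak -and $id -in $enabled) {
            'weak method enabled in new policy'
        } else { 'ok' }
        [pscustomobject]@{
            Method = $id; Legacy = ($id -in $LegacyInUse)
            NewPolicy = ($id -in $enabled); Finding = $finding
        }
    }
}

Compare-LegacyToPolicy -Policy $policy -LegacyInUse $legacyInUse | Format-Table -AutoSize
if ($policy.policyMigrationState -ne 'migrationComplete') {
    Write-Warning "Legacy policies are still honored (state: $($policy.policyMigrationState))"
}
```

With the sample data, `SoftwareOath` and `Voice` are reported as gaps and `Sms` as a weak method still enabled; a gap means users relying on that method would lose it once the legacy policies stop being honored.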

Risks and User Impact

Risks:

  • Possible temporary disruptions during the migration.

  • Users may need to register new authentication methods.


User Impact:

  • Users might be required to reauthenticate using new authentication methods.

  • Clear communication with users is essential — provide guidance and support where needed.


Best Practices

  • Testing Phase: Perform the migration in phases, starting with a pilot group to identify potential issues early.

  • Communication: Inform users in advance about the changes to authentication methods.

  • Security: Consider disabling less secure methods such as SMS and voice calls. Prioritize modern methods like Microsoft Authenticator or FIDO2 security keys.


Key Dates

  • September 30, 2025: Deadline for migrating to the new Authentication Methods policy.

  • Now: It's recommended to start the migration as soon as possible to allow enough time for testing and adjustments.


Conclusion

Timely execution of this migration is crucial for improving the security and management of authentication methods. By following these steps, you ensure a smooth transition to the new authentication methods policy in Microsoft Entra ID.


For more detailed guidance, refer to the official documentation on the Microsoft Learn website.

