In this post I’ll show you how to migrate the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies to the new unified Authentication Methods policy in Entra ID (formerly known as Azure Active Directory).
Deadline for migration is September 30th, 2025.
These are the key steps you need to take:
- Audit your current MFA and SSPR policies in Entra ID
- Set up the new unified authentication methods policy
- Change the migration status to Migration In Progress
- Disable current MFA and SSPR authentication methods
- Change the migration status to Migration Complete
- Test.
Let’s get started.
P.S. If you are more of a visual person than a text person, I have also recorded a video walkthrough:
Legacy MFA & SSPR to Authentication Methods Policy in Entra ID – Announcement
In September 2023, Microsoft announced:
On September 30th, 2025 we will be retiring the ability to manage authentication methods in the legacy Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in Entra ID. Organizations should migrate their methods to the converged authentication methods policy where methods can be managed centrally for all authentication scenarios including passwordless, multi-factor authentication and self-service password reset.
Migration
Let’s begin.
Step 1: Audit Your Current MFA and SSPR Policies in Entra ID
The first step you need to take is to review your current MFA and SSPR policies.
You should take note or screenshot of the current set up so in case there are issues, you can quickly revert back.
Step 2: Set up the New Unified Authentication Methods Policy
You now need to set up the new policy e.i. the one you are migrating to.
Go through each method and enable the ones you want to use. Most likely that will be Microsoft Authenticator, SMS, and Third-party Software OATH tokens if you are using Google Authenticator, Authy or similar.
Step 3: Change the Migration Status to Migration in Progress
On the new policy, click Manage migration and then select Migration In Progress then click Save.
This will start using the new policy for authentication and SSPR while still respecting the legacy policies.
Step 4: Disable Current MFA & SSPR Authentication Methods
You won’t be able to complete the migration until you disable the current MFA and SSPR authentication methods.
Go to the MFA and SSPR policy pages from Step 1 and untick all enabled authentication methods then save.
Step 5: Change the Migration Status to Migration Complete
Now go back to the new authentication methods policy page from Step 3, click Manage migration then tick Migration Complete and click Save.
You should see a notification in the top right of your screen that the migration is now complete.
From now on, you will manage the MFA and SSPR authentication methods in a single policy that you just set up.
Step 6: Test
You can now test and validate the changes by going through the login flow for your Microsoft tenant.
You should see that authentication methods you set up in your new policy are honoured. If they are the same as your legacy policies then you won’t notice any difference.
The Bottom Line
This update by Microsoft consolidates authentication methods in Entra ID under one policy, streamlining the management of MFA and SSPR policies.