Microsoft is retiring its legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies. Starting September 30, 2025, these older policies will no longer be configurable, so enterprises and IT admins need to transition to the unified and far more flexible Authentication Methods policy in Microsoft Entra ID.
Why migrate?
- Consolidated management: Rather than juggling separate settings for MFA and password reset, you can now handle all authentication methods in one place—streamlining administration and improving oversight.
- Enhanced flexibility: The new policy supports modern methods such as Passkey (FIDO2), Temporary Access Pass, and other passwordless options. Admins can also target methods at user groups, not just the whole tenant.
- Stronger security: Granular controls like setting location visibility for Microsoft Authenticator push notifications help prevent accidental or unauthorized approvals.
Migration Options: Automated or Manual?
Automated Migration (Quick & Painless)
Microsoft provides an automated migration wizard accessible via the Entra admin center:
- Navigate to Protection > Authentication methods.
- Click Begin automated guide, review the consolidated settings mapped from your legacy policies, optionally tweak them, then click Migrate and Complete.
- Legacy policies become grayed out and the unified policy takes charge.
Admins love this method for its accuracy, speed, and low error risk compared to manual copy‑and‑paste configuration.
Manual Migration (Hands-on Control)
Prefer a more controlled approach? Here’s a concise manual workflow:
- Audit existing MFA and SSPR settings under the legacy portals.
- Configure the new Authentication Methods policy with equivalent settings—add your existing options like SMS, Voice calls, Authenticator, OATH tokens, etc.
- Set Manage migration to Migration in Progress so both legacy and new policies are operational.
- Disable all legacy MFA and SSPR settings.
- Switch migration status to Complete—now only the unified policy is enforced.
- Test thoroughly to ensure no service issues or user lockouts.
Real-World Insights from Admins
Admins report a smooth transition, provided you keep feature parity during migration:
“No issues at all. Only better control of MFA and SSPR. Just make sure to configure the Authentication Methods section with at least the same amount of options that you currently have or more, or your users may get prompted to re‑setup MFA after you migrate.”
“I strongly suggest creating a second admin account… ensure you have alternate access in case of any unforeseen issues.”
And from the Microsoft support community:
“Before you start the migration, you need to enable at least one authentication method for all the users in the new Authentication methods.”
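Both cautions quoted above (keep at least the same methods, and have at least one method enabled for all users) can be checked before setting the migration status to Complete. The script below is an added example, not Microsoft's tooling or code from the original article. It assumes the unified policy has been exported as JSON in the shape of Microsoft Graph's `authenticationMethodsPolicy` resource and that the legacy audit has been translated by hand into the new policy's method ids; the sample policy, the group id, and the legacy list are constructed, and exclude targets are not evaluated.

```python
import json

# Constructed sample shaped like Microsoft Graph's authenticationMethodsPolicy
# resource (GET /policies/authenticationMethodsPolicy); not real tenant data.
SAMPLE_POLICY = json.loads("""
{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}]},
    {"id": "Voice", "state": "disabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Fido2", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]}
  ]
}
""")

# Assumption: methods found enabled in the legacy MFA/SSPR audit, already
# translated by hand to the new policy's method ids.
LEGACY_ENABLED = {"MicrosoftAuthenticator", "Sms", "Voice", "SoftwareOath"}


def parity_report(policy, legacy_enabled):
    """Compare audited legacy methods with the unified policy."""
    configs = {c["id"]: c for c in policy.get("authenticationMethodConfigurations", [])}
    enabled = {mid for mid, c in configs.items() if c.get("state") == "enabled"}
    # Enabled methods whose include targets cover every user.
    tenant_wide = {
        mid for mid in enabled
        if any(t.get("id") == "all_users" for t in configs[mid].get("includeTargets", []))
    }
    return {
        "state": policy.get("policyMigrationState"),
        # Legacy methods absent or disabled: users relying on them may be re-prompted.
        "missing": sorted(legacy_enabled - enabled),
        # Legacy methods enabled only for some groups: parity holds for a subset of users.
        "group_scoped": sorted((legacy_enabled & enabled) - tenant_wide),
        "tenant_wide": sorted(tenant_wide),
        "safe_to_complete": legacy_enabled <= enabled and bool(tenant_wide),
    }


if __name__ == "__main__":
    print(json.dumps(parity_report(SAMPLE_POLICY, LEGACY_ENABLED), indent=2))
```

A non-empty `missing` list means the unified policy offers fewer methods than the legacy settings did, which is the condition the first quote warns will trigger MFA re-registration prompts.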
Migration Checklist at a Glance
| Step | What to Do |
|---|---|
| 1. Audit | Capture current MFA/SSPR configurations. |
| 2. Plan | Choose between Automated or Manual migration. |
| 3. Configure | Enable desired methods (SMS, Authenticator, FIDO2, etc.) in the new policy. |
| 4. Safeguard | Ensure at least one method is enabled for all users. |
| 5. Migrate | Run wizard or follow manual process. |
| 6. Disable legacy | Remove old settings to complete migration. |
| 7. Validate | Test login flows, password resets, and user experience. |
| 8. Backup | Have a secondary admin or recovery route during the process. |
Final Thoughts
Migrating from legacy MFA and SSPR policies to the central Authentication Methods policy isn’t just a mandatory deadline—it’s an upgrade. Why wait until September 2025? Whether you’re just starting or already halfway there, now is the perfect time to transition to a stronger, smarter, and more manageable authentication framework.
