Migration to Converged Authentication Methods

Intro

This guide will assist in the process of migrating from legacy MFA and legacy SSPR to the new converged authentication methods. On September 30th, 2025, the legacy multifactor authentication and self-service password reset policies will be deprecated, and you’ll manage all authentication methods in the Authentication methods policy.

Note
After all authentication methods are fully migrated, the following elements of the legacy SSPR policy remain active:

– The “Number of methods required to reset” control: admins can continue to change how many authentication methods must be verified before a user can perform SSPR.

– The SSPR administrator policy: admins can continue to register and use any methods listed under the legacy SSPR administrator policy or methods they’re enabled to use in the Authentication methods policy. In the future, both of these features will be integrated with the Authentication methods policy.

SSPR on account used for configuration
Please make sure that the account you will use to migrate is currently enabled for SSPR. If not, enroll 3 authentication methods for the user via aka.ms/mfasetup.

Verify missing migration

Go to Entra ID, then Protection, then Authentication Methods. Select Manage migration to view the current state:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity

Take note that migration has not started yet:

Now that you have confirmed that migration has not begun, please proceed.

Enable new policies

On the same page, please enable all relevant methods. In this example, Microsoft Authenticator, Third-party OATH Tokens (e.g. the OTP in RDM used by Fellowmind), Temporary Access Pass, SMS and email are enabled. If you need to include only some users, apply these policies to a group. Remember that these policies both enable the methods for MFA and determine which methods users must register to qualify for self-service password reset.

Microsoft Authenticator policy

is configured this way:

SMS policy

is configured this way:

Temporary Access Pass policy

is configured this way (consider raising the length to 15):

Email and third-party OTP

These policies are just enabled as default for my demonstration.

SSPR Policy

Take note of the current legacy SSPR policy:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods/fromNav/Identity


And of its Authentication Methods sub-policy (as of now, this sub-policy is still used by the new converged methods to determine which methods are required to qualify for SSPR).

Disable legacy SSPR

Set the legacy SSPR policy to None and save.

Legacy MFA

Open the legacy MFA portal:
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?BrandContextID=O365

Remove all the checkmarks and save.

Finish migration

Now that you have enabled all the new policies and disabled legacy SSPR and legacy MFA (wait 2-5 minutes), you can finish the migration on the Authentication Methods, Policies, Manage Migration page:

Set to Migration Complete and save.
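The same final checks and the migration switch can also be done against Microsoft Graph, which is handy when you want to confirm every method is really enabled before flipping the state. The PowerShell below is an added example and is not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.AuthenticationMethod permission, and uses the Graph configuration ids MicrosoftAuthenticator, SoftwareOath, TemporaryAccessPass, Sms and Email for the methods enabled in this guide.

```powershell
# Added example (not from the original post): audit the converged
# authentication methods policy via Microsoft Graph, then finish migration
# only when every method this guide enables reports state = enabled.
# Assumes the Microsoft Graph PowerShell SDK and the
# Policy.ReadWrite.AuthenticationMethod permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

# 1. Current migration state: preMigration, migrationInProgress or migrationComplete
$policy = Invoke-MgGraphRequest -Method GET -Uri $base
"Migration state: $($policy.policyMigrationState)"

# 2. The methods enabled earlier in this guide; each should be "enabled"
$expected = @("MicrosoftAuthenticator", "SoftwareOath", "TemporaryAccessPass", "Sms", "Email")
$missing = @()
foreach ($id in $expected) {
    $cfg = Invoke-MgGraphRequest -Method GET -Uri "$base/authenticationMethodConfigurations/$id"
    "{0,-24} {1}" -f $id, $cfg.state
    if ($cfg.state -ne "enabled") { $missing += $id }
}

# 3. Temporary Access Pass length: the guide suggests raising it to 15
$tapUri = "$base/authenticationMethodConfigurations/TemporaryAccessPass"
$tap = Invoke-MgGraphRequest -Method GET -Uri $tapUri
if ($tap.defaultLength -lt 15) {
    Invoke-MgGraphRequest -Method PATCH -Uri $tapUri -Body @{
        "@odata.type" = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        defaultLength = 15
    }
    "Temporary Access Pass default length raised to 15"
}

# 4. Legacy MFA and legacy SSPR are not readable through Graph, so they must
#    already have been disabled in the portals as described above.
#    Only flip the switch when every expected method is enabled.
if ($missing.Count -eq 0) {
    Invoke-MgGraphRequest -Method PATCH -Uri $base -Body @{ policyMigrationState = "migrationComplete" }
    "Migration state set to migrationComplete"
} else {
    "Not finishing migration; still not enabled: $($missing -join ', ')"
}
```

Run it once before saving the Migration Complete setting in the portal; if it reports a method as not enabled, go back to the Enable new policies step.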

You have now completed migration to converged authentication methods! 🙂
