
Migrate to Authentication methods: This policy did not save successfully. Unable to migrate

Ashley Saunders 20 Reputation points
2024-06-12T23:02:01.5566667+00:00

Hello

We are in the process of migrating to the new Auth methods and are unable to set any of the new methods.

We have Email OTP enabled, I do not know for how long this has been enabled.

I have removed the old methods, waited and then tried to apply the new policies to no effect.

I cannot find any detailed errors to investigate.

Manage migration is in progress state and cannot be changed up.

I've just noticed I can't update registration campaign either, same error.

I have gone through the various articles on this and not been able to find a solution.


Answer accepted by question author

Raja Pothuraju 47,595 Reputation points Microsoft Employee Moderator
2024-06-20T06:15:45.6033333+00:00

Hello @Ashley Saunders,

Thank you for your time and patience while troubleshooting the issue over the call.

Error message: "Persistence of policy failed with error: Policy size is larger than allowed. Please change your targeting to fewer groups and try again".

Manage Migration status: Migration in Progress

Cause: This error occurs when the policy size of authentication methods exceeds 20kb, meaning it shouldn't include more than 18 groups.

Troubleshooting steps we took to address the issue:

  1. We checked modern authentication methods in your tenant to verify if any groups were added to the authentication method policies as per the above cause. However, we observed that no methods were enabled, and no groups were added to any of the policies. Please refer to the screenshot below.
  2. As everything appeared correct with modern authentication methods, we then verified other settings in your tenant, such as password reset and Per-user MFA service settings, but without success.
  3. Upon examining the registration campaign settings in your tenant, we noticed that a total of 81 users were added to the excluded users and groups, causing this issue. Please refer to the reference screenshot from my test tenant for an example.


Resolution: The issue was resolved by adding all 81 users into a single group and then adding that single group to the exclusion under the registration campaign excluded users or groups. After making this change, you were able to modify the modern authentication method policy successfully without encountering any errors.

Hope this includes all the information that you were looking for.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.


2 additional answers

  1. Raja Pothuraju 47,595 Reputation points Microsoft Employee Moderator
    2024-06-17T19:14:22.9566667+00:00

    Hello @Ashley Saunders,

    Thank you for your patience, and I apologize for any inconvenience this issue may have caused you. Moving forward, I will ensure we provide you with a timely resolution.

    Based on the recent error message you shared ("Persistence of policy failed with error: Policy size is larger than allowed. Please change your targeting to fewer groups and try again"), it appears to be a known issue. I'll guide you through resolving it.

    Cause: This error occurs when the policy size of authentication methods exceeds 20kb. We can confirm this from the logs, as you are encountering the same error indicating you've hit the policy size limit.

    As a temporary solution, I suggest consolidating the groups included in your authentication methods policies. Try reducing the number of groups or merging them into fewer groups where possible and check if you are able to change the migration state.

    I note that the one policy which is applied is set to selected groups yet no group selected. Could this be the issue?

    No, I believe that one policy is an email OTP authentication method policy. If no group is selected in the email OTP policy, it will not create this kind of issue. You can ignore that even if it is enabled.

    Our primary focus should be on the selected groups included in other authentication method policies. Ensure that the total number of groups across all authentication methods does not exceed 17.

    To get more clarity regarding your auth method policies, could you please provide a screenshot of your modern authentication methods policy?

    If you are still facing issues, we can connect offline to fix this issue.

    Looking forward to your response. Have a great day!

    Thanks,
    Raja Pothuraju.



  2. Abiola Akinbade 30,490 Reputation points Volunteer Moderator
    2024-06-12T23:15:15.61+00:00

    Hello Ashley Saunders,

    Thanks for your question.

    I experienced something similar previously and discovered it was due to legacy SSPR.

    Please check here and confirm if it is a similar issue: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage#review-the-legacy-sspr-policy

    Regards,

    You can mark it 'Accept Answer' if this information helped.

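The two answers from Raja Pothuraju above point at the same underlying check: how many individually targeted users and groups sit across the authentication method policies and the registration campaign. The script below is an added example (not code from this thread, from Microsoft, or from the Entra product) that audits a policy document for that condition and applies the fix the accepted answer used, consolidating individually excluded users into one group. It assumes the JSON shape returned by Microsoft Graph's `GET /policies/authenticationMethodsPolicy` (`registrationEnforcement.authenticationMethodsRegistrationCampaign` plus `authenticationMethodConfigurations[]`, each with `includeTargets`/`excludeTargets` entries carrying `id` and `targetType`). The thresholds (20 KB policy size, 18 targets) are taken from the thread, the helper names `audit_policy` and `consolidate_users` are hypothetical, the sample policy and all GUIDs are constructed, and the byte count is only a rough proxy for whatever size Microsoft measures internally. It goes one step beyond the thread by counting every include/exclude list rather than only the registration campaign.

```python
"""Audit an Entra authentication methods policy document for the
'Policy size is larger than allowed' condition and apply the group
consolidation fix.  Hypothetical helper, not Microsoft code."""
import copy
import json

# Thresholds taken from the thread; treat them as assumptions, not a documented API limit.
MAX_TARGETS = 18
MAX_POLICY_BYTES = 20 * 1024

CAMPAIGN_SCOPE = "registrationCampaign"


def iter_target_scopes(policy):
    """Yield (scope, list_name, targets) for every include/exclude list in the policy."""
    campaign = (policy.get("registrationEnforcement", {})
                      .get("authenticationMethodsRegistrationCampaign", {}))
    for list_name in ("includeTargets", "excludeTargets"):
        yield CAMPAIGN_SCOPE, list_name, campaign.get(list_name, [])
    for cfg in policy.get("authenticationMethodConfigurations", []):
        for list_name in ("includeTargets", "excludeTargets"):
            yield cfg.get("id", "?"), list_name, cfg.get(list_name, [])


def audit_policy(policy, max_targets=MAX_TARGETS, max_bytes=MAX_POLICY_BYTES):
    """Count user/group targets per scope and return findings that explain a size failure."""
    report = {
        "scopes": {}, "user_targets": 0, "group_targets": 0, "total_targets": 0,
        # Compact serialisation as a rough proxy for the stored policy size.
        "approx_bytes": len(json.dumps(policy, separators=(",", ":"))),
        "findings": [],
    }
    for scope, list_name, targets in iter_target_scopes(policy):
        users = sum(1 for t in targets if t.get("targetType") == "user")
        groups = sum(1 for t in targets if t.get("targetType") == "group")
        key = f"{scope}.{list_name}"
        report["scopes"][key] = {"users": users, "groups": groups}
        report["user_targets"] += users
        report["group_targets"] += groups
        report["total_targets"] += len(targets)
        if users:  # individually targeted users are what blew up the policy in the thread
            report["findings"].append(
                f"{key}: {users} individually targeted users; consolidate them into one group")
    if report["total_targets"] > max_targets:
        report["findings"].append(
            f"{report['total_targets']} targets across all lists exceeds {max_targets}")
    if report["approx_bytes"] > max_bytes:
        report["findings"].append(
            f"serialised policy is ~{report['approx_bytes']} bytes, over {max_bytes}")
    report["ok"] = not report["findings"]
    return report


def consolidate_users(policy, scope, list_name, group_id):
    """Return a copy of the policy where every user target in the chosen list is replaced
    by a single group target.  The group itself must be created and populated separately."""
    fixed = copy.deepcopy(policy)
    if scope == CAMPAIGN_SCOPE:
        holder = fixed["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]
    else:
        holder = next(c for c in fixed["authenticationMethodConfigurations"]
                      if c.get("id") == scope)
    targets = holder.get(list_name, [])
    kept = [t for t in targets if t.get("targetType") != "user"]
    if len(kept) != len(targets):
        kept.append({"id": group_id, "targetType": "group"})
    holder[list_name] = kept
    return fixed


def _user_target(n):
    # Constructed placeholder object id, not a real tenant value.
    return {"id": f"00000000-0000-0000-0000-{n:012d}", "targetType": "user"}


# Constructed sample mirroring the thread: 81 users excluded one by one from the campaign.
SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "state": "enabled",
            "snoozeDurationInDays": 1,
            "includeTargets": [{"id": "all_users", "targetType": "group",
                                "targetedAuthenticationMethod": "microsoftAuthenticator"}],
            "excludeTargets": [_user_target(n) for n in range(1, 82)],
        }
    },
    "authenticationMethodConfigurations": [
        {"id": "Email", "state": "enabled", "includeTargets": [], "excludeTargets": []},
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "includeTargets": [{"id": "all_users", "targetType": "group"}],
         "excludeTargets": [{"id": "11111111-1111-1111-1111-111111111111",
                             "targetType": "group"}]},
    ],
}

if __name__ == "__main__":
    before = audit_policy(SAMPLE_POLICY)
    print("before:", json.dumps(before, indent=2))
    fixed = consolidate_users(SAMPLE_POLICY, CAMPAIGN_SCOPE, "excludeTargets",
                              "22222222-2222-2222-2222-222222222222")  # constructed group id
    print("after:", json.dumps(audit_policy(fixed), indent=2))
```

Run it against a real tenant by saving the JSON body of `GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy` to a file and passing the parsed document to `audit_policy`; the per-scope counts show at a glance which include or exclude list is carrying individually targeted users, which the portal screenshots in the thread could only reveal by inspection.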

