Migrate to the Authentication methods policy in Azure Active Directory by 30 September 2024

Question

Migrate to the Authentication methods policy in Azure Active Directory by 30 September 2024

Pablo Esteban Trujillo 70

On 30 September 2024, the ability to manage authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will be retired. Before that date, you'll need to migrate to the Authentication methods policy in Azure AD, which provides all the same capabilities, plus it enables you to:

Centrally manage MFA, SSPR, and passwordless authentication methods.
More granularly target authentication methods to groups of users instead of all users.
Access more secure authentication methods that will be part of future updates of this policy.

Kaepernick, Lennart 15 Reputation points

2023-04-05T11:01:56.65+00:00

Will this migration have effects for users themselves? I am supervising several tenants for customers with up to some hundred users and want to know, what this migration will cause with their existing settings for MFA and SSPR. If it's likely that I need to get in touch with all users, it would be good to know for planning and organizing the migration. Or can this also be done without any side effects like just checking the current global settings for MFA and SSPR, then deploying them into the new Authentication policies and that's it? I would assume, that this is the case but I want to be sure before starting the migration.
Thompson, Will 5 Reputation points

2023-05-18T20:35:00.59+00:00

Any response on if this will have end user impact/interaction?
Eelco Litjens 0 Reputation points

2023-06-21T11:50:35.8666667+00:00

For some customers, we use Okta as the MFA identity handler, will this have effect on that integration? Okta acts as master and does the provisioning and syncing of create/update and deactivation of users as well as Password sync.
Bertel Andreas Harboe-Møller (00208) 0 Reputation points

2023-07-28T07:54:20.4033333+00:00
Confusing understanding about what should be disabled in the Legacy services.

MFA - I can find this service just fine and disable - so far so good. But when I disable MFA I got the warning: Disabling all authentication methods could lock out your users. Ensure that you have enough authentication methods enabled in the new authentication methods policy before saving. I do have configured the new settings - should I then take any notice?

SSPR - should I disable SSPR, the first property - none, group or all – choosing ‘none’ or will the SSPR continue with my old setup? I do know / see some of the new Authentication Policies serve the SSPR - like SMS and email OTP - usable only for Self-Service Password Recovery. But my Security questions aren't covered yet, so should I disable the SSPR for now or some of the SSPR authentication methods?

Are there any other Legacy services to be disabled?

In the Identity Protection Service there are: a) Protect - User risk policy, Sign-in risk policy and Multifactor authentication registration policy b) Report - Risky users, Risky workload identities, Risky sign-ins and Risk detections Should I change any settings for this service, and will the reports still work?
Nevan Jack 0 Reputation points

2023-08-30T21:19:17.39+00:00

Is there any confirmation that Hardware OATH Tokens are supported within the new MFA Policies? We did do the majority of the migration but still have it open until the Hardware OATH Tokens are confirmed supported.

Thank you.

2 answers

Your answer

Kaepernick, Lennart 15 Reputation points

2023-04-05T11:01:56.65+00:00

Will this migration have effects for users themselves? I am supervising several tenants for customers with up to some hundred users and want to know, what this migration will cause with their existing settings for MFA and SSPR. If it's likely that I need to get in touch with all users, it would be good to know for planning and organizing the migration. Or can this also be done without any side effects like just checking the current global settings for MFA and SSPR, then deploying them into the new Authentication policies and that's it? I would assume, that this is the case but I want to be sure before starting the migration.
Thompson, Will 5 Reputation points

2023-05-18T20:35:00.59+00:00

Any response on if this will have end user impact/interaction?
Eelco Litjens 0 Reputation points

2023-06-21T11:50:35.8666667+00:00

For some customers, we use Okta as the MFA identity handler, will this have effect on that integration? Okta acts as master and does the provisioning and syncing of create/update and deactivation of users as well as Password sync.
Bertel Andreas Harboe-Møller (00208) 0 Reputation points

2023-07-28T07:54:20.4033333+00:00

Confusing understanding about what should be disabled in the Legacy services.

MFA - I can find this service just fine and disable - so far so good. But when I disable MFA I got the warning: Disabling all authentication methods could lock out your users. Ensure that you have enough authentication methods enabled in the new authentication methods policy before saving. I do have configured the new settings - should I then take any notice?

SSPR - should I disable SSPR, the first property - none, group or all – choosing ‘none’ or will the SSPR continue with my old setup? I do know / see some of the new Authentication Policies serve the SSPR - like SMS and email OTP - usable only for Self-Service Password Recovery. But my Security questions aren't covered yet, so should I disable the SSPR for now or some of the SSPR authentication methods?

Are there any other Legacy services to be disabled?

In the Identity Protection Service there are: a) Protect - User risk policy, Sign-in risk policy and Multifactor authentication registration policy b) Report - Risky users, Risky workload identities, Risky sign-ins and Risk detections Should I change any settings for this service, and will the reports still work?
Nevan Jack 0 Reputation points

2023-08-30T21:19:17.39+00:00

Is there any confirmation that Hardware OATH Tokens are supported within the new MFA Policies? We did do the majority of the migration but still have it open until the Hardware OATH Tokens are confirmed supported.

Thank you.

Answer 1

Marilee Turscak-MSFT 37,271 Microsoft Employee Moderator

For more information, see:

How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD
Manage authentication methods for Azure AD

As mentioned, the unified Authentication methods policy in Azure AD consolidates multifactor authentication (MFA), SSPR, and passwordless authentication methods into one management location and allows for more granular control over authentication methods, including separate controls for each type of OATH token.

Answer 2

@Pablo Esteban Trujillo Thank you for your post!

I understand that you have a question regarding the Authentication methods policy migration within Azure AD. I'll add onto what was shared by Marilee to hopefully help point you in the right direction.

Azure Multi-Factor Authentication Server will be deprecated 30 September 2024:

Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization.

Required action:

To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service using the latest Migration Utility included in the most recent Azure MFA Server update. Learn more at Azure MFA Server Migration. 

I hope this helps!

If you have any other questions, please let us know.

Additional links:

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Sai Abhilash 20 Reputation points

2024-01-17T07:26:20.5466667+00:00

In My portal ,in the section of manage migration .i could see the deadline date in sep 30 2025 .Is deadline extended ?
Givary-MSFT 35,761 Reputation points Microsoft Employee Moderator

2024-01-22T12:12:13.96+00:00

@sai abhilash Yes, right date has been changed from 30th Sept 2024 to 30th Sept 2025.
Sai Abhilash 20 Reputation points

2024-01-22T12:29:47.36+00:00

Thank you sir for reply .

Share via

Migrate to the Authentication methods policy in Azure Active Directory by 30 September 2024

2 answers

Your answer