This seems to be a common issue when migrating to the new Microsoft Authentication Policy. It looks like you're caught between two conflicting requirements:
- The migration requires you to disable all methods in the legacy MFA and SSPR policies.
- The system doesn't allow you to disable all auth methods to prevent potential lockouts.
Here's a step-by-step approach to resolve the issue:
- Disable Most, But Not All, Methods:
  - Go to the legacy MFA and SSPR settings.
  - Disable all methods except for one (e.g., leave SMS or phone call enabled). This will prevent the system from throwing the "cannot disable all auth methods" error.
- Migrate to the New Policy:
  - Now, try saving the new migration state. With only one method enabled, the system should treat it as compliant with the migration requirements.
- Finalize the New Policy:
  - Once migrated, adjust the settings in the new Microsoft Authentication Policy as needed. This is where you can fine-tune which methods you want to have enabled or disabled.