Error when I try to migrate to new Microsoft Authentication Policy

Kate Hearne 5 Reputation points

So when I go to save the new migration state, I get an error that says disable all methods in the legacy MFA and SSPR policies, then when I disable it all I get another error that says cannot disable all auth methods in the user credential policy. Enable at least one auth method to prevent lockout.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
16,693 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Brian Zarb 1,575 Reputation points

    This seems to be a common issue when migrating to the new Microsoft Authentication Policy. It looks like you're caught between two conflicting requirements:

    1. The migration requires you to disable all methods in the legacy MFAand SSPR policies.
    2. The system doesn't allow you to disable all auth methods to prevent potential lockouts.

    Here's a step-by-step approach to resolve the issue:

    1. Disable Most, But Not All, Methods:
      • Go to the legacy MFA and SSPR settings.
        • Disable all methods except for one (e.g., leave SMS or phone call enabled). This will prevent the system from throwing the "cannot disable all auth methods" error.
    2. Migrate to the New Policy:
      • Now, try saving the new migration state. With only one method enabled, the system should treat it as compliant with the migration requirements.
    3. Finalize the New Policy:
      • Once migrated, adjust the settings in the new Microsoft Authentication Policy as needed. This is where you can fine-tune which methods you want to have enabled or disabled.