Thank you for reaching out to the Microsoft Azure QnA platform.
The migration to the Authentication methods policy in Microsoft Entra ID is a process where you move your legacy policy settings that separately control multifactor authentication (MFA) and self-service password reset (SSPR) to a unified management system.
Basically, on 30 September 2025, the ability to manage authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will be retired. Before that date, you'll need to migrate to the Authentication methods policy in Entra ID, which provides all the same capabilities, plus it enables you to:
- Centrally manage MFA, SSPR, and passwordless authentication methods.
- More granularly target authentication methods to groups of users instead of all users.
- Access more secure authentication methods that will be part of future updates of this policy.
Below are the steps you might need to take:
- Audit your existing policy settings: Document the settings for each authentication method available for your users. If you aren’t using SSPR and aren’t yet using the Authentication methods policy, you only need to get settings from the MFA policy.
- Review the legacy MFA policy: Document which methods are available in the legacy MFA policy.
- Review the legacy SSPR policy: Document the authentication methods available in the legacy SSPR policy.
- Start the migration: Log in to the Microsoft Entra admin center and select Manage migration.
If you don’t migrate, your users will not be affected immediately. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. However, in March 2023, Microsoft announced the deprecation of managing authentication methods in the legacy MFA and SSPR policies. This means that these legacy policies will eventually be phased out, and it’s recommended to migrate to the new Authentication methods policy.
If your users do not have MFA enabled, they will be prompted to register the next time that MFA is required at sign-in. It’s advisable to set Microsoft Authenticator as the default MFA method for users.
To avoid any disruptions in service, migrate your authentication methods from the MFA and SSPR policies to the Authentication methods policy before 30 September 2025.
If you need more detailed instructions or have specific questions, I recommend checking out the official Microsoft Learn documentation. It provides a comprehensive guide on how to migrate to the Authentication methods policy.
Documentation links:
- How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
- Manage authentication methods for Microsoft Entra ID: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage
- Plan a Microsoft Entra multifactor authentication deployment: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted
Adding to the above details, you can refer to this video - https://www.youtube.com/watch?v=vzKugABBxsk (recorded by one of our Microsoft engineers), where he explained the Authentication methods policy in detail.
Let us know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
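As an added example (not part of the answer above and not Microsoft's code), the audit steps can be checked with a short script that compares the methods documented from the legacy MFA and SSPR policies against an export of the Authentication methods policy. The JSON is a constructed sample shaped like the Microsoft Graph `authenticationMethodsPolicy` resource, and the legacy method lists, group id and function names are hypothetical.

```python
import json

# Constructed sample, shaped like a Microsoft Graph
# GET /policies/authenticationMethodsPolicy response (values are made up).
POLICY_JSON = """
{
  "policyMigrationState": "preMigration",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}]},
    {"id": "Voice", "state": "disabled", "includeTargets": []},
    {"id": "Email", "state": "disabled", "includeTargets": []}
  ]
}
"""

# Hypothetical audit notes: methods documented as enabled in each legacy policy,
# written with the method ids used by the Authentication methods policy.
LEGACY_MFA = {"MicrosoftAuthenticator", "Sms", "Voice"}
LEGACY_SSPR = {"MicrosoftAuthenticator", "Email"}


def audit(policy, legacy_mfa, legacy_sspr):
    """Compare tenant-wide legacy methods with the new policy's coverage."""
    configs = {c["id"].lower(): c for c in policy.get("authenticationMethodConfigurations", [])}
    findings = {}
    for method in sorted(legacy_mfa | legacy_sspr):
        cfg = configs.get(method.lower())
        if cfg is None or cfg.get("state") != "enabled":
            findings[method] = "not enabled in Authentication methods policy"
            continue
        targets = {t.get("id") for t in cfg.get("includeTargets", [])}
        if "all_users" not in targets:
            # Legacy policies are tenant-wide; a group-scoped method covers fewer users.
            findings[method] = "enabled only for specific groups"
    return {"migration_state": policy.get("policyMigrationState"), "findings": findings}


def ready_to_complete(report):
    """True only when no legacy method would lose coverage."""
    return not report["findings"]


if __name__ == "__main__":
    report = audit(json.loads(POLICY_JSON), LEGACY_MFA, LEGACY_SSPR)
    print("Migration state:", report["migration_state"])
    for method, issue in report["findings"].items():
        print(f"  {method}: {issue}")
    print("Safe to complete migration:", ready_to_complete(report))
```

Any method listed in the findings is one that users rely on under the legacy policies but would lose, or keep only for some groups, once the legacy policies stop being honoured.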