Thank you for your post!
Unfortunately, there currently isn't a way to differentiate between MFA and SSPR policies within the new Authentication methods policy for Microsoft Entra ID.
As mentioned in the migration documentation, you'll need to consider each method and decide whether it should be available in all situations.
- If you want to enable a method for both MFA and SSPR, you can enable it for all users in the Authentication methods policy. - If you want to disable a method for both MFA and SSPR, you can leave it off for all users in the Authentication methods policy. - If you want to enable a method for only one policy, you will need to decide whether it should be available in all situations. Where the policies match, you can easily match your current state. Where there's a mismatch, you'll need to decide whether to enable or disable the method altogether.
As this looks to be a current feature limitation, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.
Additional Links:
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.