Authentication Policy (MFA and SSPR) - Different methods for MFA and SSPR

Roger Müller 0 Reputation points
2024-01-30T14:54:17.27+00:00

In the legacy MFA and SSPR policies we use different methods. For example, for MFA we only accept secure methods like Authenticator, FIDO2, etc. For SSPR we enforce two methods but also allow SMS as an option.

Now, as we have to migrate to Authentication Policies, how can we handle this request, as I cannot distinguish between MFA and SSPR? If I enable the SMS method, the method is available for MFA and SSPR, which I don't want. Is there a configuration that allows this differentiation? Thanks for your answer.


1 answer

  1. JamesTran-MSFT 35,806 Reputation points Microsoft Employee
    2024-01-30T19:44:31.17+00:00

    @Roger Müller

    Thank you for your post!

    Unfortunately, there currently isn't a way to differentiate between MFA and SSPR policies within the new Authentication methods policy for Microsoft Entra ID.

    As mentioned in the migration documentation, you'll need to consider each method and decide whether it should be available in all situations.

    • If you want to enable a method for both MFA and SSPR, you can enable it for all users in the Authentication methods policy.
    • If you want to disable a method for both MFA and SSPR, you can leave it off for all users in the Authentication methods policy.
    • If you want to enable a method for only one policy, you will need to decide whether it should be available in all situations.

    Where the policies match, you can easily match your current state. Where there's a mismatch, you'll need to decide whether to enable or disable the method altogether.

    As this looks to be a current feature limitation, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
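
The per-method decision described in the answer can be tabulated before migrating; the following is an added example, not code from the thread or from Microsoft. It uses the method names from the question as plain labels, constructed user registrations, and the assumption that a method left off in the single policy cannot count toward the two methods required for SSPR.

```python
# Added example. Method names are plain labels taken from the question,
# not Microsoft Graph identifiers; the user registrations are constructed.

LEGACY_MFA = {"Authenticator", "FIDO2"}
LEGACY_SSPR = {"Authenticator", "FIDO2", "SMS"}
SSPR_METHODS_REQUIRED = 2  # "For SSPR we enforce two methods"

REGISTRATIONS = {  # constructed sample data: user -> registered methods
    "alice": {"Authenticator", "FIDO2"},
    "bob": {"Authenticator", "SMS"},
    "carol": {"SMS"},
}

def classify(legacy_mfa, legacy_sspr):
    """Split methods into those that match and those needing a decision."""
    matched = legacy_mfa & legacy_sspr
    mismatched = {}
    for method in legacy_mfa ^ legacy_sspr:
        had = "MFA" if method in legacy_mfa else "SSPR"
        gains = "SSPR" if had == "MFA" else "MFA"
        mismatched[method] = {"enable_adds_to": gains,
                              "disable_removes_from": had}
    return matched, mismatched

def below_sspr_minimum(enabled, registrations, required=SSPR_METHODS_REQUIRED):
    """Users with fewer than `required` registered methods that stay enabled.
    Assumption: a method that is off in the policy is unusable for SSPR."""
    return sorted(user for user, regs in registrations.items()
                  if len(regs & enabled) < required)

def option_report(legacy_mfa, legacy_sspr, registrations):
    """For each mismatched method, show the effect of enabling vs. disabling.
    Other mismatched methods are treated as left off while one is evaluated."""
    matched, mismatched = classify(legacy_mfa, legacy_sspr)
    report = {}
    for method, effect in sorted(mismatched.items()):
        report[method] = {
            "enable": {
                "also_allowed_for": effect["enable_adds_to"],
                "below_sspr_minimum": below_sspr_minimum(matched | {method}, registrations),
            },
            "disable": {
                "removed_from": effect["disable_removes_from"],
                "below_sspr_minimum": below_sspr_minimum(matched, registrations),
            },
        }
    return report

if __name__ == "__main__":
    for method, options in option_report(LEGACY_MFA, LEGACY_SSPR, REGISTRATIONS).items():
        print(method, options)
```

With the sample data, enabling SMS makes it available for MFA as well, while leaving it off puts any user who relied on SMS as their second SSPR method below the two-method requirement.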