Hello @LM-5132,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you recently migrated authentication methods from Legacy Verification Options to Modern Authentication Methods.
During the migration, when the "Manage Migration" state was set to "In Progress," all users and administrators were able to log into the admin portals without any issues. However, after you changed the migration state to "Completed," both the admin-1 account and the emergency break glass account started experiencing login issues.
Thank you for providing additional details about the verification options and Modern Authentication Method policies.
Based on the configuration settings in place at the time you completed the migration, it seems that the authentication methods were not properly migrated from Legacy to Modern, which is likely why the admin-1 and emergency break glass accounts faced these login issues. Please refer to the following document for guidance on properly migrating authentication methods from Legacy to Modern:
When transitioning to the "Completed" state, you must ensure that all legacy verification options are unchecked on the Per-User MFA Service settings page, as well as any SSPR (Self-Service Password Reset) authentication methods. After completing these steps, confirm that under Modern Authentication Methods, the Microsoft Authenticator method is enabled for all users without any exclusions. Additionally, enable any other methods your organization plans to use (such as SMS, Phone call, FIDO, or OAuth hardware token). Please refer to the screenshots below for further details.
Uncheck legacy verification options
Uncheck SSPR Authentication methods
Note: If your tenant is using security questions for SSPR authentication methods, do not uncheck that option.
Once these steps are completed, ensure that Modern Authentication Methods are enabled in your tenant. If any user is excluded here, they will not be able to use that authentication method to register or complete the 2FA.
Then, you can safely change the migration status to "Completed."
Cause of the Issue: The admin-1 and emergency break glass accounts were likely excluded from Modern Authentication Methods, which prevented them from completing the 2FA process. Once you reverted the migration state back to "In Progress," the admin-1 account was able to log in successfully.
If you'd like to discuss this configuration more in-depth, I'm happy to connect offline for a remote session to further explain the cause. You can feel free to send me an email at AzCommunity@microsoft.com referencing this issue with a subject line "ATTN:pothurajur" and include a link to the current thread.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
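A pre-flight check for the cause described in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it lists accounts that no enabled modern method covers, so they can be fixed before the state is set to "Completed". It assumes the policy has been exported in the shape of Microsoft Graph's authenticationMethodsPolicy resource and that only group targets are used; the group IDs, memberships and the `break-glass` and `regular-user` names are constructed.

```python
"""Pre-flight check before setting the migration state to "Completed"."""

# Constructed sample shaped like Microsoft Graph's authenticationMethodsPolicy
# resource (GET /policies/authenticationMethodsPolicy). All IDs are made up.
SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": [{"targetType": "group", "id": "grp-privileged"}]},
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "grp-helpdesk"}],
         "excludeTargets": []},
        {"id": "Sms", "state": "disabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": []},
    ],
}

# Constructed group memberships for the accounts named in the thread.
SAMPLE_ACCOUNTS = {
    "admin-1": {"grp-privileged"},
    "break-glass": {"grp-privileged"},
    "regular-user": {"grp-staff"},
}


def usable_methods(policy, group_ids):
    """Return the enabled methods that target these groups and do not exclude them."""
    methods = []
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("state") != "enabled":
            continue
        included = {t["id"] for t in cfg.get("includeTargets") or []}
        excluded = {t["id"] for t in cfg.get("excludeTargets") or []}
        targeted = "all_users" in included or bool(included & group_ids)
        if targeted and not (excluded & group_ids):
            methods.append(cfg["id"])
    return methods


def blocked_accounts(policy, accounts):
    """Accounts that would have no method to register or complete 2FA with."""
    return sorted(name for name, groups in accounts.items()
                  if not usable_methods(policy, groups))


if __name__ == "__main__":
    for name in blocked_accounts(SAMPLE_POLICY, SAMPLE_ACCOUNTS):
        print(f"{name}: no usable modern method; do not set Completed yet")
```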