Authentication Method policy migration question

John Wooldridge 21 Reputation points
2025-06-02T23:04:08.0733333+00:00

During the new authentication method policy migration that is taking place Sept 30th 2025, consider the following:

  • The tenant does not have Security Defaults enabled
  • The tenant does not have a license, thus no Conditional Access policies applied
  • The only thing forcing users with MFA requirement is the per-user MFA settings of "enforced"

If the above is true, after the migration is fully complete and legacy components are disabled:

Question 1: Are the per-user enforced/enabled/disabled still functional after the migration is complete?

Or in other words:

Question 2: Are all users (even those previously set to enforced status in per-user MFA) no longer being required to use MFA, and it has now become optional for all users since the enforced status is no longer honored?

Question 3: Are the users set to disabled status in per-user MFA now receiving MFA requests since the disabled status is no longer honored?

NOTE: There have been some incomplete answers on this question, they do not cite Microsoft documentation. PLEASE do not use previous Q&A answers. Or if so, PLEASE link to Microsoft documentation that states the answer to this question, or please have MS support agent verify.

Thank you!


Accepted answer
  1. Aleksej Skuza 96 Reputation points
    2025-06-03T06:38:49.62+00:00

    Hello, here's my knowledge:

    Question 1: Are the per-user enforced/enabled/disabled still functional after the migration is complete?

    Yes, it is still working fine.

    Question 2: Are all users (even those previously set to enforced status in per-user MFA) no longer being required to use MFA, and it has now become optional for all users since the enforced status is no longer honored?

    No, they will require MFA after migration

    Question 3: Are the users set to disabled status in per-user MFA now receiving MFA request since the disabled status is no longer honored?

    No, disabled MFA still will not trigger an MFA requirement for users after migration.

    The migration of legacy MFA only affects which methods you let users use as MFA methods.

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage#review-the-legacy-mfa-policy

    Only the red-lined settings are migrated to Entra ID.

    [Screenshot that shows the legacy Microsoft Entra multifactor authentication policy.]

    So, basically you need to replicate them here:

    [Screenshot of the Authentication methods policy blade with highlighted wizard entry point.]

    You have to ensure you let users use auth methods, like SMS, Authenticator app, FIDO key, etc.


1 additional answer

  1. Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
    2025-06-03T06:59:44.19+00:00

    Hello @John Wooldridge

    After the September 30, 2025, migration to the Authentication methods policy, per-user MFA states (Disabled/Enabled/Enforced) will no longer function.
    Question 1: Are per-user MFA states still functional post-migration?

    No. Once legacy policies are deprecated and disabled:
    The Enforced state loses its ability to require MFA for users

    The documentation confirms that legacy policy settings (including per-user MFA states) are replaced by the Authentication methods policy.
    concept-authentication-methods-manage

    Question 2: Are all users no longer required to use MFA?

    Yes. Without Conditional Access or Security Defaults:

    Users previously set to Enforced will not be prompted for MFA

    The tenant’s MFA enforcement now depends entirely on the new Authentication methods policy or Conditional Access (neither of which are configured here).

    Question 3: Will disabled users receive MFA requests?

    No. Without any active policies requiring MFA:

    Users previously set to Disabled will not be prompted for MFA

    The Authentication methods policy does not auto-enable MFA unless explicitly configured, which hasn’t occurred here.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

