Unified Authentication methods policy changes
The unified Authentication methods policy replaces separate, legacy MFA and SSPR tenant policies with a single place to configure which methods are allowed and how they’re used for both sign-in (MFA) and self-service password reset.
Key changes it introduces:
- A single Authentication methods policy controls methods for both MFA and SSPR instead of separate legacy MFA/SSPR policies.
- Methods can be targeted to users and groups through this unified policy.
- Once migration is set to Migration Complete, legacy MFA and SSPR method settings are ignored for authentication and SSPR, and only the Authentication methods policy is enforced.
- Security questions remain managed only in the legacy SSPR policy until a migration control is available.
How to see who is still using legacy policies
The migration state determines whether legacy policies are still in effect:
- Pre-migration: Authentication methods policy is used only for authentication; legacy MFA/SSPR policies are still respected.
- Migration in Progress: Authentication methods policy is used for authentication and SSPR; legacy MFA/SSPR policies are still respected.
- Migration Complete: Only the Authentication methods policy is used; legacy MFA/SSPR policies are ignored (except security questions in SSPR).
To understand whether legacy policies are still affecting users:
- In the Microsoft Entra admin center, go to Entra ID → Authentication methods → Policies → Manage migration and check the migration state.
- If the state is Pre-migration or Migration in Progress, legacy MFA/SSPR policies are still being applied alongside the Authentication methods policy.
- If the state is Migration Complete, users are no longer governed by legacy MFA/SSPR method settings (again, except security questions for SSPR).
The documentation does not provide a per-user report of “who is still using legacy policies”; instead, the migration state controls whether legacy policies are honored at all.
Whether MFA becomes a forced requirement
The unified Authentication methods policy itself does not automatically force MFA for users. It defines which methods are available and usable for:
- MFA sign-in
- SSPR
Whether MFA is actually required is still controlled by MFA-enforcing policies (for example, Conditional Access, per-user MFA, or other tenant policies). During and after migration:
- If MFA was required before (via existing policies), it remains required; the unified policy just centralizes which methods can be used.
- If MFA was not previously required, enabling methods in the Authentication methods policy alone does not, by itself, force MFA.
Whether users are forced to re-register MFA after migration
Migration to the Authentication methods policy does not inherently force users to re-register MFA.
From the provided content:
- The migration guide “configures the Authentication method policy based on what your organization currently has enabled in the legacy MFA and SSPR policies,” so users can continue to sign in and reset passwords using the same methods they used previously.
- After migration is complete, legacy methods are disabled/ignored, but existing registered methods that are valid under the new Authentication methods policy remain usable.
- Users are only forced to re-register MFA if an admin explicitly uses controls such as Require re-register multifactor authentication on a user, or if a method becomes non-usable (for example, due to expiration or policy changes).
So, after completing migration:
- Existing MFA registrations continue to work as long as the corresponding methods are enabled in the Authentication methods policy.
- Users are not globally forced to re-register just because the migration state is set to Migration Complete.
References:
- Manage authentication methods for Microsoft Entra ID
- How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID
- Configure Essential Eight MFA authentication methods
- Plan a Microsoft Entra multifactor authentication deployment
- I need to reset my mfa methods - Microsoft Q&A
- Global Admin Locked out - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- Microsoft Authenticator app doesn't show 6-digit OTP code - Microsoft Q&A
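The following is an added example, not part of the original answer or of Microsoft's documentation. It reads a policy document shaped like the Microsoft Graph `authenticationMethodsPolicy` resource, reports whether legacy MFA/SSPR settings are still honored, and lists which users would lose all usable methods once only the unified policy applies. The tenant data, user names, and the simplification that registrations are already expressed as policy method ids (with group targeting ignored) are assumptions.

```python
import json

# Constructed sample shaped like Graph's authenticationMethodsPolicy resource.
SAMPLE_POLICY = json.loads("""{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Fido2", "state": "enabled"},
    {"id": "Sms", "state": "disabled"},
    {"id": "Voice", "state": "disabled"}
  ]
}""")

# Constructed registrations, keyed by the policy's method ids (assumption: a real
# export needs mapping to these ids; per-group targeting is ignored here).
SAMPLE_USERS = {
    "alice@contoso.example": ["MicrosoftAuthenticator", "Sms"],
    "bob@contoso.example": ["Sms", "Voice"],
    "carol@contoso.example": ["Fido2"],
}

# Migration state -> are legacy MFA/SSPR method settings still respected?
LEGACY_HONORED = {"premigration": True, "migrationinprogress": True,
                  "migrationcomplete": False}

def legacy_policies_honored(policy):
    """True while legacy MFA/SSPR method settings still apply tenant-wide."""
    state = str(policy.get("policyMigrationState", "")).lower()
    if state not in LEGACY_HONORED:
        raise ValueError(f"unrecognised migration state: {state!r}")
    return LEGACY_HONORED[state]

def enabled_methods(policy):
    """Method ids whose configuration is enabled in the unified policy."""
    configs = policy.get("authenticationMethodConfigurations", [])
    return {c["id"] for c in configs if c.get("state") == "enabled"}

def cutover_report(policy, users):
    """Per user: registered methods that stay usable or stop being usable."""
    allowed = enabled_methods(policy)
    report = {}
    for upn, registered in users.items():
        kept = sorted(m for m in registered if m in allowed)
        lost = sorted(m for m in registered if m not in allowed)
        report[upn] = {"kept": kept, "lost": lost, "stranded": not kept}
    return report

if __name__ == "__main__":
    print(legacy_policies_honored(SAMPLE_POLICY), cutover_report(SAMPLE_POLICY, SAMPLE_USERS))
```

Users flagged `stranded` have no registered method that is enabled in the unified policy, so they are the ones who would need to register a new method before the state is set to Migration Complete.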