MFA/SSPR Migration Impact and Feature Availability Ahead of September 2025 Deadline

LeRoy, Kevin 185 reputation points
2025-08-15T13:45:15.5533333+00:00

To align with Microsoft’s announced deprecation of legacy MFA and SSPR policies by September 30, 2025, we are actively moving our configurations to the new Authentication Methods policy and Conditional Access policies using Authentication Strengths.

As part of this transition, it is essential that we maintain our current 6-digit code–only MFA experience, without enabling push notifications. This requirement is critical to our operational model and user experience.

We are seeking clarification on the following points to ensure a smooth and secure migration:

Guest and External User Access
Will migration to the new policies affect:

  • Guest user access
  • One-time email codes
  • External user workflows

If so, what risks or limitations should we anticipate—particularly regarding fallback methods?

Security Questions for SSPR
We understand that security questions are not yet supported in the new Authentication Methods policy. Could you provide:

  • A timeline for when this feature will be fully supported
  • Confirmation that it will be available before the September 2025 cutoff, allowing us to avoid reliance on legacy SSPR

Testing Observations
Our internal testing shows no impact on current user experience. However, we would appreciate insight into:

  • Any known edge cases or scenarios where legacy behavior may differ from the new policy model
  • The potential impact on the user types listed above

We appreciate any guidance or timelines Microsoft can share to help us maintain continuity for both internal and external users while aligning with Microsoft’s security best practices.

Answer accepted by the question author
  1. Swaroop Kolli 5,180 reputation points Microsoft External Staff Moderator
    2025-08-18T04:22:37.6033333+00:00

    Hello @LeRoy, Kevin,

    There are no risks and limitations if you use the same methods that are used in the legacy authentication methods policy in the new authentication methods policy.

    Replicating the legacy policies with the modern authentication method policies would not have any effect on guest user access, email OTP and External user workflows.

    You can definitely use the 6-digit code, but you need to make sure that the software OATH tokens method is enabled for the users in the modern authentication methods policy.

    If you do not want to use push notifications and would only like to use the 6-digit code, you can do this by disabling Microsoft Authenticator in the MFA policy but enabling software OATH tokens as an authentication method. Also, please make sure that you disable the registration campaign, which enforces push notifications.

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage

    Managing Security Questions is not yet available in the modern authentication methods policy blade. You can complete the migration and still use Security Questions, but any changes to this method must be done from the SSPR page; you can still use them after migration.

    Please make sure you enable the security questions method in the SSPR blade before the migration itself. This method stays on this page, and there is no concrete information that this method would be moved to the new authentication methods policy page.

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage#security-questions

    I understand that this is a big move to migrate from the legacy to the modern authentication methods policy, but if you enable the same methods and replicate the legacy methods policy in the modern methods policy, the end users would not have any impact and will have a hassle-free experience.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
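
A check for the code-only setup described in the accepted answer, added here as an example and not part of the original thread or of any Microsoft tooling. It audits an exported policy document shaped like the Microsoft Graph `authenticationMethodsPolicy` resource; the sample documents are constructed and the function name `audit_code_only_policy` is hypothetical.

```python
import json

# Constructed sample, shaped like GET /policies/authenticationMethodsPolicy.
# It models a tenant that has NOT yet applied the settings from the answer.
BEFORE = json.loads("""
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {"state": "default"}
  },
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "SoftwareOath", "state": "disabled"}
  ]
}
""")

# Constructed sample with the three settings from the answer applied.
AFTER = json.loads("""
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {"state": "disabled"}
  },
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "disabled"},
    {"id": "SoftwareOath", "state": "enabled"}
  ]
}
""")

def audit_code_only_policy(policy):
    """Return findings; an empty list means the policy matches the answer."""
    # Map each method id to its state; a method missing a state counts as off.
    states = {c["id"]: c.get("state", "disabled")
              for c in policy.get("authenticationMethodConfigurations", [])}
    findings = []
    if states.get("SoftwareOath") != "enabled":
        findings.append("SoftwareOath not enabled: 6-digit codes unavailable")
    if states.get("MicrosoftAuthenticator") == "enabled":
        findings.append("MicrosoftAuthenticator enabled: push not ruled out")
    # The answer says to disable the campaign, so any other state is flagged,
    # including "default", which leaves the decision outside the tenant.
    campaign = (policy.get("registrationEnforcement", {})
                .get("authenticationMethodsRegistrationCampaign", {})
                .get("state", "default"))
    if campaign != "disabled":
        findings.append(f"registration campaign is '{campaign}', not 'disabled'")
    return findings
```

Run it against an export taken before and after the change; security questions are not covered because, per the answer, they stay on the SSPR page.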
