Understanding the changes coming to Microsoft MFA | Legacy Settings
Nick Ross: Sep 8, 2025 9:56:07 AM
In March 2023, Microsoft announced the deprecation of managing authentication methods in the legacy multifactor authentication and self-service password reset (SSPR) policies. Beginning September 30, 2025, authentication methods can’t be managed in these legacy MFA and SSPR policies. In this article, I will be breaking down these changes so you understand how to prepare with your customers.
Per-user MFA settings used to be the way we all managed the authentication methods a user could select while setting up multifactor authentication (think SMS, phone, Authenticator, etc.).
Location: Entra ID Admin Center > Multifactor authentication > Getting started > Configure > Additional cloud-based multifactor authentication settings > Service Settings
To manage authentication methods for self-service password reset (SSPR), browse to Entra ID > Password reset > Authentication methods. The Mobile phone option in this policy allows either voice calls or text messages to be sent to a mobile phone. The Office phone option allows only voice calls.
Microsoft is moving all of these settings to a single Authentication methods policy (Entra ID Admin Center > Authentication methods > Policies). The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. Authentication Policy Administrators can edit this policy to enable authentication methods for all users or specific groups. Up until now, Microsoft has looked at this policy first to see whether a user can register a certain form of MFA, such as Authenticator or SMS. If not, the registration process checks the legacy MFA policy to see if they can register a method based on these selections. Finally, if the user can’t register Microsoft Authenticator based on either of those policies, the registration process checks the legacy SSPR policy. Clunky, right? Well, now there is one policy to rule them all.
Ref: Manage authentication methods – Microsoft Entra ID | Microsoft Learn
Microsoft built a migration tool into the Authentication methods page so you can control the deployment.
When you go through the wizard, you can select which authentication methods you want to be available.
What will happen to end users if I do the migration?
In most cases, nothing. The only way this would impact end users is if they are using an existing method of MFA that you disable by moving to the new Authentication methods policy. For example, a user's only form of MFA is SMS and you disable that in the Authentication methods policy. The next time they sign in, they would have to register for another method that you do have enabled and scoped to them, such as Authenticator. You can check a user's primary method of authentication under Entra ID Admin Center > Authentication Methods > User Registration Details.
Are per-user MFA settings such as enabling and enforcing going away?
No. At this time, there are no changes to enforcing MFA through the per-user settings (Disabled, Enabled, Enforced).
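To find the users that example describes before you change the policy, the check below (an added example, not from Microsoft or the original article) takes an export of User Registration Details plus the set of methods you plan to leave enabled, and lists who would have to re-register. The record fields follow the Microsoft Graph userRegistrationDetails resource; the sample users, the choice of methods to keep and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of a userRegistrationDetails export
# (userPrincipalName, methodsRegistered). Users and values are made up.
SAMPLE_EXPORT = json.loads("""
[
  {"userPrincipalName": "alice@contoso.example", "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "bob@contoso.example",
   "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
  {"userPrincipalName": "carol@contoso.example",
   "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
  {"userPrincipalName": "dave@contoso.example", "methodsRegistered": []},
  {"userPrincipalName": "erin@contoso.example", "methodsRegistered": ["OfficePhone", "email"]}
]
""")


def migration_impact(records, enabled_methods):
    """Classify users by what happens when only enabled_methods stay available.

    enabled_methods uses the method names as they appear in the export
    (assumption: the admin maps policy selections to those names).
    """
    enabled = {m.lower() for m in enabled_methods}
    report = {"must_reregister": [], "loses_a_method": [],
              "unaffected": [], "not_registered": []}
    for rec in records:
        upn = rec.get("userPrincipalName", "<unknown>")
        # Compare case-insensitively; a missing or null list means nothing registered.
        registered = {m.lower() for m in rec.get("methodsRegistered") or []}
        if not registered:
            bucket = "not_registered"      # nothing to lose, registers on first prompt
        elif not registered & enabled:
            bucket = "must_reregister"     # every registered method is being disabled
        elif registered - enabled:
            bucket = "loses_a_method"      # keeps at least one usable method
        else:
            bucket = "unaffected"
        report[bucket].append(upn)
    return report


if __name__ == "__main__":
    keep = {"microsoftAuthenticatorPush", "softwareOneTimePasscode"}  # hypothetical selection
    for bucket, users in migration_impact(SAMPLE_EXPORT, keep).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Users in the `must_reregister` bucket are the ones to contact, or to scope a replacement method to, before completing the migration.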
Am I still going to be able to use settings like App passwords and Trusted IPs?
Yes. These will not go away, but it is recommended to move to Conditional Access.
What happens to security questions with SSPR?
Right now, security questions are not supported in the new Authentication methods policy, but you will still be able to manage and modify them in the legacy view for the time being. Microsoft says it is working on moving those over.