Proactive migration of legacy MFA and SSPR policy settings to Authentication methods

Why migrate?

For now, policy settings can be moved at your own pace, and the procedure is completely reversible. While you explicitly specify authentication methods for users and groups in the Authentication methods policy, you can continue to use the tenant-wide legacy MFA and SSPR policies. When you're ready to manage all authentication methods together in the Authentication methods policy, you complete the migration.

Legacy things to get rid of

MFA

Review your existing MFA policy settings at https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx

How each legacy MFA setting maps to the new policy:

Multifactor authentication policy                    | Authentication method policy
Call to phone                                        | Voice calls
Text message to phone                                | SMS
Notification through mobile app                      | Microsoft Authenticator
Verification code from mobile app or hardware token  | Third party software OATH tokens
                                                     | Hardware OATH tokens (not yet available)
                                                     | Microsoft Authenticator

Self-service Password reset (SSPR)

Review the SSPR authentication methods at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods

How each SSPR method maps to the new policy:

SSPR authentication methods  | Authentication method policy
Mobile app notification      | Microsoft Authenticator
Mobile app code              | Microsoft Authenticator
                             | Software OATH tokens
Email                        | Email OTP
Mobile phone                 | Voice calls
                             | SMS
Office phone                 | Voice calls
Security questions           | Not yet available; copy the questions for later use

What should it look like?

Under the old SSPR policy, disable each legacy method once you have enabled its counterpart in the Authentication methods policy.

Set "Allow usage of Microsoft Authenticator OTP" to Yes if "Verification code from mobile app or hardware token" is enabled in the legacy MFA policy.

Note! Number matching enforcement started at the beginning of May.

Manage migration

The legacy self-service password reset and multifactor authentication policies will be phased out in January 2024, after which you'll control all authentication methods here, in the Authentication methods policy.

Still something missing?

The Audit logs will show you if anything is still missing.
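As an added example (not the post's own code), the check below applies the two mapping tables above to a policy shaped like the JSON Graph returns for the Authentication methods policy, and lists every legacy method still in use whose counterpart is not yet enabled. The policy sample is constructed, the configuration ids are assumed, and the legacy MFA/SSPR settings are typed in by hand because the legacy portals expose no API.

```python
# Added example (not the post's own code): applies the two mapping tables above to a policy
# shaped like GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy. The
# sample is constructed, ids are assumed, and legacy settings are typed in (no API exists).
LEGACY_MFA_MAP = {  # legacy MFA policy option -> new method configuration ids
    "Call to phone": ["Voice"],
    "Text message to phone": ["Sms"],
    "Notification through mobile app": ["MicrosoftAuthenticator"],
    "Verification code from mobile app or hardware token":
        ["SoftwareOath", "HardwareOath", "MicrosoftAuthenticator"],
}
LEGACY_SSPR_MAP = {  # legacy SSPR method -> new method configuration ids
    "Mobile app notification": ["MicrosoftAuthenticator"],
    "Mobile app code": ["MicrosoftAuthenticator", "SoftwareOath"],
    "Email": ["Email"],
    "Mobile phone": ["Voice", "Sms"],
    "Office phone": ["Voice"],
    "Security questions": [],  # nothing to map yet: copy the questions for later use
}
SAMPLE_POLICY = {  # constructed sample in the Graph response shape
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Sms", "state": "enabled"},
        {"id": "Voice", "state": "disabled"},
        {"id": "Email", "state": "enabled"},
        {"id": "SoftwareOath", "state": "disabled"},
        {"id": "HardwareOath", "state": "disabled"},
    ],
}
LEGACY_MFA_ENABLED = ["Call to phone", "Notification through mobile app",
                      "Verification code from mobile app or hardware token"]
LEGACY_SSPR_ENABLED = ["Mobile app notification", "Email", "Mobile phone", "Security questions"]

def enabled_methods(policy):
    """Ids of the method configurations whose state is 'enabled' in the new policy."""
    return {c["id"] for c in policy.get("authenticationMethodConfigurations", [])
            if c.get("state") == "enabled"}

def migration_gaps(policy, legacy_enabled, mapping):
    """Legacy options still in use -> their counterparts not yet enabled in the new policy."""
    enabled = enabled_methods(policy)
    gaps = {}
    for option in legacy_enabled:  # an unmapped legacy option is always reported
        missing = [t for t in (mapping[option] or ["<no equivalent yet>"]) if t not in enabled]
        if missing:
            gaps[option] = missing
    return gaps

def ready_to_complete(policy, legacy_mfa, legacy_sspr):
    """True only when finishing the migration would not silently drop a legacy method."""
    return not (migration_gaps(policy, legacy_mfa, LEGACY_MFA_MAP)
                or migration_gaps(policy, legacy_sspr, LEGACY_SSPR_MAP))
```

Run it against the real policy JSON and your own list of enabled legacy methods before flipping the migration to complete; a non-empty result is the same gap the Audit logs would later show.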

Complete migration

Once you are done, you will see this under Authentication methods.

Under the old MFA policy, you will see only grayed-out boxes, as you can no longer revert to it.

And the logs will look like this.

Closure

As we saw in this post, number matching enforcement has started globally, and migrating from the legacy policies to the Authentication methods policy is easy.

Be prepared for both, and educate, educate, test and enable!

Author: Harri Jaakkonen
