For now, policy settings can be moved at your own pace, and the procedure is completely reversible. While you specify authentication methods for users and groups in the Authentication methods policy, you can continue to use the tenant-wide MFA and SSPR policies. When you are ready to manage all authentication methods in one place, in the Authentication methods policy, you finish the migration.
Legacy things to get rid of
See your existing MFA policies at https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx
See which legacy policy setting maps to which authentication method:
| Multifactor authentication policy | Authentication method policy |
|---|---|
| Call to phone | Voice calls |
| Text message to phone | SMS |
| Notification through mobile app | Microsoft Authenticator |
| Verification code from mobile app or hardware token | Third party software OATH tokens; Hardware OATH tokens (not yet available) |
Self-service Password reset (SSPR)
Set Authentication methods at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods
And which SSPR methods map to which authentication method:
| SSPR authentication methods | Authentication method policy |
|---|---|
| Mobile app notification | Microsoft Authenticator |
| Mobile app code | Microsoft Authenticator; Software OATH tokens |
| Mobile phone | Voice calls |
| Office phone | Voice calls |
| Security questions | Not yet available; copy questions for later use |
What should it look like?
Under the old SSPR policies, disable the old methods once you have matched each of them to a new one.
Set "Allow usage of Microsoft Authenticator OTP" to Yes if "Verification code from mobile app or hardware token" is enabled in the traditional MFA policy.
Note! Number matching enforcement started at the beginning of May.
The legacy rules for self-service password reset and multifactor authentication will be phased out in January 2024, and you’ll control all authentication methods here in the authentication methods policy.
Still something missing?
The Audit logs will show you if something is still missing.
Once you are done, you will see this under Authentication methods.
Under the old MFA policies you will see only grayed-out boxes, because you can no longer revert to them.
And inside the logs like this.
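As an added example (not from the original post), a read-only PowerShell script using the Microsoft Graph PowerShell SDK to check where a tenant stands before and after the migration: it prints the policy migration state and the state of each method, mapped to the legacy names from the tables above. It assumes the Microsoft.Graph module is installed; the exact output shape (the Authenticator OTP flag living in AdditionalProperties) is an assumption about the SDK.

```powershell
# Read-only check of the Authentication methods policy during the legacy MFA/SSPR migration.
# Requires the Microsoft.Graph PowerShell SDK; Policy.Read.All is enough to read the policy.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policy = Get-MgPolicyAuthenticationMethodPolicy

# Constructed mapping of the legacy names (from the tables above) to the
# authentication method configuration ids used by the new policy.
$LegacyMap = [ordered]@{
    "Call to phone / Mobile phone / Office phone (Voice calls)" = "Voice"
    "Text message to phone (SMS)"                               = "Sms"
    "Mobile app notification / code (Microsoft Authenticator)"  = "MicrosoftAuthenticator"
    "Verification code from mobile app (Software OATH tokens)"  = "SoftwareOath"
}

# preMigration / migrationInProgress / migrationComplete
Write-Host "Policy migration state: $($policy.PolicyMigrationState)"

foreach ($entry in $LegacyMap.GetEnumerator()) {
    $cfg   = $policy.AuthenticationMethodConfigurations | Where-Object { $_.Id -eq $entry.Value }
    $state = if ($cfg) { $cfg.State } else { "not present" }
    Write-Host ("{0,-60} -> {1,-22} {2}" -f $entry.Key, $entry.Value, $state)
}

# "Allow usage of Microsoft Authenticator OTP" is exposed in Graph as isSoftwareOathEnabled
# on the MicrosoftAuthenticator configuration (assumed to surface via AdditionalProperties).
$auth = $policy.AuthenticationMethodConfigurations | Where-Object { $_.Id -eq "MicrosoftAuthenticator" }
if ($auth) {
    $otp = $auth.AdditionalProperties["isSoftwareOathEnabled"]
    Write-Host "Microsoft Authenticator OTP (isSoftwareOathEnabled): $otp"
}

# Security questions have no counterpart in the new policy yet; copy them before disabling SSPR methods.
Write-Host "Reminder: security questions are not yet available in the Authentication methods policy."
```

Run it before you disable the legacy methods and again after you finish the migration; the migration state should read migrationComplete and every mapped method you rely on should be enabled.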
As we saw in this post, number matching enforcement has started globally, and migrating from the legacy policies to the Authentication methods policy is straightforward.
Be prepared for both: educate, educate, test, and enable!