Proactive migration of legacy MFA and SSPR policy settings to Authentication methods

Why to?

For now policy settings can be moved at your own pace but the procedure is completely reversible. While you specifically specify authentication methods for users and groups in the Authentication methods policy, you can continue to employ tenant-wide MFA and SSPR policies. When you’re ready to manage all authentication methods collectively in the Authentication methods policy, you finish the migration.

Legacy things to get rid of


See your existing MFA policies from

See what policy compares to what

Multifactor authentication policyAuthentication method policy
Call to phoneVoice calls
Text message to phoneSMS
Notification through mobile appMicrosoft Authenticator
Verification code from mobile app or hardware tokenThird party software OATH tokens
Hardware OATH tokens (not yet available)
Microsoft Authenticator

Self-service Password reset (SSPR)

Set Authentication methods from

And what methods are compared to what

SSPR authentication methodsAuthentication method policy
Mobile app notificationMicrosoft Authenticator
Mobile app codeMicrosoft Authenticator
Software OATH tokens
EmailEmail OTP
Mobile phoneVoice calls
Office phoneVoice calls
Security questionsNot yet available; copy questions for later use

What it should look like?

Under the old SSPR policies, disable the old methods, once you have matched them to the new ones.

Set Allow usage of Microsoft Authenticator OTP to Yes if Verification code from mobile app or hardware token is enabled in the traditional MFA policy.

Note! Number matching enforcement has started in the beginning of May

Manage migration

The legacy rules for self-service password reset and multifactor authentication will be phased out in January 2024, and you’ll control all authentication methods here in the authentication methods policy.

Still something missing?

You will see inside the Audit logs if you are missing something.

Complete migration

Once you are done, you will see this under Authentication methods.

Under the old MFA policies, you will see only grayed boxes as you cannot anymore revert back to them.

And inside the logs like this.


As we discovered in this post, number matching enforcement has been started globally and how easy it’s to migrate to Authentication Methods from those legacy policies.

Be prepared for them and educate, educate, test and enable!

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *