Update October 2024: Microsoft created a new migration wizard. Read about this new migration method before you start here:
Hello folks. In March 2023 Microsoft announced that they will deprecate the Per User MFA portal / Legacy MFA portal + Legacy SSPR (Self Service Password Reset) in September 2024. The deprecation date is now extended to 30 September 2025.
So, how do you start the migration? First of all, go to entra.microsoft.com and sign in with your global admin account. Go to Identity in the left menu --> Users --> press Per User MFA at the top.
You will be redirected to another page. There, press Service Settings.
Note which verification settings you have enabled here.
Now go to Protection --> Password Reset and Authentication methods in the left menu and note which methods are available to users here. Remember to look at Properties and note the scope of users.
Here is a table from Microsoft Learn which shows all SSPR-capable methods
Don't close these two portals. Go to entra.microsoft.com again and go to Protection --> Authentication methods in the left menu.
Match the authentication methods from the Legacy MFA portal and the SSPR portal in here. Don't forget to match the user scope. If you want to allow some methods for all users, feel free to do that. Be careful with disabling methods for all users: find out who is using these methods before you do that.
Now you can return to the Legacy MFA portal, deactivate all methods and press Save.
Done here
Now go to the SSPR portal and Authentication settings, deactivate all settings there too and press Save.
Go back to Authentication methods in Entra ID, press Manage Migration, choose Migration Complete and Save.
DONE!
Now, if you go back to Legacy MFA portal, you will see this message here
Same message will appear if you go back to SSPR portal and press Authentication Methods
Now you don't need to think about the deprecation date any more, and you can control all your authentication methods in one portal in Entra ID.
It's possible to roll back to the Legacy MFA portal and SSPR portal if you need that for some reason. You can do this before the deprecation date by switching the migration state back to Migration in Progress and enabling all methods in those two portals.
PS: It's of course not recommended to use Email OTP, Voice and SMS as authentication methods anymore. Enforce passkeys for better security on your user accounts. If your users can't use passkeys for sign-in, then you can set up Intune and require a compliant device policy in Conditional Access. Admin accounts should only use phishing-resistant methods like security keys. I will write more about best practices on admin accounts in another post later.
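To double-check the result of the matching step and the PS above outside the portal, the following added example (not part of the original post) audits an Authentication methods policy document: it prints the migration state and lists each method with its state and user scope, flagging enabled Email OTP, Voice and SMS for review. The sample policy is constructed, and the function name `Get-AuthMethodAudit` is hypothetical; the commented lines assume the Microsoft Graph PowerShell SDK with the `Policy.Read.All` scope.

```powershell
# Added example: audit an Authentication methods policy before/after migration.
# To audit a live tenant instead of the sample below (assumption: Microsoft
# Graph PowerShell SDK installed and Policy.Read.All consented):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#       -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

# Constructed sample in the shape Graph returns, so the script runs offline.
$sampleJson = @'
{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    { "id": "Fido2", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "all_users" } ] },
    { "id": "MicrosoftAuthenticator", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "all_users" } ] },
    { "id": "Sms", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "00000000-0000-0000-0000-000000000001" } ] },
    { "id": "Voice", "state": "disabled", "includeTargets": [] },
    { "id": "Email", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "all_users" } ] }
  ]
}
'@
$policy = $sampleJson | ConvertFrom-Json

function Get-AuthMethodAudit {
    param([Parameter(Mandatory)] $Policy)
    # Methods the post advises against: Email OTP, Voice and SMS.
    $weak = 'Sms', 'Voice', 'Email'
    foreach ($m in $Policy.authenticationMethodConfigurations) {
        # An empty includeTargets array means nobody is in scope.
        $scope = if ($m.includeTargets) { $m.includeTargets.id -join ', ' } else { '(none)' }
        [pscustomobject]@{
            Method = $m.id
            State  = $m.state
            Scope  = $scope
            Review = ($m.state -eq 'enabled' -and $weak -contains $m.id)
        }
    }
}

# After the last step of the post this should read migrationComplete.
"Migration state: $($policy.policyMigrationState)"
Get-AuthMethodAudit -Policy $policy | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the methods to phase out once you know who still depends on them; a scope of `all_users` means the method is allowed for everyone.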