Microsoft is retiring the legacy Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in Microsoft Entra ID (formerly Azure Active Directory) on September 30th, 2025. After this date, all authentication method management must be handled through the unified Authentication Methods policy in the new Entra portal. 

What’s Changing? 

Key changes include:

• Legacy MFA and SSPR policies will no longer be supported. 

• All authentication methods, including passwordless, FIDO2, Temporary Access Pass, and Microsoft Authenticator, must be managed centrally in the new Authentication Methods policy. 

• The migration process can be completed manually or via an automated wizard in the Entra admin centre. 

What Happens If You Don’t Migrate (or Miss an MFA Method)? 

If you do not migrate your authentication methods to the new Entra portal by the September 30th deadline, any Multi-Factor Authentication (MFA) method not explicitly included in the new Authentication Methods policy will no longer be available to your users. This means:

• Users will lose access to excluded methods: If a user previously relied on a method (such as SMS, voice call, or a specific authenticator app) that is not enabled in the new policy, they will not be able to use it for sign-in or verification after the deadline.

• Your admin accounts could be locked out: If the MFA method you use for your Global Admin or break glass accounts are not enabled in the Authentication Methods portal, those accounts will be inaccessible.

• Potential lockouts: Users who have not registered an alternative, approved method may be unable to complete MFA challenges, resulting in lockout.

• No fallback to legacy settings: The legacy MFA and SSPR policies will be fully retired. There is no automatic fallback, only the methods configured in the new Authentication Methods policy will be enforced. 

Action Required: Review your Authentication Methods policy in the Entra portal and ensure all required MFA options are enabled and assigned to the appropriate users or groups.  

How to Migrate Your Entra Authentication Methods

1. Log in to the Microsoft Entra admin center. 

2. Navigate to: Entra ID → Authentication Methods → Policies. 

3. Use the automated migration guide or follow the manual steps to consolidate your settings.

4. Review and update your authentication methods, prioritizing modern, secure options.

Is there a rollback if I make a mistake? 

If you get locked out you will have to raise a ticket with Microsoft, however if your tenant has a GDAP partner relationship with a Microsoft partner such as Enterprise Solutions we can change the authentication methods for you.

Don’t wait until the last minute.
Start your migration today to ensure a seamless transition and maintain a strong security posture. 

If you have any questions or need further assistance, please don’t hesitate to reach out to us at asktheexpert@enterprise-solutions.ie. Our team of Microsoft experts is ready and eager to help you with any challenges your organisation may be facing.

Reference:

https://learn.microsoft.com/en-gb/entra/identity/authentication/how-to-authentication-methods-manage