Migrate to the new MFA authentication policies

Microsoft is moving from the legacy MFA (multi-factor authentication) and SSPR (self-service password reset) settings to a single Authentication methods policy, and has improved nearly all of the MFA and SSPR options along the way. The migration is mandatory: you have until later this month to move your tenants voluntarily, or Microsoft will do it for you. Don't let your clients be surprised; get ahead of this change. Microsoft has even built a migration procedure for you.

What does this mean for the end user?

It means less confusion about which methods they register for password reset and which they use for MFA, because a single set of methods now serves both. It also means more modern, more secure MFA methods. All of the methods have been updated, and users will notice that the MFA prompt looks different.

modern MFA prompt

Migrate from settings to policies and adopt the new improved authentication methods

What follows are the policy settings and options that I have chosen. Whether you use my choices or follow your own path, the steps are the same.

Update the SSPR settings

Step 1: Go to the Azure AD portal (now the Microsoft Entra admin center) and click Password reset, then Properties. Make sure that self-service password reset is enabled for All.

self service password reset settings

In the same area, go to Authentication methods. Uncheck every method except the one shown below.

old authentication settings

Remove old MFA settings

Step 2: Go back to the Azure AD portal, and this time navigate to Security.

  • Click Multi-factor authentication, then in the main pane, under Configure, click Additional cloud-based multifactor authentication settings. These are the legacy MFA service settings, and you want every verification option here off. The portal will not let you clear the last one, so leave Notification through mobile app checked for now; once the migration is complete you will come back and clear that final box.
old MFA settings

Assign new policies

Step 3: Go back to the Security section. This time click on Authentication Methods.

Assign the policy for each authentication method to the groups that need it, and be sure to review the Configure tab for each method as well. Note that a method enabled here serves both password reset and sign-in (MFA); before, each had its own separate settings, and now they are combined.

Microsoft Authenticator settings

NEW MFA policy

On the configuration tab

MFA policy configuration

SMS Preview settings

NEW SMS policy

Temporary Access Pass settings

NEW Temporary access pass

On the configuration tab.

configuration for temporary access pass

Email OTP Preview settings

Email policy

On the configuration tab.

configuration for email OTP

Review the new policy

Once you have completed creating your authentication policy, it will look similar to the figure below.

complete MFA policy

Move the migration forward

At the top of the screen, click Manage migration and set the state to Migration in progress. This is essentially a test phase: both the new Authentication methods policy and your legacy MFA and SSPR settings, if any, are still respected, so nothing breaks while you verify that users can still complete MFA and password reset. Microsoft is scheduled to complete this migration by the end of February. At that time you can move the state forward to Migration complete, after which only the Authentication methods policy is honoured; any method you did not enable in the new policy stops working for users at that point, so check the policy before you do.

migration status

Finally, go back to the legacy MFA settings from step 2 and verify that the last checkbox (Notification through mobile app) is now unchecked.
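The same review and state change can be done from PowerShell, which is handy when you manage many client tenants. The script below is an added example and is not from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and the documented authenticationMethodsPolicy endpoint, but the readiness check, the list of required methods and the function names are my own assumptions about what is worth verifying before you set Migration complete.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK and an account that can consent to the scope below.
# Cmdlet and endpoint names are Microsoft's; the readiness check, the
# required-method list and the function names are my own assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

function Get-AuthMethodSummary {
    # Read the tenant's Authentication methods policy (returned as a hashtable)
    # and flatten each method to: id, state, who it is assigned to, who is excluded.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    $methods = foreach ($m in $policy.authenticationMethodConfigurations) {
        [pscustomobject]@{
            Method   = $m.id      # e.g. MicrosoftAuthenticator, Sms, Email, TemporaryAccessPass
            State    = $m.state   # enabled | disabled
            Included = ($m.includeTargets | ForEach-Object { "$($_.targetType)=$($_.id)" }) -join ', '
            Excluded = ($m.excludeTargets | ForEach-Object { "$($_.targetType)=$($_.id)" }) -join ', '
        }
    }
    [pscustomobject]@{
        MigrationState = $policy.policyMigrationState   # preMigration | migrationInProgress | migrationComplete
        Methods        = $methods
    }
}

function Test-AuthMethodMigrationReady {
    # Refuse to advance unless the methods this post enables are switched on and
    # assigned to at least one target; otherwise users lose those methods the
    # moment the legacy settings stop being honoured. $Required is my assumption.
    param([string[]]$Required = @('MicrosoftAuthenticator', 'Sms', 'Email', 'TemporaryAccessPass'))
    $summary  = Get-AuthMethodSummary
    $problems = foreach ($name in $Required) {
        $m = $summary.Methods | Where-Object Method -eq $name
        if (-not $m)                    { "$name is missing from the policy" }
        elseif ($m.State -ne 'enabled') { "$name is $($m.State)" }
        elseif (-not $m.Included)       { "$name is enabled but assigned to nobody" }
    }
    [pscustomobject]@{
        Ready          = (-not $problems)
        MigrationState = $summary.MigrationState
        Problems       = @($problems)
    }
}

function Set-AuthMethodMigrationState {
    # Move the tenant to migrationInProgress or migrationComplete. The readiness
    # check gates migrationComplete only; it cannot see the legacy MFA service
    # settings from step 2, so clear that last checkbox in the portal yourself.
    param([ValidateSet('migrationInProgress', 'migrationComplete')][string]$State)
    if ($State -eq 'migrationComplete') {
        $check = Test-AuthMethodMigrationReady
        if (-not $check.Ready) {
            throw "Not ready for migrationComplete:`n$($check.Problems -join "`n")"
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{ policyMigrationState = $State }
}

# Usage: review the policy first, then advance the state.
(Get-AuthMethodSummary).Methods | Format-Table -AutoSize
Test-AuthMethodMigrationReady
# Set-AuthMethodMigrationState -State migrationInProgress
# Set-AuthMethodMigrationState -State migrationComplete
```

Run the two review calls against each tenant and keep the output with the change record; the PATCH lines are commented out so nothing changes until you have read the summary and the readiness result.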

Read more about Azure AD in our blog.

All we do is support IT professionals. Microsoft 365 technical assistance, Newsletter, Security community, MSP Legislation community, Intune, Defender and Lighthouse community, Peer groups, Kits, papers, Business consulting and more. https://www.thirdtier.net
