ID-06: Complete Authentication Methods Policy Migration

Overview

This guide walks you through completing the migration from the legacy per-user MFA and legacy Self-Service Password Reset (SSPR) method settings to the unified Authentication methods policy in Microsoft Entra ID, and setting the migration state to Migration complete. Once migrated, every authentication method (passkeys/FIDO2, Microsoft Authenticator, SMS, voice, OATH tokens, email OTP, Temporary Access Pass) is governed from one central policy instead of being split across legacy blades.

Control ID: ID-06
Category: Identity & Authentication
Baseline Level: Level 1 (Recommended Secure)
Severity: High
License Required: None (works with Microsoft Entra ID Free and all Microsoft 365 plans)

Why This Matters

Legacy per-user MFA and legacy SSPR each keep their own method settings, so there is no single place to see or enforce which methods a user may register, and modern methods such as passkeys cannot be governed from the legacy pages at all. Migrating to the unified Authentication methods policy gives one control point for passkeys, FIDO2 and every other MFA and SSPR method.

Microsoft is retiring legacy MFA and SSPR method management. Until you migrate, method controls live in two or three separate places, modern methods such as passkeys cannot be targeted cleanly, and reporting is fragmented. Until the state is Migration complete the legacy settings are still honoured, so a weak method you disabled in the unified policy remains usable if it is still enabled on a legacy page. Completing the migration is therefore the foundation that later identity controls (passkey adoption, phishing-resistant MFA) build on.

Expected State

  • Authentication methods policy migration state is "migrationComplete"
  • Legacy per-user MFA settings are no longer active
  • All authentication methods are managed via unified policy

Prerequisites

Requirement         Details
Role required       Authentication Policy Administrator or Global Administrator
License required    None
Access              Microsoft Entra admin center (entra.microsoft.com)

Before You Start

  1. Inventory legacy settings. Note which methods are enabled today in the legacy MFA service settings and in the legacy SSPR authentication methods page.
  2. Plan the target policy. Decide which methods you want enabled tenant-wide (recommended: enable strong methods like passkey/FIDO2 and Microsoft Authenticator, and disable or scope down SMS and voice).
  3. Treat this as a one-way change. Reproduce your legacy configuration in the unified policy before you set the migration state to Migration complete.

Time Estimate

Task                                                  Duration
Review current migration state and legacy settings    15 minutes
Reconfigure methods in the unified policy             20-30 minutes
Move to "Migration in progress" and validate          Validation window (days, at your pace)
Set state to "Migration complete"                     5 minutes
Total active work                                     ~45 minutes plus a validation window

TrueConfig Remediation

This is a manual control. TrueConfig detects and reports your migration state (for example, that it is still preMigration or migrationInProgress rather than migrationComplete), but the migration itself is completed by an administrator in the Entra admin center at Protection > Authentication methods > Policies. Use the walkthrough below to finish it.


Step-by-Step Instructions

Step 1: Check the Current Migration State

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Protection > Authentication methods > Policies.
  3. At the top of the page, find Manage migration. The state is one of:
    • Pre-migration (legacy MFA and SSPR settings are still honoured; the unified policy applies to sign-in only, not to SSPR)
    • Migration in progress (the unified policy now also governs SSPR, but the legacy settings are still honoured alongside it, so a method enabled in either place remains usable)
    • Migration complete (target state: only the unified policy is honoured and the legacy settings are ignored)

Step 2: Reproduce Legacy Method Configuration in the Unified Policy

Before completing migration, make sure the unified policy reflects (and improves on) what your legacy settings did.

  1. Review the legacy method settings:
    • Legacy MFA: Users > Per-user MFA > service settings
    • Legacy SSPR: Protection > Password reset > Authentication methods
  2. In Authentication methods > Policies, enable and target the methods you want. Recommended:
     Method                              Recommendation
     Passkey (FIDO2)                     Enable, target all users
     Microsoft Authenticator             Enable, target all users (passwordless / push)
     SMS                                 Disable or restrict to a scoped group
     Voice call                          Disable
     Temporary Access Pass               Enable for onboarding and key registration
     Software / hardware OATH tokens     Enable only if needed
  3. Save each method policy.

Step 3: Move to Migration in Progress

  1. In Manage migration, set the state to Migration in progress.
  2. In this state the unified policy governs both sign-in and SSPR, but the legacy settings are still honoured alongside it. A method you disabled in the unified policy therefore stays usable while it is still enabled on a legacy page; if you want SMS or voice gone before completion, disable them on the legacy pages too, and keep those pages open for comparison.
  3. Validate over a short period:
    • Users can register and use their expected methods
    • MFA prompts behave as intended
    • SSPR still works for enabled methods

Step 4: Set Migration to Complete

  1. Once validated, return to Manage migration.
  2. Set the state to Migration complete.
  3. From this point the legacy per-user MFA and legacy SSPR method settings no longer control behavior; the unified policy is the single source of truth.

Step 5: Confirm Legacy Settings Are Inactive

  1. Revisit the legacy per-user MFA service settings. They should no longer drive method availability.
  2. Confirm the unified policy in Authentication methods > Policies reflects your intended configuration.

Verification Checklist

  • Migration state shows Migration complete
  • All intended methods are enabled and targeted in the unified Authentication methods policy
  • Strong methods (passkey/FIDO2, Microsoft Authenticator) are enabled
  • Weak methods (SMS, voice) are disabled or tightly scoped
  • Legacy per-user MFA service settings no longer control method availability
  • Users can still register and use MFA and SSPR after migration
  • A Temporary Access Pass path exists for onboarding and key registration
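The read, check and set sequence from Steps 1 to 5 and the checklist above, as an added example that is not code from this page or from TrueConfig. It works on the JSON that Microsoft Graph v1.0 returns for GET /policies/authenticationMethodsPolicy (policyMigrationState plus one entry per method, with ids such as Fido2, MicrosoftAuthenticator, Sms, Voice and TemporaryAccessPass, and the all_users include target). The STRONG, WEAK and ONBOARDING groupings mirror the recommendations table and are this example's choices, and SAMPLE_POLICY is a constructed document rather than a real tenant's response. The live helpers assume a bearer token with Policy.ReadWrite.AuthenticationMethod and are not called in the offline run.

```python
"""Check a Microsoft Entra authentication methods policy against the ID-06 checklist.
Operates on the JSON that GET /policies/authenticationMethodsPolicy (Graph v1.0) returns."""
import copy
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
TARGET_STATE = "migrationComplete"
STRONG = {"Fido2", "MicrosoftAuthenticator"}  # must be enabled with an include target
ONBOARDING = {"TemporaryAccessPass"}          # needed to bootstrap passkey registration
WEAK = {"Sms", "Voice"}                       # disabled, or scoped to a group other than all_users

# Constructed sample (not captured from a real tenant) in the shape Graph returns:
# still migrationInProgress, strong methods on, but SMS left enabled for all users.
SAMPLE_POLICY = json.loads("""
{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled", "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled", "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled", "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Voice", "state": "disabled", "includeTargets": []},
    {"id": "TemporaryAccessPass", "state": "enabled", "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "SoftwareOath", "state": "disabled", "includeTargets": []}
  ]
}
""")

def fetch_policy(access_token):
    """Live GET of the tenant policy (token needs Policy.Read.All or Policy.ReadWrite.AuthenticationMethod)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def patch_policy(access_token, body):
    """Live PATCH, e.g. with completion_patch() output (token needs Policy.ReadWrite.AuthenticationMethod)."""
    req = urllib.request.Request(
        GRAPH_URL, method="PATCH", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Graph answers 204 No Content on success

def method_index(policy):
    return {m["id"]: m for m in policy.get("authenticationMethodConfigurations", [])}

def is_all_users(method):
    return any(t.get("id") == "all_users" for t in method.get("includeTargets", []))

def method_findings(policy):
    """One (method id, passed, remediation) tuple per method the checklist cares about."""
    methods = method_index(policy)
    findings = []
    for mid in sorted(STRONG | ONBOARDING):
        m = methods.get(mid, {})
        ok = m.get("state") == "enabled" and bool(m.get("includeTargets"))
        findings.append((mid, ok, "enable it and add an include target"))
    for mid in sorted(WEAK):
        m = methods.get(mid, {})
        open_to_all = m.get("state") == "enabled" and is_all_users(m)
        findings.append((mid, not open_to_all, "disable it or replace all_users with a scoped group"))
    return findings

def ready_to_complete(policy):
    return all(ok for _, ok, _ in method_findings(policy))

def completion_patch(policy):
    """PATCH body that sets migrationComplete; None if a method check fails or the state is already complete."""
    if policy.get("policyMigrationState") == TARGET_STATE or not ready_to_complete(policy):
        return None
    return {"policyMigrationState": TARGET_STATE}

def with_method(policy, mid, **changes):
    """What-if copy of the policy with one method's fields overwritten (e.g. state="disabled")."""
    clone = copy.deepcopy(policy)
    for m in clone.get("authenticationMethodConfigurations", []):
        if m["id"] == mid:
            m.update(changes)
    return clone

def report(policy):
    state = policy.get("policyMigrationState")
    lines = [f"policyMigrationState: {state} (target: {TARGET_STATE})"]
    if state != TARGET_STATE:
        lines.append("  note: legacy MFA/SSPR method settings are still honoured until migrationComplete")
    for mid, ok, fix in method_findings(policy):
        lines.append(f"  [{'PASS' if ok else 'FAIL'}] {mid}" + ("" if ok else f": {fix}"))
    lines.append(f"  completion PATCH body: {completion_patch(policy)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_POLICY))
    print(report(with_method(SAMPLE_POLICY, "Sms", state="disabled")))
```

Against a real tenant, pass `fetch_policy(token)` to `report()` and, only when it prints a PATCH body, send that body with `patch_policy()`; the body is deliberately withheld while any method check fails, which is the scripted form of "reproduce before completing". The what-if helper lets you confirm that a planned change (disabling SMS, or scoping it to a group id instead of all_users) clears the checks before you touch the live policy.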

Troubleshooting

"The migration state control is greyed out"

You need Authentication Policy Administrator or Global Administrator. Confirm your role, then reopen Manage migration.

"Users lost a method after I completed migration"

A method that was available under legacy settings was not enabled or targeted in the unified policy. Enable and target it in Authentication methods > Policies. This is why Step 2 (reproduce before completing) matters.

"SSPR stopped working for some users"

SSPR now honors the unified methods policy. Ensure the methods your SSPR flow relied on (for example, mobile phone or email) are still enabled and targeted, or move users to stronger methods.

"Can I roll back after completing?"

You can move back to Migration in progress if needed, but treat completion as final and validate thoroughly during the in-progress window first. Legacy MFA and SSPR method experiences are being retired by Microsoft, so plan to stay migrated.

"We still see the old per-user MFA 'enabled/enforced' states"

Per-user MFA enablement state is separate from method management. The recommended end state is MFA enforced through Conditional Access (see CA-01 and CA-02) rather than per-user MFA. Completing this migration governs the methods; Conditional Access governs when MFA is required.


Cost Considerations

Component          Cost impact
License            None. The Authentication methods policy is available on all tiers, including Entra ID Free.
Operational        One-time configuration and a short validation window. No recurring cost.
Downstream value   Unlocks clean central management and reporting for modern methods, which later controls (ID-07 passkeys, ID-04 phishing-resistant MFA) depend on.

Related Controls

Additional Resources