How to migrate legacy authentication policy settings


Some of you have already seen the message in the authentication methods menu: “On September 30th, 2025, the legacy multifactor authentication and self-service password reset policies will be deprecated and you’ll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.”
Others have received an email from Microsoft:

But what do admins have to do?

This blog post provides a detailed guide on how to migrate the Microsoft Entra ID legacy policy settings that separately control per-user multifactor authentication (MFA) and self-service password reset (SSPR) to the Authentication methods policy.

Start the migration

The first step of the migration process involves auditing your existing policy settings. Navigate to the legacy MFA and SSPR policies, and note which method is configured and for which users (SSPR).

NOTE: Security questions still have to be managed through SSPR after the migration. This feature will be available soon in the authentication methods.

During the migration process, you can already change the migration state under the authentication methods.

There you can change it to “Migration In Progress”. With this option, the new policy will apply to both sign-in and password reset scenarios for your users.

After the review, you need to update the Authentication methods policy to match your audit, considering each method one-by-one. The authentication methods let you target each method to all users or specific groups. In my case, almost all methods were already configured. With this migration, I had the opportunity to clean up some authentication methods my users shouldn’t use any more or add new users to different methods.

After updating the Authentication methods policy, you need to go through the legacy MFA and SSPR policies and remove each authentication method one-by-one, testing and validating the changes for each method. If you have removed every method, you will get a warning like the one in the screenshot.

Completing the migration

Once you determine that MFA and SSPR work as expected, and you no longer need the legacy MFA and SSPR policies, you can change the migration state to Migration Complete.

In this mode, Microsoft Entra only follows the Authentication methods policy. If you need to go back to the legacy policies for some reason, you can move the migration state back to Migration in Progress at any time.
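A pre-flight check for the switch to Migration Complete, as an added example that is not from the original post or from Microsoft: it compares an audit of the legacy policies with the Authentication methods policy as Microsoft Graph returns it (`GET /policies/authenticationMethodsPolicy`) and lists the methods users would lose. The policy JSON, the audit list and the `SecurityQuestions` label are constructed for illustration.

```python
import json

# Constructed sample, shaped like the Microsoft Graph response to
# GET /policies/authenticationMethodsPolicy (only the fields used here).
SAMPLE_POLICY = json.loads("""
{"policyMigrationState": "migrationInProgress",
 "authenticationMethodConfigurations": [
  {"id": "MicrosoftAuthenticator", "state": "enabled",
   "includeTargets": [{"targetType": "group", "id": "all_users"}]},
  {"id": "Sms", "state": "disabled",
   "includeTargets": [{"targetType": "group", "id": "all_users"}]},
  {"id": "Email", "state": "enabled", "includeTargets": []}]}
""")

# Constructed audit of the legacy policies, written with the method ids of
# the Authentication methods policy. "SecurityQuestions" is a hypothetical
# label for this example, not a Graph id.
LEGACY_AUDIT = {
    "mfa": ["MicrosoftAuthenticator", "Sms"],
    "sspr": ["MicrosoftAuthenticator", "Email", "SecurityQuestions"],
}
STAYS_IN_SSPR = {"SecurityQuestions"}  # per the note above: still managed in SSPR


def migration_gaps(policy, audit):
    """List (legacy_policy, method, reason) for audited methods users would lose."""
    configs = {c["id"].lower(): c
               for c in policy.get("authenticationMethodConfigurations", [])}
    gaps = []
    for legacy_policy in sorted(audit):
        for method in audit[legacy_policy]:
            cfg = configs.get(method.lower())
            if method in STAYS_IN_SSPR:
                continue
            if cfg is None:
                gaps.append((legacy_policy, method, "missing from policy"))
            elif cfg.get("state") != "enabled":
                gaps.append((legacy_policy, method, "disabled"))
            elif not cfg.get("includeTargets"):
                gaps.append((legacy_policy, method, "no target users or groups"))
    return gaps


def ready_for_complete(policy, audit):
    """True only when the state is migrationInProgress and no gap remains."""
    in_progress = policy.get("policyMigrationState") == "migrationInProgress"
    return in_progress and not migration_gaps(policy, audit)
```

With the constructed sample, the check reports SMS (disabled) and Email (no targets) as gaps, so the tenant is not ready for Migration Complete.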

Source: How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID

