Prepare Migration for Upcoming MFA Server Deprecation - Migrate from legacy MFA Server to Azure AD MFA

Want to combine your multifactor authentication (MFA) and self-service password reset (SSPR) policies into one neat package on Azure Active Directory (Azure AD)? Well, you're in luck because the Authentication methods policy can make that happen for you!

And the best part? You're in control of the whole migration process. You can migrate the policy settings whenever you want, and you can always switch back if you change your mind. Plus, while you migrate, you can still use your tenant-wide MFA and SSPR policies.

Once you're ready to take the plunge, you can configure authentication methods precisely for your users and groups in the Authentication methods policy. And voila, all your authentication methods are managed in one place!

Things to be checked before we start

To start, review your current policy configuration for every authentication method available to users. In case you need to roll back the migration, it helps to have the authentication method settings documented from each of these policies: the MFA policy, the SSPR policy (if used), and the Authentication methods policy (if used).

However, if you are not employing SSPR or have not yet implemented the Authentication methods policy, you will only require the settings from the MFA policy.

Assessing the former MFA policy

To begin, record the methods available in the legacy MFA policy. Sign in to the Azure portal with Global Administrator privileges and navigate to Azure Active Directory > Users > All users > Per-user MFA > service settings to view the configuration. Since these settings apply to the entire tenant, no per-user or per-group data is required.



For each method, you will have to record if it is enabled for the tenant or not.

Assessing the former SSPR policy

To access the authentication methods offered by the outdated SSPR policy, navigate to Azure Active Directory > Users > Password reset > Authentication methods.




Make a note of the users who are eligible for SSPR, indicating whether it applies to all users, a particular group, or none at all. Additionally, document the authentication methods they have access to, taking into account that security questions cannot be managed within the Authentication methods policy at the moment, but should be noted for future reference.

Start the Migration

Once you have obtained the authentication methods that are available in the policies you are currently using, you may commence with the migration process. To begin, access the Authentication methods policy, then choose the option for managing the migration and select "Migration in progress".



The next step is to configure each method in the Authentication methods policy so that it matches the legacy policies.

Finish the migration

Once every legacy MFA method is matched in Azure AD MFA, remove the authentication methods from the legacy MFA policy one by one and save. The portal might not let you remove the last authentication method; in that case refresh the page, untick it and save again, and it should be good to go. Now you can choose "Finish Migration".
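The matching step can be checked against the inventory recorded earlier before any legacy method is removed. The script below is an added example, not part of the original post: it flags legacy methods that have no enabled counterpart in the Authentication methods policy. The legacy method labels, the mapping, the JSON field names (modelled on the Microsoft Graph `authenticationMethodsPolicy` resource) and the sample data are assumptions; a legacy method counts as covered when at least one mapped method is enabled.

```python
# Added example: method names, mapping and sample data are assumptions, not from the post.
# (legacy policy, legacy method) -> Authentication methods policy ids that cover it.
LEGACY_TO_POLICY = {
    ("MFA", "Call to phone"): {"Voice"},
    ("MFA", "Text message to phone"): {"Sms"},
    ("MFA", "Notification through mobile app"): {"MicrosoftAuthenticator"},
    ("MFA", "Verification code from mobile app or hardware token"):
        {"MicrosoftAuthenticator", "SoftwareOath", "HardwareOath"},
    ("SSPR", "Mobile app notification"): {"MicrosoftAuthenticator"},
    ("SSPR", "Mobile app code"): {"MicrosoftAuthenticator", "SoftwareOath"},
    ("SSPR", "Email"): {"Email"},
    ("SSPR", "Mobile phone"): {"Voice", "Sms"},
    ("SSPR", "Office phone"): {"Voice"},
    ("SSPR", "Security questions"): set(),  # not manageable in the new policy yet
}

def migration_gaps(legacy_enabled, policy):
    """Return (policy, method, status) for each legacy method without an enabled match."""
    enabled = {c["id"] for c in policy.get("authenticationMethodConfigurations", [])
               if c.get("state") == "enabled"}
    gaps = []
    for key in legacy_enabled:
        targets = LEGACY_TO_POLICY.get(key)
        if targets is None:
            gaps.append((*key, "unknown"))      # not in the mapping: review by hand
        elif not targets:
            gaps.append((*key, "unmanaged"))    # keep a note for future reference
        elif not targets & enabled:
            gaps.append((*key, "missing"))      # enable a matching method first
    return gaps

# Constructed inventory of what the legacy pages showed as enabled.
LEGACY_ENABLED = [("MFA", "Call to phone"), ("MFA", "Text message to phone"),
                  ("MFA", "Notification through mobile app"),
                  ("SSPR", "Email"), ("SSPR", "Security questions")]
# Constructed export of the Authentication methods policy.
SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Sms", "state": "enabled"},
        {"id": "Voice", "state": "disabled"},
        {"id": "Email", "state": "disabled"},
    ],
}

if __name__ == "__main__":
    print("migration state:", SAMPLE_POLICY.get("policyMigrationState"))
    for legacy, method, status in migration_gaps(LEGACY_ENABLED, SAMPLE_POLICY):
        print(f"{status:9} {legacy:4} {method}")
```

Any row reported as `missing` means users who rely on that legacy method would lose it once it is unticked in the legacy policy.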





