A Comprehensive Guide to Migrating from Legacy MFA to Modern MFA in Entra ID

Microsoft has recently announced that it will be retiring the ability to manage authentication methods in the legacy Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in Entra ID on September 30th, 2025. Microsoft further advised that, before that date, organizations should migrate their methods to the converged authentication methods policy, where methods can be managed centrally for all authentication scenarios, including passwordless, multi-factor authentication and self-service password reset.

Official Announcement from Microsoft

Attention: Deadline for the migration is 30th September 2025

With careful planning and execution, this transition can be made seamless and secure. I recently went through this process, and I want to share my experience, along with a step-by-step guide to help you successfully upgrade your MFA methods.

So, my friends, this guide outlines the essential steps for successfully migrating legacy MFA methods to modern authentication in Entra ID, ensuring a smooth and secure transition.

Why Upgrade to Modern MFA?

Before diving into the migration process, let’s take a closer look at why we need these modern MFA methods. So, these are the key facts that I observed about modern MFA.

Legacy MFA methods, while effective in the past, no longer provide the necessary level of protection against modern threats such as phishing, credential stuffing, and MFA fatigue attacks. Modern MFA methods offer several key advantages:

  • Stronger Security - Modern authentication includes phishing-resistant MFA methods such as FIDO2 security keys, Passwordless MFA and Windows Hello for Business.
  • Improved User Experience - Features like Passwordless authentication and Microsoft Authenticator reduce authentication friction.
  • Enhanced Conditional Access Capabilities - Seamless integration with Conditional Access policies ensures adaptive and context-aware authentication.
  • Regulatory Compliance - Many organizations must comply with security standards that mandate stronger authentication mechanisms.

Now, let’s talk about the key steps that we need to take during the migration process.

  1. Step 01 - Audit the current MFA and SSPR policies in Entra ID.
  2. Step 02 - Set up the new unified authentication methods policy.
  3. Step 03 - Change the migration status to Migration in Progress.
  4. Step 04 - Disable current MFA and SSPR authentication methods.
  5. Step 05 - Change the migration status to Migration Complete.
  6. Step 06 - Test the functionality and troubleshoot.

Step 01: Audit the current MFA and SSPR policies in Entra ID.

The first step is to review our current MFA and SSPR policies, including the Conditional Access policies that reference these MFA methods. It is also better to make notes and take screenshots of the current setup so that, if there are issues, we can quickly revert the changes.
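The portal screenshots capture the policy side of the audit, but the per-user side (who is registered for what, and whose default method is still SMS) is easier to snapshot with a script. The following is an added example written for this article, not code from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds roles such as Authentication Policy Administrator and Reports Reader, and that `C:\MfaMigration\Audit` is a placeholder output folder. It exports the converged policy's method states and the user registration report to CSV, then lists the users who would need attention later, because they have no Microsoft Authenticator registration or rely on phone-based methods only.

```powershell
# Added example: snapshot the tenant's MFA/SSPR registration state before changing any policy.
# Assumptions: Microsoft.Graph SDK present; caller has Authentication Policy Administrator
# + Reports Reader; $OutputFolder is a placeholder path for this example.
$OutputFolder = "C:\MfaMigration\Audit"
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

Connect-MgGraph -Scopes "Policy.Read.All","UserAuthenticationMethod.Read.All","AuditLog.Read.All" -NoWelcome

# Graph pages large collections; follow @odata.nextLink until it is empty.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. The converged policy: which methods are enabled today and the current migration state
#    (preMigration / migrationInProgress / migrationComplete).
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy" -OutputType PSObject
"Migration state before we start: $($policy.policyMigrationState)"
$policy.authenticationMethodConfigurations |
    Select-Object id, state |
    Export-Csv -Path "$OutputFolder\converged-policy-methods.csv" -NoTypeInformation

# 2. Per-user registration details: registered methods and the default MFA method of every user.
$report = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$report |
    Select-Object userPrincipalName, isMfaRegistered, isMfaCapable, isSsprRegistered, isSsprEnabled,
                  defaultMfaMethod, @{ n = 'methodsRegistered'; e = { $_.methodsRegistered -join ';' } } |
    Export-Csv -Path "$OutputFolder\user-registration-details.csv" -NoTypeInformation

# 3. Summaries that drive the later steps.
"Users by default MFA method:"
$report | Group-Object defaultMfaMethod | Select-Object Name, Count | Format-Table -AutoSize

# Users with no Microsoft Authenticator registration at all: the registration-campaign audience.
$needsAuthenticator = $report | Where-Object {
    -not ($_.methodsRegistered | Where-Object { $_ -like 'microsoftAuthenticator*' })
}
# Subset that is MFA-registered but only through phone methods: these users lose MFA entirely
# the moment SMS/voice is switched off, so they are the highest priority to re-register.
$phoneOnly = $needsAuthenticator | Where-Object {
    $_.isMfaRegistered -and
    -not ($_.methodsRegistered | Where-Object { $_ -notin 'mobilePhone','alternateMobilePhone','officePhone' })
}

$needsAuthenticator | Select-Object userPrincipalName, defaultMfaMethod |
    Export-Csv -Path "$OutputFolder\needs-authenticator-registration.csv" -NoTypeInformation

"Total users in report : $($report.Count)"
"Without Authenticator : $($needsAuthenticator.Count)"
"Phone-only MFA        : $($phoneOnly.Count)"
```

The method-name strings (`mobilePhone`, `microsoftAuthenticatorPush`, and so on) are the values the registration report returns, so the exported CSV doubles as a check on the matching if your tenant shows a name the filters do not cover. Re-run the script after the pilot and again before Step 04 so the "phone-only" count reaching zero becomes the objective signal that SMS can be disabled.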

Legacy SSPR Settings

Existing MFA Methods

Step 02: Set up the new unified authentication methods policy.

Now we need to define and set up the new MFA methods that we are migrating to. Then go through each method and enable the ones we need. In my case, I selected Microsoft Authenticator and Temporary Access Pass as the authentication methods.

SMS is less secure than the other methods, and Microsoft recommends using passkeys (FIDO2), Temporary Access Pass and Microsoft Authenticator (push and passwordless) as the authentication methods to enhance and maintain zero-trust security.

From my personal experience, I highly recommend implementing these modern MFA methods for a pilot group, such as IT staff, first instead of applying them to all users of the tenant. By doing this, we can reduce the disruption to business operations. The other important thing is that a successful migration requires effective communication and training. To meet that requirement, I sent an announcement email to all users informing them about the upcoming changes. We also created guidance for registering the new MFA methods so users could follow along with it. This reduced the IT administrative burden as well.

Configure Modern Authentication Methods

Configure Authentication Strengths

Step 03: Change the migration status to Migration in Progress.

Once we have defined and configured the MFA policies, it's time to start the migration process. There are two options for the migration process that we can perform:

  • Manual Migration Process.
  • Automated Guided Process.

Here is how the Automated Migration Process wizard looks.

Automated Migration Wizard

Automated Migration Guide

In my case, I used the manual process due to some requirements of our environment. Since I decided to disable SMS-based MFA, I had to change the default MFA method from SMS to the MFA app for all our users before starting the migration. I also needed to make sure that all users could log in to their accounts without any authentication issues. During the preparation, we can set the migration status to “Migration in Progress” until we have completed the new changes.

To register the users who hadn’t registered an app-based authentication method, I ran a registration campaign and gave them a deadline for the registration. This helped me complete that task more accurately and effectively.

Registration Campaign

Step 04: Disable current MFA and SSPR authentication methods.

The main point is that we won’t be able to complete the migration process until we disable the current MFA and SSPR methods. After completing all the requirements of the new MFA methods, we can disable the old MFA and SSPR methods by navigating to the Per User Authentication Methods settings and the Password Reset settings in the Entra ID security center. You can refer to Step 01 to identify the settings and configurations.

Step 05: Change the Migration Status to Migration Complete

After disabling SSPR and the old MFA methods, the final step of the migration process is to go back to the new authentication methods policy page from Step 03, click Manage migration, tick Migration Complete and click Save. We should then see a notification in the top right of the screen that the migration is now complete. From now on, we will be able to manage the MFA and SSPR authentication methods in the single policy that we just set up.
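The Manage migration pane in Step 03 and Step 05 toggles a single property of the converged policy, `policyMigrationState`, which can also be set and, more importantly, read back from a script. Below is an added example written for this article (not the author's or Microsoft's code) that wraps both transitions in one function. It assumes the Microsoft.Graph PowerShell SDK and the Authentication Policy Administrator role; the three state names are the values the v1.0 Graph API uses for this property. The guard against jumping straight from `preMigration` to `migrationComplete` is this script's own rule, added because the in-progress state is the one in which Entra honours the legacy policies while users re-register.

```powershell
# Added example: move the converged authentication methods policy between migration states
# and confirm the change by reading the policy back, rather than trusting the portal banner.
# Assumptions: Microsoft.Graph SDK present; caller is an Authentication Policy Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome
$PolicyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

function Get-MigrationState {
    (Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType PSObject).policyMigrationState
}

function Set-MigrationState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('preMigration', 'migrationInProgress', 'migrationComplete')]
        [string]$State
    )
    $current = Get-MigrationState
    if ($current -eq $State) {
        "Policy is already in state '$State'; nothing to do."
        return
    }
    # Script-level guard (not an API rule): Steps 03 and 04 happen while the policy is
    # migrationInProgress, so refuse to skip that state.
    if ($current -eq 'preMigration' -and $State -eq 'migrationComplete') {
        throw "Policy is still preMigration. Move to migrationInProgress, finish Steps 03-04, then complete."
    }

    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -ContentType 'application/json' `
        -Body (@{ policyMigrationState = $State } | ConvertTo-Json)

    # Read back: the PATCH returning without error is not the same as the state having changed.
    $after = Get-MigrationState
    if ($after -ne $State) {
        throw "Expected state '$State' but the policy reports '$after'."
    }
    "Migration state changed from '$current' to '$after'."
}

# Step 03: start the migration (legacy and converged policies both apply from here on).
Set-MigrationState -State migrationInProgress

# Step 05: run only after the legacy MFA and SSPR methods from Step 04 are disabled.
# Set-MigrationState -State migrationComplete
```

Keep the Step 05 call commented out until the Step 04 work is genuinely done; once the state is `migrationComplete` only the converged policy governs which methods users can use, so a user who still depends on a legacy-only method will be locked out rather than prompted to register.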

Complete the Migration Process

In addition to these steps, we can implement Conditional Access policies to strengthen the security of user accounts, such as requiring corporate-owned or compliant devices, geo-based Conditional Access policies, and blocking legacy authentication protocols. These add an extra layer of security for Entra ID users and devices.

Step 06: Further Monitoring and Troubleshooting

Once we have completed all the steps of the migration process, we need to monitor users' login flows and keep an eye on sign-in issues. If some users run into authentication issues, we should find out the reasons and implement solutions based on them.
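Watching the sign-in logs by hand does not scale past the pilot group, so a scheduled query that surfaces MFA-stage failures and the users who keep hitting them is the practical form of this step. The example below is added for this article and is not the author's or Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK and a role such as Reports Reader. The four error codes are the MFA-related ones from the Entra sign-in error reference as I recall them; compare the `Reason` column against your own logs before relying on the wording.

```powershell
# Added example: pull the last 24 hours of sign-ins that failed at the MFA stage and
# surface the users with repeated failures so they can be contacted before they open tickets.
# Assumptions: Microsoft.Graph SDK present; caller holds Reports Reader (or Security Reader).
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

# Sign-in error codes that point at the MFA step rather than the password step.
$MfaErrorCodes = @{
    50074  = 'Strong authentication required and the user did not pass the MFA challenge'
    50076  = 'MFA newly required (policy or location change); sign-in interrupted'
    50079  = 'User must enrol for MFA'
    500121 = 'Authentication failed during the strong authentication request'
}
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# One filtered query per code; the cmdlet pages through results with -All.
$failures = foreach ($code in $MfaErrorCodes.Keys) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq $code"
}

if (-not $failures) {
    "No MFA-stage sign-in failures since $since."
    return
}

"MFA failures by error code since ${since}:"
$failures | Group-Object { $_.Status.ErrorCode } | ForEach-Object {
    [pscustomobject]@{
        ErrorCode = $_.Name
        Meaning   = $MfaErrorCodes[[int]$_.Name]
        Count     = $_.Count
    }
} | Format-Table -AutoSize

# Repeated failures for one account are the ones worth a call or a Temporary Access Pass;
# a single 50074/50076 is often just an interrupted sign-in the user then completed.
"Users with three or more MFA failures:"
$failures | Group-Object UserPrincipalName | Where-Object Count -ge 3 |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            LastSeen = $latest.CreatedDateTime
            Apps     = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '
            Reason   = ($_.Group.Status.FailureReason | Sort-Object -Unique) -join ' | '
        }
    } | Format-Table -AutoSize -Wrap
```

A spike in 50079 after Step 05 usually means a user was still relying on a legacy-only method and never registered the app; a spike in 500121 tends to track the Authenticator rollout itself (wrong device, notifications muted, old app version). Either way the second table gives the list of people to contact, which matches the fallback and monitoring takeaways later in this article.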

Key Takeaways

Here are a few key takeaways that I learned during the migration process.

  • User Training is Crucial: Some issues were raised due to users being unfamiliar with new MFA methods.
  • Monitoring is Key: Proactively analyzing sign-in logs helped us identify and resolve issues quickly.
  • Fallback Options Are Necessary: Having backup authentication methods ensured users could still access accounts if they faced MFA issues.

Final Thoughts

Migrating from legacy MFA to modern MFA in Entra ID is a crucial step toward strengthening an organization’s security posture. By following a structured approach that includes assessment, testing, user education, and gradual enforcement, organizations can ensure a smooth transition with minimal disruption.

With the increasing sophistication of cyber threats, adopting phishing-resistant authentication methods and enforcing Conditional Access policies are no longer optional. They are essential for safeguarding identities and data.

Organizations looking to enhance their security should begin their MFA modernization journey today to ensure a more resilient and user-friendly authentication experience.

If you’re considering this migration, I highly recommend following a structured approach like the one I shared.

Have you gone through a similar transition? I’d love to hear about your experiences and any additional insights you might have!

Also, I would like to invite you to read my other articles as well:


To stay updated on the latest tech news & trends and deep dives into Microsoft products, make sure to subscribe to Learn with D. Together, let's continue to explore and learn!
