Migrating from Legacy MFA policies

In the past one would have managed Azure AD MFA (oops Entra ID MFA, it’s now called I think) by visiting the Azure AD/ Entra portal and clicking “Per-user MFA” under “All Users”.

That opens up a shitty looking portal where one can manage MFA settings. You can enable/ disable per-user MFA (though we’ve mostly used Conditional Access policies to do that at the places I worked – this method requires a P1 license mind you) but also which methods a user can register for MFA. That’s under “service settings” of the shitty portal and there you have “verification options”.

This stuff is going away soon – by Sept 2024 for sure.

Now we have Authentication methods, under the “Protection” section of the Entra portal.

There you have the following:

As it stands, settings from both these portals are used. So I could have everything set to “No” in the new section but selected in the legacy portal, and users will get whatever is selected in the legacy portal. Or vice versa. What happens in Sept 2024 is that the legacy portal will be discontinued and only the new one used. You don’t have to wait until Sept 2024 though, you can switch over right away and be done with that shitty legacy portal.

Switching over is easy. Just click on “Manage migration”

and then select “Migration complete”.

Just going and doing that right away could throw some errors though. 😊 In the first instance I got the following:

I had to go and disable all the methods in both the legacy portal and under SSPR policies. All.

So, 1) untick everything under the legacy portal:

And 2) turn off SSPR.

Neither of these sections is used post-migration, that’s why we disable them.

(Update: I should have been clearer. Once the migration is done, toggle this back to whatever it was before. It’s just that for the migration to work it needs no method selected, and there’s no way to do that except turn off SSPR. Once migration is complete, this can be turned on but none of the methods listed in this section will be used any more.)

And that’s it, once done you can toggle that migration setting and it will succeed.

Post migration, only the settings in that section are used for MFA and SSPR. Nothing else.

You can enable the methods for All users or specific groups etc. More info on this process can be found in a Microsoft link.
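
A pre-migration check for the switch described above, as an added example that is not from the original post: since only the Authentication methods section is used after migration, it reads that policy's JSON (as returned by Microsoft Graph) and lists legacy options that have no enabled equivalent there. The legacy option labels, their mapping to method ids, and the sample data are assumptions made for illustration.

```python
import json

# Assumed mapping from legacy "verification options" labels to method ids in
# the Authentication methods policy; confirm it against Microsoft's guidance.
LEGACY_TO_NEW = {
    "Call to phone": {"Voice"},
    "Text message to phone": {"Sms"},
    "Notification through mobile app": {"MicrosoftAuthenticator"},
    "Verification code from mobile app or hardware token":
        {"MicrosoftAuthenticator", "SoftwareOath", "HardwareOath"},
}

def audit(policy, legacy_ticked):
    """Report migration state, uncovered legacy options, group-scoped methods."""
    enabled, scoped = set(), set()
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("state") != "enabled":
            continue
        enabled.add(cfg["id"])
        targets = cfg.get("includeTargets", [])
        # Enabled only for specific groups: some users will not get this method
        if not any(t.get("id") == "all_users" for t in targets):
            scoped.add(cfg["id"])
    # An unknown legacy label maps to nothing and is reported as uncovered
    uncovered = sorted(m for m in legacy_ticked
                       if not LEGACY_TO_NEW.get(m, set()) & enabled)
    return {"state": policy.get("policyMigrationState", "unknown"),
            "uncovered": uncovered,
            "scoped": sorted(scoped)}

# Constructed sample, shaped like GET /policies/authenticationMethodsPolicy
SAMPLE_POLICY = json.loads("""
{
  "policyMigrationState": "preMigration",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "disabled", "includeTargets": []},
    {"id": "Voice", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "constructed-group-id"}]}
  ]
}
""")
# Constructed: options an admin noted as ticked in the legacy portal
SAMPLE_LEGACY = ["Call to phone", "Text message to phone",
                 "Notification through mobile app"]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_LEGACY))
```

Run it before unticking anything in the legacy portal: an entry under `uncovered` is a method users have today that nobody would have once the migration is marked complete.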