Modern vs Legacy Microsoft Entra MFA/SSPR Methods


Modern vs Legacy Authentication Methods

Legacy MFA and SSPR Policies

  • Managed separately:
    • Per‑user MFA policy (for multifactor authentication)
    • SSPR (Self‑Service Password Reset) policy (for password resets)
      These policies cannot be scoped granularly—they apply tenant-wide with no group-level targeting.
  • Deprecation planned: On April 25, 2025, Microsoft announced that legacy MFA and SSPR methods will be deprecated on September 30, 2025. After that date these policies will no longer manage authentication methods.

Modern Authentication Methods Policies

  • Unified management: A consolidated, granular policy that covers both MFA and SSPR methods. Admins can target all users or specific groups, and exclude groups, enabling much finer control than the tenant-wide legacy policies.
  • Supports modern, secure authentication methods:
    • FIDO2 (passkeys)
    • Windows Hello for Business
    • Certificate-based authentication (CBA)
    • Microsoft Authenticator (push & passwordless)
    • Temporary Access Pass (TAP), OATH tokens, etc.
    • Legacy methods such as SMS and voice are still supported, with additional options and more configuration flexibility than the legacy policies offered.
  • Integration with Conditional Access:
    • Modern authentication methods integrate with Conditional Access policies, which enforce MFA under specified conditions, such as every login to a particular application or logins from external sources.
  • Integration with Authentication Strengths:
    • Authentication Strengths are built-in policies such as “Phishing‑resistant MFA” (only FIDO2, Windows Hello, or certificate-based authentication satisfies it) and “Passwordless MFA strength”; a Conditional Access policy can require one of them to enforce a higher level of assurance for a given scenario.
  • Improved configuration: Capabilities such as customizing call greetings, filtering which phone types are valid, and showing the app sign-in location, none of which are available in the legacy experience.

Migration Overview: Legacy to Modern Policy

Migration Process & Phases

Some tenants (especially newer ones) may already be auto-provisioned in a post-migration state, without rollback options.

Migration order matters: the system evaluates the modern Authentication Methods policy first and falls back to the legacy policies only if a method isn’t enabled there.

  1. Audit current legacy policies:
    • Check which authentication methods are enabled under per-user MFA and SSPR.
  2. Use migration wizard (recommended):
    • In the Microsoft Entra admin center, open the Authentication Methods > Policies section and start the guided migration.
    • The wizard audits legacy configurations and mirrors them into the new policy. You can customize before finalizing.
  3. Select migration status:
    • Pre-migration: Only modern policy applies to sign-in; legacy still active.
    • Migration in Progress: Both modern and legacy policies apply.
    • Migration Complete: Only modern policy governs—legacy is ignored (except SSPR security questions, which still remain).
  4. Finalize migration:
    • After testing, set status to Migration Complete to disable legacy controls permanently. You can roll back to “In Progress” if needed during transition.
    • Microsoft states that there should be no disruption to user authentication during the migration if these steps are followed.
  5. Post-migration cleanup:
    • Remove or disable legacy settings such as “remember MFA,” trusted IPs, and per-user enforcement; these are outdated and pose security risks.
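
As an added example (not Microsoft's code or documentation), the following Python script audits the object that Microsoft Graph returns from GET /policies/authenticationMethodsPolicy against the checklist above: the migration state (steps 3 and 4), which methods are enabled and for which groups (step 1), whether SMS, voice or email are still on (step 5), and whether at least one phishing-resistant method is enabled. The field names policyMigrationState, authenticationMethodConfigurations, state, includeTargets/excludeTargets and the method ids (Fido2, Sms, X509Certificate, and so on) are Graph's; the tenant data is a constructed sample in that shape, not a real response, and the group GUIDs are placeholders. Windows Hello for Business and SSPR security questions are not represented in this Graph resource, so the script cannot check them.

```python
"""Audit a Microsoft Graph authenticationMethodsPolicy object for the
legacy-to-modern migration checklist.

Added example, not Microsoft's code. It parses the JSON shape returned by
GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy;
the sample below is constructed by hand, not captured from a tenant.
"""
import json

# Constructed sample response (group GUIDs are placeholders).
SAMPLE_POLICY = json.dumps({
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": []},
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": []},
        {"id": "Sms", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": [{"targetType": "group",
                             "id": "00000000-0000-0000-0000-000000000001"}]},
        {"id": "Voice", "state": "disabled",
         "includeTargets": [], "excludeTargets": []},
        {"id": "Email", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}],
         "excludeTargets": []},
        {"id": "TemporaryAccessPass", "state": "enabled",
         "includeTargets": [{"targetType": "group",
                             "id": "00000000-0000-0000-0000-000000000002"}],
         "excludeTargets": []},
        {"id": "X509Certificate", "state": "disabled",
         "includeTargets": [], "excludeTargets": []},
    ],
})

# Phishing-resistant methods that appear in this Graph resource
# (Windows Hello for Business is configured elsewhere and cannot be checked here).
PHISHING_RESISTANT = {"Fido2", "X509Certificate"}
# Methods the page calls legacy: still supported, but weaker than the modern ones.
LEGACY_METHODS = {"Sms", "Voice", "Email"}
MIGRATION_STATES = {"preMigration", "migrationInProgress", "migrationComplete"}


def audit_policy(policy_json: str) -> dict:
    """Return migration state, enabled methods with their scoping, and findings."""
    policy = json.loads(policy_json)
    state = policy.get("policyMigrationState")
    if state not in MIGRATION_STATES:
        raise ValueError(f"unexpected policyMigrationState: {state!r}")

    enabled = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("state") != "enabled":
            continue
        enabled[cfg["id"]] = {
            "include": [t["id"] for t in cfg.get("includeTargets", [])],
            "exclude": [t["id"] for t in cfg.get("excludeTargets", [])],
        }

    findings = []
    legacy_on = sorted(LEGACY_METHODS & enabled.keys())
    if legacy_on:
        findings.append(f"legacy methods still enabled: {', '.join(legacy_on)}")
    if not PHISHING_RESISTANT & enabled.keys():
        findings.append("no phishing-resistant method (FIDO2 or CBA) enabled")
    if state != "migrationComplete":
        # Pre-migration and in-progress both still honour the legacy policies.
        findings.append(f"legacy MFA/SSPR policies still consulted (state={state})")

    return {"migration_state": state, "enabled": enabled, "findings": findings}


def legacy_still_governs(policy_json: str) -> bool:
    """True while the legacy per-user MFA / SSPR policies are still consulted."""
    return audit_policy(policy_json)["migration_state"] != "migrationComplete"


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    print(f"migration state: {report['migration_state']}")
    for method, scope in report["enabled"].items():
        print(f"  enabled: {method:<24} include={scope['include']} exclude={scope['exclude']}")
    for finding in report["findings"]:
        print(f"  finding: {finding}")
```

Run it as a script to print the report for the sample; to audit a real tenant, replace SAMPLE_POLICY with the JSON body fetched from the Graph endpoint above using an account that can read authentication method policies. Re-running it after step 4 should leave no "legacy MFA/SSPR policies still consulted" finding, and any remaining legacy-method finding points to the settings that step 5 tells you to retire.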