Migrating Legacy MFA & SSPR to Authentication Methods Policy for Microsoft Entra ID

Рет қаралды 7,084

Күн бұрын

You can migrate Microsoft Entra ID legacy policy settings that separately control multifactor authentication and self-service password reset (SSPR) to unified management with the Authentication methods policy.
You migrate policy settings on your own schedule, and the process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. You complete the migration whenever you're ready to manage all authentication methods together in the Authentication methods policy.
learn.microsof...
If the migration didnt succeed after you disable the legacy authentication methods options,
you can try to disable " Allow users to create app passwords to sign in to non-browser apps" in MFA configuration,
and put as do not allow temporary

Пікірлер: 29

@saiabhilash3151 9 ай бұрын

Thank you so much sir . I was struggling to understand this concept .You made it so simple .Thanks so much

@hachadwick 5 ай бұрын

much more clear than the MS docs...thank you!

@arseni.paharelau 8 ай бұрын

Thank you! The migration only took me 5 minutes!

@reginaldomoreno9898 4 ай бұрын

One more question, Could I back to "migration in progress" if anything is wrong after changed to "migration completed"?

@AL-Techs 4 ай бұрын

Yes... you can

@gregchin6456 5 ай бұрын

My tenant says I need a license for Multi Factor Authentication. What is the difference between that and using Microsoft Authenticator.

@AL-Techs 5 ай бұрын

Microsoft Authenticator is one method of the multi factor authentications, including emails- sms- voice call- hardware token .

@rahulsaikh893 2 ай бұрын

Thanks

@sarah1989896 8 ай бұрын

thank you, its so helpfull

@LV13619 3 ай бұрын

Thank you for the informative guide. Currently, in my organization, MFA is enabled only for specific privileged accounts, while the vast majority do not have it enabled. Additionally, SSPR is disabled (never was enabled) If I do this migration from legacy MFA to the Authentication Methods policy, will it impact users who do not currently have MFA enabled? Moreover, will this migration mandate/enforce MFA for users who currently do not use it?

@AL-Techs 3 ай бұрын

You will need to apply Conditional Access policy in all cases, and for the excluded users, put them in a group and exclude them from excluded users in that policy...

@AL-Techs 3 ай бұрын

If you need any help, i will be happy to assist and for free...

@LV13619 3 ай бұрын

@@AL-Techs i do have a CA in place targetting only the required group of accounts which should have to configure & go through MFA while accessing MS365 services. So when migrating, if i enable - MS Authenticator & SMS, as examples - and set it to All users, this migration/change shouldn't really apply to "All Users", right? but only the group which is defined in CA. Is my understanding correct?

@AL-Techs 3 ай бұрын

@@LV13619 you can apply to specific group too. but it should as per the policy applied and SSPR..

@onsiteservice3370 8 ай бұрын

👍

@andrewenglish3810 6 ай бұрын

what about existing users who are on MFA using the app do they need to re-authenticate with Microsoft?

@AL-Techs 6 ай бұрын

There's no requirement for re-authenticating MFA. However, please ensure to implement a conditional access policy for all users before disabling per-user MFA. I trust this addresses your query

@AL-Techs 6 ай бұрын

If the policy is already in place and a migration occurs, there's absolutely no need for re-authentication

@andrewenglish3810 6 ай бұрын

@@AL-Techs And what if I cannot access a CAP because I use Entra ID Free, yet MS is asking me to setup SSPR?

@AL-Techs 6 ай бұрын

@@andrewenglish3810 As per the below link from Microsoft, you can check what is eligible for Entra ID Free learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-licensing#compare-editions-and-features

@AL-Techs 6 ай бұрын

for a temporary workaround you may license at least one user with Entra ID P1 or M365 E3 for example, then you will have these features... temporary workaround...@@andrewenglish3810

@TheCyberSnacks 11 ай бұрын

Great work Kalakech

@AL-Techs 11 ай бұрын

welcome bro

@hayenchinguyen3367 8 ай бұрын

Sir, I want to ask that before the migration, I need to enable the CAP and modern authentication methods + disable verification methods in service-settings and SSPR options, but do I also need to disable the "enforced" per-user MFA as well?

@AL-Techs 8 ай бұрын

yes disable per-user MFA for all users. CAP will replace that (use a template to enable MFA for users)

@hayenchinguyen3367 8 ай бұрын

thank you so much!

@reginaldomoreno9898 8 ай бұрын

Thanks for your presentation. It's fine. Could you answer one thing? How will automatic password reset work after migration?

@AL-Techs 8 ай бұрын

You enable and disable from SSPR in entra ID, but you will use the authentication methods from security tab

@prasadhande849 3 ай бұрын

@@AL-Techs wonderful. You made it simple and straight forward. I liked it very much.