From Legacy to Modern: A Complete Guide to Entra ID MFA & SSPR Migration

Introduction

Microsoft has announced the deprecation of the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies. Organizations are encouraged to move to a single Authentication Methods policy in Microsoft Entra ID. The change simplifies administration and gives users a consistent experience, because one policy now governs the methods used for both sign-in and password reset.

In this blog, we’ll explore:
  1. How combined security information registration works today
  2. How to manage authentication methods in Microsoft Entra
  3. Step-by-step guidance to migrate from legacy MFA and SSPR policies to the new Authentication Methods policy

1. Combined Security Info Registration – A Unified Experience

Before combined registration, users had to register their authentication methods separately for Microsoft Entra multifactor authentication (MFA) and self-service password reset (SSPR). This often led to confusion, as the same methods—like phone numbers or authenticator apps—were required for both, but had to be entered twice. With the introduction of combined registration, users now only need to register once to enable both MFA and SSPR, simplifying the experience and reducing friction.

Methods available in combined registration

Combined registration supports various authentication methods and related actions, as outlined in the table below. Users can manage their registered methods (add, change, or delete them) directly from the My Security info page.

Methods available in combined registration

Important Notes:
  • If Microsoft Authenticator is enabled for passwordless sign-in in the Authentication Methods policy, users must also enable passwordless sign-in within the Authenticator app on their device.
  • The Alternate phone method can only be registered from the Security info (manage mode) page, and it requires Voice calls to be enabled in the Authentication Methods policy.
  • The Office phone method has two behaviors:
    • In Interrupt mode, it requires that the user’s Business phone attribute is set in their Entra ID profile.
    • In Manage mode, users can manually add their Office phone from the Security info page without requiring the Business phone attribute.
  • App passwords are available only to users enforced for per-user MFA. They are not available for users who are enabled for MFA via Conditional Access policies.

Combined Registration 

Interrupt Mode: A guided, wizard-style experience that appears during sign-in when users are prompted to register or update their security info.
Interrupt Mode Registration


Manage Mode: Accessible from the user’s profile, this mode allows users to manage their security information at any time (Users can add methods, delete or change existing methods, change the default method).

My Security Info Page

MFA & SSPR Registration flow
Combined Registration

When both Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies are enabled, combined registration may interrupt users at sign-in to collect or refresh security info. These policies determine:
  • Whether registration is prompted during sign-in
  • Which authentication methods are shown
If only an SSPR policy is enabled, users can skip registration and complete it later.

 Scenarios that Trigger Registration Prompts:
  • MFA registration enforced via a Microsoft Entra ID Protection registration policy, or MFA enforced per user: Prompted at sign-in to register MFA methods (and SSPR methods, if the user is in scope for SSPR).
  • MFA enforced via Conditional Access or other policies: Prompted when accessing resources requiring MFA.
  • SSPR registration enforced: Prompted at sign-in to register SSPR methods.
  • SSPR refresh enforced: Prompted to review and confirm or update existing security info at configured intervals.
Registration Behavior
  • Users see the minimum number of required methods, shown in order from most to least secure.
  • If both MFA and SSPR registration are required and SSPR requires two methods, users:
    • Must register one MFA method first (e.g., Microsoft Authenticator).
    • Can register a second method from either MFA or SSPR options (e.g., phone, email, security questions).
Example:
A user enabled for SSPR (requiring two methods) sees Microsoft Authenticator and phone by default. They can choose to replace either with email.
During registration, users can select “I want to set up a different method” to pick from available options—determined by the Authentication Methods policy configured for the tenant.

Important:
1. If your organization enforces a Conditional Access policy requiring MFA for security info registration, users must complete multifactor authentication before accessing their security settings—regardless of whether they’re in interrupt mode or manage mode. This ensures their identity is properly verified before they can view or modify authentication methods.

2. To add protection without disturbing the normal user experience, restrict security info registration to trusted locations (that is, block it, or require MFA for it, from untrusted locations). This limits an attacker who has captured a session, for example through an adversary-in-the-middle (AiTM) phishing proxy, from registering their own MFA method on the compromised account.

3. By default, combined registration requires MFA-capable users to strongly authenticate before registering or managing their security info. If the user is already signed in and has recently completed MFA, no further prompt is shown—except when adding or modifying a passkey (FIDO2), which requires a fresh MFA within the last 5 minutes. Otherwise, the user is asked to re-authenticate.

Note: A combined registration session is valid for only 15 minutes. If the user takes longer than that, the session expires and they must sign in again to continue.
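Points 1 and 2 above are usually implemented together as one Conditional Access policy on the "Register security information" user action. The script below is an added example written for this page, not code from the original post. It uses the Microsoft Graph PowerShell SDK and assumes the caller holds the Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions; $BreakGlassGroupId is a placeholder for your emergency-access accounts group.

```powershell
# Added example, not code from the original post.
# Conditional Access policy: require MFA to register or manage security info from
# any location that is not a trusted named location, created in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess
# + Policy.Read.All permissions. $BreakGlassGroupId is a placeholder GUID.

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$policy = @{
    displayName = "CA - Secure security info registration"
    # Start in report-only; switch to "enabled" once sign-in logs show only expected hits
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            # Target the "Register security information" user action, not an app
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # built-in alias: every trusted named location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # use @("block") to block registration from untrusted locations outright
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read back and verify that the user action and location scoping actually landed
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Id          = $check.Id
    State       = $check.State
    UserActions = ($check.Conditions.Applications.IncludeUserActions -join ",")
    ExcludeLoc  = ($check.Conditions.Locations.ExcludeLocations -join ",")
    Controls    = ($check.GrantControls.BuiltInControls -join ",")
}
```

Leave the policy in report-only until the sign-in logs show no unexpected matches, then enable it. One practical consequence to plan for: a brand-new user with nothing registered cannot satisfy MFA from an untrusted location, so onboarding has to happen from a trusted location or with a Temporary Access Pass issued by the help desk. Note also that PATCH-style updates to Conditional Access policies replace whole condition blocks, so always read the policy back after changing it, as the last lines do.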

2. Managing Authentication Methods in Microsoft Entra

With legacy MFA and SSPR policies being phased out, the Authentication Methods policy is now the central and recommended approach for managing authentication methods in Microsoft Entra ID. It supports a wide range of options including modern passwordless methods allowing administrators to tailor configurations that balance security, user experience, and business needs.

Key Capabilities of the Authentication Methods Policy

  • Enables methods like Microsoft Authenticator, FIDO2, Windows Hello for Business, voice calls, SMS, and more.
  • Supports scoping to all users or specific groups (not individual users).
  • Allows fine-grained configuration, such as enabling:
    • Only mobile or office phones for voice calls
    • Additional context in Microsoft Authenticator (e.g., app name, sign-in location)
Some authentication methods, like passwords or FIDO2 security keys, can be used as a primary sign-in factor for applications or devices. Others are only available as secondary factors, used during Microsoft Entra multifactor authentication (MFA) or self-service password reset (SSPR).

Method                                    | Primary authentication | Secondary authentication
------------------------------------------|------------------------|-------------------------
Windows Hello for Business                | Yes                    | MFA *
Microsoft Authenticator push              | No                     | MFA and SSPR
Microsoft Authenticator passwordless      | Yes                    | No **
Microsoft Authenticator passkey           | Yes                    | MFA
Authenticator Lite                        | No                     | MFA
Passkey (FIDO2)                           | Yes                    | MFA
Certificate-based authentication (CBA)    | Yes                    | MFA
Hardware OATH tokens (preview)            | No                     | MFA and SSPR
Software OATH tokens                      | No                     | MFA and SSPR
External authentication methods (preview) | No                     | MFA
Temporary Access Pass (TAP)               | Yes                    | MFA
Text message (SMS)                        | Yes                    | MFA and SSPR
Voice call                                | No                     | MFA and SSPR
QR code (preview)                         | Yes                    | No
Password                                  | Yes                    | No

* Windows Hello for Business can act as a step-up MFA credential when used with FIDO2 authentication; for this to work, users must be registered for passkey (FIDO2).
** Passwordless sign-in can be used for secondary authentication only if CBA is used for primary authentication.

Note: Some methods are only valid for authentication (e.g., FIDO2, Windows Hello for Business), while others (e.g., security questions) are only used for password reset. For sign-in, use Authentication Strengths in Conditional Access to control which methods or combinations of methods are accepted for a given scenario; password reset methods are governed by the SSPR settings and the Authentication Methods policy, not by authentication strengths.

How Policies Interact

  • Settings are not synced between the policies (legacy MFA, legacy SSPR, and Authentication Methods), so each policy acts independently until the migration is marked complete.
  • A method must be disabled in all policies to fully block it.
  • Example: If a user in the HR group tries to register Microsoft Authenticator:
    • Entra checks the Authentication Methods policy.
    • If not allowed, it checks the legacy MFA policy for app-based options.
    • If still not allowed, it checks the legacy SSPR policy.
⚠️ This layered behavior can produce unexpected results. For instance, if voice calls are disabled in the Authentication Methods policy but Mobile phone is enabled in the legacy SSPR policy, users may still be offered a voice call.

Authentication Methods Policy Known Limitations

  • Targeting individual users is no longer supported; move them to group-based targeting.
  • Policy changes may fail to save if:
    • Too many groups are included
    • The policy size exceeds the 20 KB limit
    • You're running large registration campaigns
To avoid issues, consolidate smaller groups into a single group per method, and add/remove groups in one operation during policy updates.

How to Configure Authentication Methods Policy

To configure the Authentication Methods policy:

Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator (the least-privileged role for this task).

Navigate to Entra ID > Authentication methods > Policies.

Enable, configure, and assign each method to appropriate groups.

Authentication methods Policies
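The same configuration can be applied through Microsoft Graph, which is how you would script it for repeatable deployments or pilot rings. The script below is an added example written for this page, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.AuthenticationMethod permission, and two placeholder group GUIDs ($PilotGroupId and $LegacyPhoneGroupId) that you replace with your own; Set-AuthMethodConfig is a helper defined here, not an SDK cmdlet. It enables Microsoft Authenticator for a pilot group with additional context (app name and sign-in location) turned on, and keeps SMS enabled only for a legacy phone-users group.

```powershell
# Added example, not code from the original post.
# Configures two methods in the Authentication methods policy via Microsoft Graph:
#   - Microsoft Authenticator, enabled for a pilot group, with app name and
#     sign-in location shown in the push prompt (additional context)
#   - SMS, enabled only for a "legacy phone users" group
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.AuthenticationMethod.

$PilotGroupId       = "11111111-1111-1111-1111-111111111111"   # placeholder, replace
$LegacyPhoneGroupId = "22222222-2222-2222-2222-222222222222"   # placeholder, replace
$NoOneGroupId       = "00000000-0000-0000-0000-000000000000"   # Graph's "exclude nobody" sentinel

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome
$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations"

function Set-AuthMethodConfig {
    param([string]$MethodId, [hashtable]$Body)
    $json = $Body | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$MethodId" -Body $json -ContentType "application/json"
    # Read back so the change is verified rather than assumed
    Invoke-MgGraphRequest -Method GET -Uri "$base/$MethodId" -OutputType PSObject
}

$authenticator = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        # authenticationMode: "any" allows both push and passwordless phone sign-in
        @{ targetType = "group"; id = $PilotGroupId; isRegistrationRequired = $false; authenticationMode = "any" }
    )
    featureSettings = @{
        displayAppInformationRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = "all_users" }
            excludeTarget = @{ targetType = "group"; id = $NoOneGroupId }
        }
        displayLocationInformationRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = "all_users" }
            excludeTarget = @{ targetType = "group"; id = $NoOneGroupId }
        }
    }
}

$sms = @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{ targetType = "group"; id = $LegacyPhoneGroupId; isRegistrationRequired = $false }
    )
}

$auth = Set-AuthMethodConfig -MethodId "MicrosoftAuthenticator" -Body $authenticator
"Authenticator state: $($auth.state); app info: $($auth.featureSettings.displayAppInformationRequiredState.state)"
$auth.includeTargets | Format-Table targetType, id, authenticationMode, isRegistrationRequired

$smsCfg = Set-AuthMethodConfig -MethodId "Sms" -Body $sms
"SMS state: $($smsCfg.state)"
$smsCfg.includeTargets | Format-Table targetType, id, isRegistrationRequired
```

A PATCH replaces the includeTargets collection in full. If a method is currently scoped to all_users, the request above silently narrows it to the named group, so read the existing configuration first and merge the targets you want to keep. The read-back at the end of the helper is there precisely to catch that.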

3. Migrating from Legacy MFA & SSPR Policies

Microsoft announced the deprecation of legacy Multifactor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in March 2023. Starting September 30, 2025, these legacy policies will no longer support managing authentication methods. Organizations should begin migrating to the modern Authentication Methods policy in Microsoft Entra ID to ensure uninterrupted management of sign-in and password reset experiences.

Understanding Legacy Policies

Historically, authentication methods were configured in two separate locations:


To access legacy MFA settings:

 In the Microsoft Entra portal, go to Users > All users, then select Per-user MFA from the top menu.

Per-User MFA

On the Per-user multifactor authentication page, select Service settings. From there, you can configure the authentication methods available to users.

Per-user multifactor authentication Service Settings

To access SSPR settings:

In the Microsoft Entra portal, navigate to Protection > Password reset.

Password reset Authentication methods

These legacy policies apply tenant-wide and offer neither group targeting nor fine-grained control. (SSPR itself can be scoped to All users or to a selected group, but the individual password reset methods cannot be scoped.)

🔔 Example: The mobile phone setting in SSPR allows both SMS and voice calls, without an option to limit one.

Microsoft Entra respects all enabled authentication methods—across both legacy and new policies. A method remains available unless disabled in all locations. This can cause unintended overlap:

  • Example: If voice calls are disabled in Authentication Methods but allowed in legacy SSPR, users may still use them.
  • Similarly, enabling Mobile phone in legacy SSPR activates both SMS and voice calls, even if only SMS was intended.
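Because a method stays available until it is disabled in every policy, the useful question before you turn one off (whether in the legacy settings or in the new policy, and whether under "How Policies Interact" above or here) is who still depends on it. The script below is an added example written for this page, not code from the original post. It pulls the user registration details report from Microsoft Graph and lists the users whose only MFA-capable registered method is the one you intend to remove. It assumes the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the method names in $mfaMethods are methodsRegistered values as the report returns them.

```powershell
# Added example, not code from the original post.
# Lists users whose only MFA-capable registered method is $MethodToRemove, i.e. the
# accounts that would be left without a working MFA method if that method were
# disabled in every policy. Assumes the Microsoft.Graph PowerShell SDK and the
# AuditLog.Read.All + UserAuthenticationMethod.Read.All delegated permissions.
param(
    # methodsRegistered value as returned by the report, e.g. mobilePhone, email,
    # microsoftAuthenticatorPush, softwareOneTimePasscode, fido2SecurityKey
    [string]$MethodToRemove = "mobilePhone"
)

Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Page through the registration details report (one row per user)
$uri  = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$rows = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

# Methods that can satisfy an MFA challenge on their own. Email and security
# questions are SSPR-only and deliberately excluded: a user left with only those
# still has no usable MFA method.
$mfaMethods = @(
    "mobilePhone", "alternateMobilePhone", "officePhone",
    "microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless",
    "softwareOneTimePasscode", "hardwareOneTimePasscode",
    "fido2SecurityKey", "windowsHelloForBusiness", "temporaryAccessPass"
)

$atRisk = foreach ($r in $rows) {
    $registered = @($r.methodsRegistered)
    if ($registered -notcontains $MethodToRemove) { continue }
    $remaining = @($registered | Where-Object { $_ -in $mfaMethods -and $_ -ne $MethodToRemove })
    if ($remaining.Count -eq 0) {
        [pscustomobject]@{
            User          = $r.userPrincipalName
            DefaultMethod = $r.defaultMfaMethod
            LeftWith      = (($registered | Where-Object { $_ -ne $MethodToRemove }) -join ",")
        }
    }
}

$usingMethod = @($rows | Where-Object { $_.methodsRegistered -contains $MethodToRemove }).Count
"Users in report            : $($rows.Count)"
"Registered for $MethodToRemove : $usingMethod"
"Would lose all MFA methods : $(@($atRisk).Count)"
$atRisk | Sort-Object User | Format-Table -AutoSize

# Hand the list to a registration campaign or Temporary Access Pass rollout
# before the method is disabled anywhere.
$atRisk | Export-Csv -Path ".\at-risk-$MethodToRemove.csv" -NoTypeInformation
```

Run this with the legacy name in mind: the legacy SSPR "Mobile phone" setting covers both SMS and voice, so when you plan to disable voice calls in the new policy, mobilePhone is the registered method whose dependents matter. Users who appear in the output should be moved to Microsoft Authenticator or a passkey through a registration campaign before the method is switched off.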

Migration Options

Migration from legacy policies can be done in two ways:

1. Automated Migration Guide

Available under Entra ID > Authentication methods > Policies > Manage migration > Begin automated guide
Begin automated guide
  • Automatically audits and maps your current MFA/SSPR settings 
  • Recommends enabling matching methods in the new policy 
  • Allows further configuration before confirming the switch
  • Once confirmed, legacy policies are grayed out and ignored
Review the instructions carefully. As discussed earlier, you should validate which SSPR and legacy MFA settings are currently enabled before migrating to the Authentication Methods policy.
Select Next to continue with the Migration 
Migrating to the new authentication method policies

Validate the Authentication Methods policies to determine which methods should be enabled and which user groups should be assigned specific methods. Once the migration is complete, you can configure additional settings and customizations directly within the Authentication Methods policy.

Select Migrate to proceed with Migration
Authentication method policies

Migration Confirmation screen select Continue to proceed with Migration

Migration Confirmation

Once the migration is complete, the Migration Status will be updated to Complete

Migration Complete

You can still revert to the previous state if needed (from Migration Complete to Migration In Progress)

Once the migration is complete, the SSPR authentication methods will appear grayed out, with only Security questions remaining manageable in this section.

A banner will be displayed stating:
Note: These methods are now being managed in the Authentication Methods policy. Go there to manage methods used for password reset and authentication.”

While Security questions are still managed here, it is recommended to use more secure authentication methods for account recovery.
SSPR authentication methods after migration

In the legacy Per-user MFA service settings, all verification options are grayed out once migration is complete. A banner appears stating:

"These methods are now being managed in the Authentication Methods policy. Go there to manage methods used for authentication and password reset."

⚠️ Security Questions are still managed via the legacy SSPR policy. Until migration support is added, keep them enabled there if required.
Per-user multifactor authentication Service settings after Migration

2. Manual Migration

Recommended if you need full control or wish to proceed gradually

Steps:

  1. Audit current settings in legacy MFA and SSPR policies
  2. Document method mappings and availability
  3. Configure the equivalent methods in the new Authentication Methods policy
  4. Gradually phase out legacy configurations

Migration is fully reversible while in progress. However, once set to Migration Complete, reverting will require providing feedback to Microsoft.
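For the manual path (and to verify what the automated guide did), the Authentication Methods policy and its migration state can be read and written through Microsoft Graph. The script below is an added example written for this page, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK with Policy.ReadWrite.AuthenticationMethod (plus Group.Read.All, used only to resolve group GUIDs to names in the report); $ssprCapable is my own list of method IDs, as they appear in the policy, that can serve password reset. Legacy per-user MFA service settings and the legacy SSPR method list are not exposed by Graph, so steps 1 and 2 still happen on the portal pages shown earlier.

```powershell
# Added example, not code from the original post.
# Reads the Authentication methods policy, prints each method's state and targets,
# shows the migration state, and with -CompleteMigration sets it to migrationComplete.
# Assumes the Microsoft.Graph PowerShell SDK, Policy.ReadWrite.AuthenticationMethod,
# and Group.Read.All (only to resolve group GUIDs to names in the report).
param(
    [switch]$CompleteMigration,
    [switch]$Force   # skip the SSPR guardrail below
)

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","Group.Read.All" -NoWelcome
$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

function Get-AuthMethodsPolicy {
    Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
}

# Target ids are either 'all_users' or a group GUID
function Resolve-TargetName {
    param($Target)
    if ($Target.id -eq "all_users") { return "All users" }
    try {
        $g = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
             -Uri "https://graph.microsoft.com/v1.0/groups/$($Target.id)?`$select=displayName"
        return $g.displayName
    } catch { return $Target.id }   # deleted group or missing permission: show the GUID
}

$policy = Get-AuthMethodsPolicy
"Migration state : $($policy.policyMigrationState)"   # preMigration | migrationInProgress | migrationComplete

$report = foreach ($m in $policy.authenticationMethodConfigurations) {
    [pscustomobject]@{
        Method      = $m.id
        State       = $m.state
        Include     = (@($m.includeTargets | ForEach-Object { Resolve-TargetName $_ }) -join "; ")
        Exclude     = (@($m.excludeTargets | ForEach-Object { Resolve-TargetName $_ }) -join "; ")
        RegRequired = (@($m.includeTargets | Where-Object { $_.isRegistrationRequired }).Count -gt 0)
    }
}
$report | Sort-Object State -Descending | Format-Table -AutoSize

if ($CompleteMigration) {
    # Guardrail: after migrationComplete the legacy SSPR method list is ignored
    # (security questions excepted), so at least one SSPR-capable method must be
    # enabled here or password reset has nothing to offer. Method ids as they
    # appear in the policy; this list is mine, not returned by the API.
    $ssprCapable = @("MicrosoftAuthenticator", "Sms", "Voice", "Email", "SoftwareOath", "HardwareOath")
    $enabledIds  = @($policy.authenticationMethodConfigurations |
                     Where-Object { $_.state -eq "enabled" } | ForEach-Object { $_.id })
    if (-not $Force -and -not ($enabledIds | Where-Object { $_ -in $ssprCapable })) {
        Write-Warning "No SSPR-capable method is enabled in the Authentication methods policy; re-run with -Force to complete anyway."
        return
    }
    $body = @{ policyMigrationState = "migrationComplete" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri $base -Body $body -ContentType "application/json"
    "Migration state now: $((Get-AuthMethodsPolicy).policyMigrationState)"
}
```

Run it without switches first and keep the table as the "document method mappings" artifact from step 2: every method that is enabled in the legacy service settings or SSPR page should show as enabled with the right targets here before you move on. The same PATCH with migrationInProgress is the reversal described above.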

 Final Recommendation

  1. Begin your migration early to avoid last-minute disruption. The Authentication Methods policy not only simplifies administration but also strengthens your security posture through support for modern, phishing-resistant authentication methods.
  2. Changes made in a home tenant (e.g., removing SMS as a method) do not automatically apply to resource tenants in B2B collaboration scenarios. To ensure authentication methods are managed correctly per tenant, sign in to the Microsoft Entra admin center, click your account name in the top-right corner, select Switch directory, and update the settings in the correct tenant.

Conclusion

As Microsoft moves toward modern, secure identity management, transitioning from legacy MFA and SSPR policies to the Authentication Methods policy is no longer optional—it’s essential. This unified approach not only simplifies administration but also enhances user experience and security across sign-in and password reset scenarios.

By planning your migration early, validating existing configurations, and leveraging tools like the Migration Guide in the Entra portal, your organization can ensure a smooth, controlled transition. Embrace the shift now to stay ahead of evolving authentication standards and better protect your digital estate.
