In today's rapidly evolving digital landscape, ensuring robust security measures is paramount. Microsoft Entra ID (formerly Azure AD) has introduced new authentication methods that provide enhanced security and a more streamlined user experience. This blog will guide you through the process of migrating from legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policy settings to the new authentication methods in Entra ID.
Why Migrate to New Authentication Methods?
The new authentication methods in Entra ID offer several advantages over the legacy MFA and SSPR settings:
- Enhanced Security: The new methods leverage modern security protocols and technologies, providing better protection against threats.
- Improved User Experience: Users benefit from a more seamless and intuitive authentication process.
- Simplified Management: Administrators can manage authentication methods more efficiently through a unified interface and have the flexibility to only allow certain methods to certain users. Example is to only allow Voice Calls for users who do not have access to a mobile device to leverage the Authenticator App or a hardware token.
- Deadline: There is a deadline of September 2025 to be off the Legacy Authentication for MFA and SSPR. (Reference article here)
Steps to Migrate
- Assess Your Current Configuration
Before starting the migration, it's essential to understand your current MFA and SSPR configurations. Identify the policies in place and the users affected by these policies. This assessment will help you plan the migration process effectively.
Specific Tasks:
- Review existing MFA and SSPR policies in the Azure portal.
- Document the current settings and configurations.
- Identify the user groups affected by these policies.
- Gather feedback from users on their experience with the current authentication methods.
- Determine which users need which authentication methods enabled.
- Plan Your Migration
Create a detailed migration plan that outlines the steps, timeline, and resources required. Ensure that all stakeholders are informed and involved in the planning process. Consider running a pilot migration with a small group of users to identify potential issues and gather feedback. To complete planning, perform the following tasks:
- Develop a migration timeline with key milestones.
- Identify the resources needed, including personnel and tools.
- Communicate the migration plan to all stakeholders.
- Identity who will be enabled for each method and make sure that all active methods will be included as part of the pilot.
- Select a pilot group of users for initial testing.
- Prepare a rollback plan in case of any issues during the migration.
- Configure New Authentication Methods
In the Entra ID portal, navigate to the Authentication Methods section. Here, you can configure the new authentication methods, such as passwordless authentication, FIDO2 security keys, and the Microsoft Authenticator app. Ensure that the new methods align with your organization's security policies and user needs. This will require doing the following:
- Enable and configure the desired authentication methods.
- Ensure that the new methods comply with your organization's security policies.
- Document the new configurations for future reference.
- Configure MFA registration campaign.
- Configure necessary Conditional Access Policies.
During this configuration, each authentication method should be configured as appropriate including making sure that the Authenticator App will show all of the desired information to users to help make proper decisions when the request comes in.
It is important to note that the Authentication Methods section of Entra ID controls both MFA and SSPR methods from a single location. At this time, Security Questions is not supported so if that is in use, the legacy configuration within Password Reset configuration should remain and will be honored.
- Test and Validate
Before rolling out the new authentication methods to all users, conduct thorough testing to ensure everything works as expected. Validate that users can authenticate successfully and that the new methods provide the desired security and user experience improvements. Things can be adjusted as necessary based on the testing.
- Communicate with Users
Effective communication is crucial for a smooth migration. Inform users about the upcoming changes, the benefits of the new authentication methods, and any actions they need to take. Provide clear instructions and support resources to help users transition smoothly. The following should be performed as part of the communication efforts:
- Send out an initial announcement about the upcoming changes and the reasons behind them.
- Provide detailed instructions on how to use the new authentication methods.
- Offer training sessions or webinars to demonstrate the new methods.
- Create a FAQ document to address common questions and concerns.
- Set up a support channel for users to seek help during the transition.
- Monitor and Optimize
After and during the migration, continuously monitor the performance and effectiveness of the new authentication methods. Gather feedback from users and make any necessary adjustments to optimize the authentication experience including doing the following:
- Monitor authentication logs and reports in the Entra ID portal to identify any issues or anomalies.
- Conduct regular surveys to gather user feedback on the new authentication methods.
- Analyze the feedback and make adjustments to improve the user experience.
- Ensure that any issues are promptly addressed and resolved.
- Schedule periodic reviews to assess the overall effectiveness of the new methods.
- Offboard from Legacy MFA and SSPR Policy Settings
Offboarding from the legacy MFA and SSPR policy settings is the final step to ensure a smooth transition to the new authentication methods. Here are the steps to effectively offboard from the legacy policies:
- Turn Off App Passwords: In the legacy MFA settings, turn off app passwords to prevent users from using old applications with modern authentication.
- Remove IP Addresses: Remove any IP addresses specified in the legacy MFA settings. If they are still needed, add them to Named Locations in Azure AD.
- Uncheck Voice and Text for Authentication: Ensure that the ability to use voice and text for authentication is unchecked due to known vulnerabilities in these methods.
- Verify Trusted Devices: Verify that devices are not trusted in the legacy MFA console. This setting should be configured with sign-in frequency within conditional access.
- Disable Legacy Policies: Once the new authentication methods are fully configured and tested, disable the legacy MFA and SSPR policies to prevent any conflicts or security issues.
- Disable Users: Move users to a disabled state in the legacy Portal.
- Migration Complete: Mark the migration as completed in the Authentication Methods area of Entra ID.
Conclusion
Migrating to the new authentication methods in Entra ID is a strategic move that enhances security, improves user experience, and simplifies management. By following the steps outlined in this blog, you can ensure a smooth and successful migration process. Embrace the future of authentication with Entra ID and provide your organization with the robust security it needs in today's digital world. If you have any questions or need any help, please contact Spyglass MTG to help or plan for your next steps in migrating away from the legacy authentication solution for MFA and SSPR.