5 min read
Why Device Code Flow Phishing Bypasses MFA in Microsoft 365
The most dangerous Microsoft 365 attack right now is the one that does not look like an attack.
3 min read
Nicole Walker
:
Updated on June 16, 2026
On September 30, 2025, Microsoft will retire legacy multi-factor authentication (MFA) and self-service password reset (SSPR) policies in Entra ID (formerly Azure Active Directory).
After that date, all authentication management must move to the unified Authentication Methods policy.
This migration combines controls for MFA, passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator into a single policy. It simplifies administration and strengthens security. Organizations that do not migrate risk lockouts, loss of access to authentication methods, and compliance gaps.
On this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and Nick Ross (CEO, CloudCapsule) break down the migration deadline and what it means for IT teams. They cover steps for a smooth transition and strategies to future-proof identity security.
The discussion focuses on the technical and operational impact of moving from legacy per-user MFA and SSPR controls to a unified, policy-driven approach in Entra ID.
Microsoft is retiring legacy MFA and SSPR policies and replacing them with a single Authentication Methods policy. This new policy allows unified configuration for all authentication scenarios, including passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator. The goal is to reduce attack surfaces, simplify administration, and ensure consistent enforcement across the Microsoft cloud.
The migration disables weaker authentication methods by default. That includes:
SMS-based verification
Email one-time passcodes (OTP)
In their place, Microsoft is pushing adoption of stronger, phishing-resistant options:
Passkeys
FIDO2 security keys
Microsoft Authenticator
Organizations must review and enable required methods in the new policy to avoid user lockouts. Conditional Access policies should also be updated to enforce strong authentication for sensitive accounts and critical operations.
Passkeys and FIDO2 keys are modern, passwordless authentication methods. They use credentials tied to a specific user and device, which makes them resistant to phishing and token theft attacks. That puts then well ahead of SMS or email codes in terms of security.
Passkeys can be stored in Microsoft Authenticator or on hardware tokens. Support for passkeys continues to expand across platforms.
Legacy authentication methods will be disabled. Only methods configured in the new Authentication Methods policy will remain active. This can cause user lockouts and compliance gaps.
Enable phishing-resistant options such as Microsoft Authenticator, FIDO2 security keys, passkeys, and Temporary Access Pass. Avoid relying on SMS and email OTP, which are more vulnerable to attacks.
Audit all accounts to confirm each has at least one approved authentication method enabled in the new policy. Pay special attention to admin and break-glass accounts.
Audit existing methods, communicate changes to users, enable modern authentication options, update Conditional Access policies, and test with pilot groups before full rollout.
As Microsoft retires legacy authentication methods, organizations have a clear opportunity to strengthen identity security and compliance. Migrating to the unified Entra ID Authentication Methods policy simplifies management, reduces risk, and enables phishing-resistant sign-in options.
Sourcepass MCOE works with organizations to assess current configurations, implement best practices, and ensure a smooth transition to secure authentication.
Ready to discuss your migration plan? Connect with a Sourcepass MCOE expert to review your technical requirements and next steps.
For ongoing updates and guidance on Microsoft Entra ID, subscribe to the Demystifying Microsoft podcast.
5 min read
The most dangerous Microsoft 365 attack right now is the one that does not look like an attack.
5 min read
Attackers no longer need a password to take over a Microsoft 365 account. They just need a session token, and they are getting it after users...
6 min read
Identity is now the most targeted layer in enterprise security. Many organizations are still trying to manage it with disconnected tools that were...
1 min read
Attackers don’t just target users anymore. They exploit the gaps in the infrastructure that moves email across the internet. Encryption in transit...
1 min read
Token theft and phishing attacks in Microsoft 365 are increasing fast. Over half of surveyed organizations reported a breach in the past year.
1 min read
Email remains one of the most common ways attackers gain access to organizations. DNS, SPF, DKIM, and DMARC serve as identity checks that verify...