On September 30, 2025, Microsoft will retire legacy multi-factor authentication (MFA) and self-service password reset (SSPR) policies in Entra ID (formerly Azure Active Directory). All authentication management must transition to the unified Authentication Methods policy.
This migration consolidates controls for MFA, passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator, streamlining administration and strengthening security. Organizations that do not migrate risk lockouts, loss of access to authentication methods, and compliance gaps.
In this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and guest Nick Ross (CEO, CloudCapsule) explore the impact of Microsoft’s migration deadline, practical steps for a seamless transition, and strategies to future-proof identity security. The discussion covers the technical and operational implications of moving from legacy per-user MFA and SSPR controls to a unified, policy-driven approach in Entra ID.
Microsoft is consolidating authentication management by retiring legacy MFA and SSPR policies. The new Authentication Methods policy enables unified configuration for all authentication scenarios, including passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator. This change is designed to reduce attack surfaces, simplify administration, and ensure consistent enforcement across the Microsoft cloud.
By default, the migration disables weaker authentication methods such as SMS and email OTP, and it encourages adoption of phishing-resistant options like passkeys, FIDO2 keys, and Microsoft Authenticator. Organizations must review and enable required methods in the new policy to avoid user lockouts. Conditional Access policies should be updated to enforce strong authentication for sensitive accounts and critical operations.
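One way to run the pre-migration review described above, as an added example that is not from the podcast or from Microsoft: it compares the methods enabled in an Authentication Methods policy with the methods users have registered and lists who would have no usable method. The policy sample is constructed in the shape of the Microsoft Graph `authenticationMethodsPolicy` resource, and the registration inventory, user names and function names are hypothetical.

```python
# Constructed sample shaped like GET /policies/authenticationMethodsPolicy
# (Microsoft Graph); the values are illustrative, not from a real tenant.
SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled"},
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Sms", "state": "disabled"},
        {"id": "Email", "state": "disabled"},
    ],
}

# Constructed inventory of the methods each user has registered
# (hypothetical export; build it from your own registration report).
SAMPLE_REGISTRATIONS = {
    "alice@example.com": {"MicrosoftAuthenticator", "Sms"},
    "bob@example.com": {"Sms"},
    "carol@example.com": {"Fido2"},
    "dave@example.com": set(),
}

# Methods the article describes as weaker.
WEAK = {"Sms", "Email"}


def enabled_methods(policy):
    """Return the ids of the method configurations whose state is 'enabled'."""
    configs = policy.get("authenticationMethodConfigurations", [])
    return {c["id"] for c in configs if c.get("state") == "enabled"}


def audit(policy, registrations):
    """Flag users the new policy would leave without a usable or strong method."""
    enabled = enabled_methods(policy)
    report = {"no_usable_method": [], "weak_only": [],
              "weak_enabled": sorted(enabled & WEAK)}
    for user, methods in sorted(registrations.items()):
        usable = methods & enabled
        if not usable:
            report["no_usable_method"].append(user)   # lockout risk
        elif usable <= WEAK:
            report["weak_only"].append(user)          # can sign in, weak only
    # Assumption: finishing the migration is safe only when nobody is stranded.
    report["safe_to_complete"] = not report["no_usable_method"]
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_REGISTRATIONS))
```

Users listed under `no_usable_method` need to register an enabled method, or have a method they rely on enabled in the policy, before the migration is marked complete.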
Passkeys and FIDO2 keys are modern, passwordless authentication methods that use cryptographic credentials tied to a user and device. They block phishing and token theft attacks, offering a higher level of security than SMS or email codes. Passkeys can be stored in Microsoft Authenticator or on hardware tokens, and are increasingly supported across platforms.
As Microsoft retires legacy authentication methods, organizations face a critical opportunity to strengthen identity security and compliance. Migrating to the unified Entra ID Authentication Methods policy streamlines management, reduces risk, and enables modern, phishing-resistant sign-in options. Sourcepass MCOE works with organizations to assess current configurations, implement best practices, and ensure a seamless transition to secure authentication.