Sourcepass MCOE Blog

Microsoft Entra ID Authentication Migration | Sourcepass MCOE

Written by Nicole Walker | Sep 29, 2025 1:00:00 PM

On September 30, 2025, Microsoft will retire legacy multi-factor authentication (MFA) and self-service password reset (SSPR) policies in Entra ID (formerly Azure Active Directory). 

After that date, all authentication management must move to the unified Authentication Methods policy. 

This migration combines controls for MFA, passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator into a single policy. It simplifies administration and strengthens security. Organizations that do not migrate risk lockouts, loss of access to authentication methods, and compliance gaps.

 

What is Changing with Microsoft Entra ID Authentication Methods?

 

On this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and Nick Ross (CEO, CloudCapsule) break down the migration deadline and what it means for IT teams. They cover steps for a smooth transition and strategies to future-proof identity security. 

The discussion focuses on the technical and operational impact of moving from legacy per-user MFA and SSPR controls to a unified, policy-driven approach in Entra ID. 

 

 

 

Timestamped Key Moments

 

  • 00:00 Introduction and overview of the migration deadline
  • 01:05 — Legacy MFA and SSPR: What’s being retired
  • 04:14 New Authentication Methods policy and its security benefits
  • 06:27 — Impact on users: SMS and email OTP changes and stronger authentication
  • 09:16 — Conditional Access policies and best practices for layered security
  • 17:23 — Passkeys and FIDO2: Phishing-resistant authentication explained
  • 21:09 — Temporary Access Pass for secure onboarding and device registration
  • 33:29 — Self-service password reset: Security risks and recommendations
  • 39:31 — Business Premium and Defender Suite for enterprise protection
  • Outro — How to learn more and connect with experts

 

What is the Microsoft Entra ID Authentication Methods Migration?

 

Microsoft is retiring legacy MFA and SSPR policies and replacing them with a single Authentication Methods policy. This new policy allows unified configuration for all authentication scenarios, including passwordless sign-in, FIDO2 keys, passkeys, and Microsoft Authenticator. The goal is to reduce attack surfaces, simplify administration, and ensure consistent enforcement across the Microsoft cloud.

 

How does the Migration Affect Security and User Experience?

 

The migration disables weaker authentication methods by default. That includes: 

  • SMS-based verification

  • Email one-time passcodes (OTP)

In their place, Microsoft is pushing adoption of stronger, phishing-resistant options: 

  • Passkeys

  • FIDO2 security keys

  • Microsoft Authenticator

Organizations must review and enable required methods in the new policy to avoid user lockouts. Conditional Access policies should also be updated to enforce strong authentication for sensitive accounts and critical operations.

 

What are Passkeys and FIDO2 Keys, and Why do they Matter?

 

Passkeys and FIDO2 keys are modern, passwordless authentication methods. They use credentials tied to a specific user and device, which makes them resistant to phishing and token theft attacks. That puts then well ahead of SMS or email codes in terms of security.

Passkeys can be stored in Microsoft Authenticator or on hardware tokens. Support for passkeys continues to expand across platforms.

 

What Should Organizations do to Prepare?

 

  • Audit current MFA and SSPR configurations in the Entra admin center
  • Use the automated migration guide to consolidate settings
  • Enable modern authentication methods such as passkeys, FIDO2, Microsoft Authenticator
  • Update Conditional Access policies to enforce strong authentication for admins and sensitive accounts
  • Test configurations with pilot groups to prevent lockouts
  • Communicate changes to users and provide support resources

Advance your Authentication Strategy with Sourcepass MCOE

 

As Microsoft retires legacy authentication methods, organizations have a clear opportunity to strengthen identity security and compliance. Migrating to the unified Entra ID Authentication Methods policy simplifies management, reduces risk, and enables phishing-resistant sign-in options.

Sourcepass MCOE works with organizations to assess current configurations, implement best practices, and ensure a smooth transition to secure authentication.

Ready to discuss your migration plan? Connect with a Sourcepass MCOE expert to review your technical requirements and next steps.

For ongoing updates and guidance on Microsoft Entra ID, subscribe to the Demystifying Microsoft podcast.