Migrate MFA & SSPR

Why migrate MFA and SSPR

Microsoft has announced the deprecation of the legacy MFA and SSPR portals (the per-user MFA service settings and the legacy SSPR policy) in favour of the Authentication methods policy. All IT departments have until January 2024 to complete the migration. This post walks through the migration step by step.

The migration can follow your own schedule, with January 2024 as the deadline. The process is fully reversible: while the migration state is Migration in Progress, the tenant-wide legacy MFA and SSPR policies remain in force alongside the new policy, so users are not cut off. A user group is used to target the users who should be subject to the new policies first.

Audit the older policies

This audit is not mandatory, but it is recommended. It lists all of the currently configured settings, which you will need in order to reproduce them in the Authentication methods policy.

The MFA settings

From the Entra portal, expand Users, click All users, then click Per-user MFA.

Click on MFA to list the settings

Click Service settings in the legacy MFA portal and note the settings: app passwords, trusted IPs, verification options and remember MFA on trusted devices.

Click on Service settings
List the settings for the MFA

The SSPR settings

From the Entra portal, expand Users, click All users, then click Password reset.

Select password reset

Click Authentication methods and note the settings of the legacy SSPR policy: the number of methods required to reset and the methods available to users.

List the settings in SSPR
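The legacy MFA service settings and the legacy SSPR policy are read in the portal as shown above. The Authentication methods policy they are migrated into, on the other hand, is exposed through Microsoft Graph. The following is an added example (not code from the original post) that summarises that policy so the audit can be compared against it. It works on the object returned by GET /policies/authenticationMethodsPolicy; the JSON below is a constructed sample, not a real tenant, and the scope name and group ids are assumptions.

```powershell
# Added example, not from the original post. It summarises the Authentication methods
# policy that the legacy settings above will be migrated into, so the two can be compared.
# It reads the object that GET /policies/authenticationMethodsPolicy returns; the sample
# JSON below is constructed for this example and is not a real tenant.

function Get-AuthMethodPolicySummary {
    param(
        # Policy object (PSCustomObject from ConvertFrom-Json, or from
        # Invoke-MgGraphRequest -OutputType PSObject)
        [Parameter(Mandatory)] $Policy
    )
    $rows = @()
    $rows += [pscustomobject]@{
        Method  = '(policyMigrationState)'
        State   = $Policy.policyMigrationState
        Include = ''
        Exclude = ''
    }
    foreach ($m in $Policy.authenticationMethodConfigurations) {
        # includeTargets carry an authenticationMode only for Microsoft Authenticator
        $inc = @($m.includeTargets | ForEach-Object {
            if ($_.authenticationMode) { "$($_.id) [$($_.authenticationMode)]" } else { $_.id }
        })
        $exc = @($m.excludeTargets | ForEach-Object { $_.id })
        $rows += [pscustomobject]@{
            Method  = $m.id
            State   = $m.state
            Include = ($inc -join ', ')
            Exclude = ($exc -join ', ')
        }
    }
    return $rows
}

# Constructed sample. "all_users" is the well-known target id Graph uses for All users;
# the GUIDs are made up for this example.
$sampleJson = @'
{
  "policyMigrationState": "preMigration",
  "authenticationMethodConfigurations": [
    { "id": "MicrosoftAuthenticator", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "all_users", "authenticationMode": "any" } ],
      "excludeTargets": [] },
    { "id": "Email", "state": "disabled", "includeTargets": [], "excludeTargets": [] },
    { "id": "Sms", "state": "enabled",
      "includeTargets": [ { "targetType": "group", "id": "9e6f1c6e-0000-4000-8000-000000000001" } ],
      "excludeTargets": [ { "targetType": "group", "id": "9e6f1c6e-0000-4000-8000-000000000002" } ] }
  ]
}
'@
$policy = $sampleJson | ConvertFrom-Json
Get-AuthMethodPolicySummary -Policy $policy | Format-Table -AutoSize

# Against a live tenant (read-only scope; assumes the Microsoft.Graph module is installed):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#     -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
# Get-AuthMethodPolicySummary -Policy $policy | Format-Table -AutoSize
```

Keep the output of this summary next to the screenshots of the legacy settings: any verification option that is enabled in the legacy service settings but disabled in the new policy is a method users will lose once the migration is completed.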

Start the migration

The migration can now be started. From the Entra portal, expand Protect & secure, click Authentication methods, then click Policies. Click Manage migration to start the migration.

Start the migration for the new SSPR policies

By default, the Pre-migration option is selected. Select Migration in Progress, then click Save. In this state Entra ID honours both the legacy policies and the Authentication methods policy, so users keep their existing methods while the new policy is built up.

Check Migration in progress

Email one-time passcode

Click Email OTP; the configuration of the authentication method appears. With the Enable and Target control, we can target a user group or all users in the tenant. Targeting a group lets you limit the new policy to a few users during the migration and test phase.

Group is selected

Click Configure to choose whether external users (guests) may use email OTP. The setting can be enabled or disabled. Click Save to apply the change. Note that for member users email OTP is only usable for SSPR, not as an MFA method at sign-in; the external setting covers B2B guests.

Enable email OTP for external users

Microsoft Authenticator

Click Microsoft Authenticator to modify the settings of this authentication method.

Configure Microsoft Authenticator methods

Select the user groups. For each group, choose the authentication mode: Any, Push or Passwordless.

Select authentication mode and user groups

Click Configure, then set Allow use of Microsoft Authenticator OTP to Yes. The following options can also be configured:

  • Require number matching for push notifications: when a user signs in to Office 365, a number is displayed on the sign-in page and the user must type it into the Authenticator app. This mitigates MFA-fatigue attacks, where a user blindly approves a prompt they did not initiate. Since May 2023 Microsoft enforces number matching for all Authenticator push notifications, so this setting can no longer be turned off.
  • Application name in push and passwordless notifications: the name of the application appears in the notification on the mobile device, so the user can check which application is requesting the second factor.
  • Geographic location in push and passwordless notifications: the approximate location of the sign-in request (derived from its IP address) appears in the notification, so the user can spot a request that does not come from where they are.
  • Microsoft Authenticator on companion applications: Authenticator Lite is integrated into Outlook for iOS and Android. It lets users complete MFA with number matching or a one-time code without leaving Outlook, which eases rollout for users who have not installed the Authenticator app.

Configure the settings and click on Save.

Configure Microsoft Authenticator settings
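The portal steps above (switch to Migration in Progress, enable Email OTP, configure Microsoft Authenticator for a pilot group) can also be applied through Microsoft Graph, which makes the change scriptable and reviewable before it is sent. The following is an added example, not code from the original post. The pilot group id is an assumption for this example; replace it with your own group's object id. Number matching is not set because Microsoft enforces it for every push notification.

```powershell
# Added example, not from the original post. It applies the same Email OTP and
# Microsoft Authenticator settings as the portal steps above through Microsoft Graph,
# so the change is scripted and can be reviewed before it is sent. The pilot group id
# is an assumption for this example; replace it with your own group's object id.

function New-EmailOtpBody {
    param(
        [Parameter(Mandatory)] [string[]] $GroupIds,
        # "Allow external users to use email OTP" in the portal
        [ValidateSet('enabled', 'disabled', 'default')] [string] $ExternalOtp = 'disabled'
    )
    @{
        '@odata.type'                = '#microsoft.graph.emailAuthenticationMethodConfiguration'
        state                        = 'enabled'
        allowExternalIdToUseEmailOtp = $ExternalOtp
        includeTargets               = @($GroupIds | ForEach-Object {
            @{ targetType = 'group'; id = $_; isRegistrationRequired = $false }
        })
    }
}

function New-AuthenticatorBody {
    param(
        [Parameter(Mandatory)] [string[]] $GroupIds,
        # Graph names for the portal's Any / Push / Passwordless authentication modes
        [ValidateSet('any', 'push', 'deviceBasedPush')] [string] $Mode = 'any',
        [bool] $AllowOtp = $true,            # Allow use of Microsoft Authenticator OTP
        [bool] $ShowAppName = $true,         # Application name in notifications
        [bool] $ShowLocation = $true,        # Geographic location in notifications
        [bool] $AllowCompanionApps = $true   # Authenticator Lite in Outlook
    )
    # Each feature setting is itself targetable. all_users plus the all-zero GUID
    # (the "no exclusion" value Graph returns by default) applies it to everyone.
    $feature = {
        param([bool] $On)
        @{
            state         = $(if ($On) { 'enabled' } else { 'disabled' })
            includeTarget = @{ targetType = 'group'; id = 'all_users' }
            excludeTarget = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }
        }
    }
    @{
        '@odata.type'         = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        state                 = 'enabled'
        isSoftwareOathEnabled = $AllowOtp
        featureSettings       = @{
            displayAppInformationRequiredState      = & $feature $ShowAppName
            displayLocationInformationRequiredState = & $feature $ShowLocation
            companionAppAllowedState                = & $feature $AllowCompanionApps
        }
        includeTargets = @($GroupIds | ForEach-Object {
            @{ targetType = 'group'; id = $_; isRegistrationRequired = $false; authenticationMode = $Mode }
        })
    }
}

$pilotGroup = '9e6f1c6e-0000-4000-8000-000000000001'   # assumed pilot group object id
$policyUri  = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
$steps = @(
    # 1. Migration in Progress: legacy and new policies both apply from here on
    @{ Uri = $policyUri; Body = @{ policyMigrationState = 'migrationInProgress' } }
    # 2. Email OTP for the pilot group, external users allowed
    @{ Uri  = "$policyUri/authenticationMethodConfigurations/Email"
       Body = New-EmailOtpBody -GroupIds $pilotGroup -ExternalOtp 'enabled' }
    # 3. Authenticator for the pilot group: any mode, app name, location and Authenticator Lite on
    @{ Uri  = "$policyUri/authenticationMethodConfigurations/MicrosoftAuthenticator"
       Body = New-AuthenticatorBody -GroupIds $pilotGroup -Mode 'any' }
)

$Apply = $false   # set to $true after Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
foreach ($s in $steps) {
    Write-Host "PATCH $($s.Uri)"
    $s.Body | ConvertTo-Json -Depth 6      # review the request before sending it
    if ($Apply) { Invoke-MgGraphRequest -Method PATCH -Uri $s.Uri -Body $s.Body }
}
```

With `$Apply` left at `$false` the script only prints the three PATCH bodies, which is what you want to paste into a change ticket; flip it once the JSON matches the portal screenshots above.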

The SSPR settings

The SSPR settings can be checked; for now they are not modified. From the Entra portal, click Protect & secure, then Password reset. Select Authentication methods and verify the settings. At this stage no changes have been made: the legacy SSPR policy stays in force during the migration.

The SSPR settings

Test the MFA

We can now test MFA. On my iPhone I sign in to the Office 365 portal and enter my username.

Connect to the O365 portal

A number appears, and I need to enter the same number in the Authenticator app (number matching).

Number matching

In the Authenticator app, a new notification appears. The user can see the application name and the location, and must enter the number to validate the MFA prompt.

Finish the migration

Before finishing the migration, the legacy authentication methods must be removed. From the Entra portal, expand Protect & secure, then click Password reset. Click Authentication methods and uncheck every method, then check Security questions and configure the number of questions to register and the number of questions required to reset. Security questions stay here because they are not part of the Authentication methods policy; they remain managed by the legacy SSPR policy even after the migration. Select the questions, then click Save.

Select the questions for resetting the password

In the legacy multifactor authentication service settings, uncheck all verification options. Click Save to apply the change.

Uncheck all methods

From the Entra portal, expand Protect & secure, click Authentication methods, then click Policies. Click Manage migration to finish the migration.

Open Manage migration to finish the migration

Select Migration complete, then click Save. From this point only the Authentication methods policy is used for MFA and SSPR; the legacy policies are ignored (security questions for SSPR excepted), so every method your users rely on must already be enabled in the new policy before you do this.

Migration complete in Entra ID

The migration is now complete

Migration is now complete
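Because the legacy policies stop applying as soon as the state is set to Migration complete, the check worth scripting before that last click is: does every user who has registered something still have at least one registered method that is enabled in the Authentication methods policy? The following is an added example, not code from the original post. It combines the policy with rows from the user registration details report; the report and policy below are constructed samples, the mapping from report method names to policy ids is an assumption for this example, and security questions are deliberately not counted because they only serve SSPR and stay under the legacy policy.

```powershell
# Added example, not from the original post. Before selecting Migration complete, flag
# users whose registered methods are all disabled in the Authentication methods policy.
# Sample policy and report below are constructed; the method-name mapping is an assumption.

# registration report value -> Authentication methods policy id (assumed mapping)
$MethodMap = @{
    microsoftAuthenticatorPush         = 'MicrosoftAuthenticator'
    microsoftAuthenticatorPasswordless = 'MicrosoftAuthenticator'
    mobilePhone                        = 'Sms'
    alternateMobilePhone               = 'Sms'
    officePhone                        = 'Voice'
    email                              = 'Email'
    softwareOneTimePasscode            = 'SoftwareOath'
    fido2SecurityKey                   = 'Fido2'
    temporaryAccessPass                = 'TemporaryAccessPass'
    securityQuestion                   = $null   # SSPR only, stays in the legacy policy
}

function Find-UsersWithoutEnabledMethod {
    param(
        [Parameter(Mandatory)] $Policy,          # GET /policies/authenticationMethodsPolicy
        [Parameter(Mandatory)] $Registrations    # rows of /reports/authenticationMethods/userRegistrationDetails
    )
    $enabled = @($Policy.authenticationMethodConfigurations |
        Where-Object { $_.state -eq 'enabled' } | ForEach-Object { $_.id })
    foreach ($r in $Registrations) {
        $registered = @($r.methodsRegistered)
        $covered = $false
        foreach ($reg in $registered) {
            $id = $MethodMap[$reg]
            if ($id -and ($enabled -contains $id)) { $covered = $true; break }
        }
        if (-not $covered) {
            [pscustomobject]@{
                User       = $r.userPrincipalName
                Registered = ($registered -join ', ')
                Reason     = if ($registered.Count -eq 0) { 'nothing registered' }
                             else { 'no registered method is enabled in the new policy' }
            }
        }
    }
}

# Constructed sample: SMS and voice were left disabled in the new policy.
$policy = @'
{ "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    { "id": "MicrosoftAuthenticator", "state": "enabled" },
    { "id": "Email", "state": "enabled" },
    { "id": "Sms", "state": "disabled" },
    { "id": "Voice", "state": "disabled" } ] }
'@ | ConvertFrom-Json

$report = @'
[ { "userPrincipalName": "alice@contoso.example", "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"] },
  { "userPrincipalName": "bob@contoso.example",   "methodsRegistered": ["mobilePhone", "officePhone"] },
  { "userPrincipalName": "carol@contoso.example", "methodsRegistered": ["securityQuestion"] } ]
'@ | ConvertFrom-Json

$blocked = @(Find-UsersWithoutEnabledMethod -Policy $policy -Registrations $report)
$blocked | Format-Table -AutoSize
# bob (SMS and voice only) and carol (security questions only) are flagged; alice is fine.

# Live tenant: page through the report, then complete only when nothing is flagged.
# Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
# $uri = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'
# $rows = @()
# while ($uri) {
#     $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
#     $rows += $page.value
#     $uri = $page.'@odata.nextLink'
# }
# $policy  = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
# $blocked = @(Find-UsersWithoutEnabledMethod -Policy $policy -Registrations $rows)
# if ($blocked.Count -eq 0) {
#     Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy' `
#         -Body @{ policyMigrationState = 'migrationComplete' }
# }
```

Users flagged with "no registered method is enabled in the new policy" are the ones the legacy policy is still carrying; either enable the method they use in the Authentication methods policy or run a registration campaign for them before completing the migration.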
