Migrate MFA & SSPR
Why migrate MFA and SSPR
Microsoft has announced the deprecation of the legacy MFA and SSPR policies and of the portals used to manage them. IT departments (DSI) have until January 2024 to move to the Authentication methods policy. This post walks through the migration step by step.
The migration can follow your own schedule as long as it is finished by January 2024. The process is fully reversible, and the tenant-wide legacy MFA and SSPR policies keep applying while the migration is in progress. A user group is used to target the users who should use the new policy, so it can be piloted on a few accounts before being rolled out to everyone.
Audit the older policies
This audit is not mandatory but is recommended: it lists every setting currently configured in the legacy policies, so they can be reproduced in the new policy and compared afterwards.
The MFA settings
From the Entra portal, expand Users, click All users, then click Per-user MFA.
In the legacy portal, click Service settings and note which verification options are enabled.
The SSPR settings
From the Entra portal, expand Users, click All users, then click Password reset.
Click Authentication methods and note the methods enabled for SSPR.
Start the migration
The migration can now be started. From the Entra portal, expand Protect & secure, click Authentication methods, then click Policies. Click Manage migration to start the migration.
By default, Pre-migration is selected. Select Migration in progress, then click Save. In this state Entra ID honours both the legacy policies and the Authentication methods policy, which is what makes the change reversible.
Email one-time passcode
Click Email OTP; the configuration page for this authentication method appears. The Enable and Target control lets us target either a user group or all users in the tenant. Using a group limits the new policy to a few users during the migration and test phase.
Click Configure to allow or block email OTP for external (guest) users. Click Save to apply the change.
Microsoft Authenticator
Click Microsoft Authenticator to modify the settings of this authentication method.
Select the user groups to target. For each group, select the authentication mode (Any, Passwordless, or Push).
Click Configure, then set Allow use of Microsoft Authenticator OTP to Yes. The following options can then be configured:
- Require number matching for push notifications: when a user signs in to Office 365, a number is displayed on the sign-in page and the user must enter that number in the Authenticator app to approve the request. This defeats "approve by reflex" attacks, where a user accepts a push notification they did not initiate. Microsoft has enforced number matching for all tenants since May 2023, so this option can no longer be turned off.
- Show application name in push and passwordless notifications: the name of the application requesting authentication appears in the notification on the mobile device, so the user can check which application triggered the second factor.
- Show geographic location in push and passwordless notifications: the location of the sign-in request, derived from its IP address, appears in the notification, so the user can spot a request that does not come from where they are.
- Microsoft Authenticator on companion applications: Authenticator Lite is integrated into Outlook for iOS and Android and lets users complete MFA with number matching or a one-time code without leaving Outlook, which eases deployment for organizations that do not want to roll out a separate app.
Configure the settings and click on Save.
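The same Microsoft Authenticator settings can be applied through Microsoft Graph, which is the API behind the portal pages above. The script below is an added example and is not code from the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator holds the Policy.ReadWrite.AuthenticationMethod permission, that `$PilotGroupId` is replaced by the object ID of the pilot group used during the migration (the value shown is a placeholder), and it uses the beta endpoint because the companion-application (Authenticator Lite) feature setting is exposed there.

```powershell
# Added example (not from the original post): configure the Microsoft Authenticator
# method via Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph SDK installed; the admin holds Policy.ReadWrite.AuthenticationMethod;
# $PilotGroupId is a placeholder to replace with your pilot group's object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object ID
$AllUsers     = @{ targetType = "group"; id = "all_users" }
$NoExclusion  = @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000" }   # empty GUID = exclude nobody

# Each feature setting maps to a toggle on the Configure tab:
#   displayAppInformationRequiredState      -> Show application name in push and passwordless notifications
#   displayLocationInformationRequiredState -> Show geographic location in push and passwordless notifications
#   companionAppAllowedState                -> Microsoft Authenticator on companion applications (Authenticator Lite)
$Body = @{
    "@odata.type"         = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state                 = "enabled"
    isSoftwareOathEnabled = $true            # Allow use of Microsoft Authenticator OTP
    includeTargets        = @(
        @{
            targetType             = "group"
            id                     = $PilotGroupId
            isRegistrationRequired = $false
            authenticationMode     = "any"   # any | push | deviceBasedPush (passwordless)
        }
    )
    featureSettings       = @{
        displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $AllUsers; excludeTarget = $NoExclusion }
        displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $AllUsers; excludeTarget = $NoExclusion }
        companionAppAllowedState                = @{ state = "enabled"; includeTarget = $AllUsers; excludeTarget = $NoExclusion }
    }
}

$Uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"
Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $Body -ContentType "application/json"

# Read the configuration back: the two context features (app name, location) should be
# enabled before the pilot group starts testing, otherwise the test in the next section
# will not show them in the notification.
$Cfg = Invoke-MgGraphRequest -Method GET -Uri $Uri
"state: $($Cfg.state)  software OTP: $($Cfg.isSoftwareOathEnabled)"
$Cfg.featureSettings.GetEnumerator() | ForEach-Object {
    "{0,-42} {1}" -f $_.Key, $_.Value.state
}
```

The PATCH sets the include targets to exactly the list posted, so when the pilot is over the same call with the all-users target replaces the pilot group rather than adding to it.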
The SSPR settings
The SSPR settings can be checked, but they are not modified at this stage. From the Entra portal, expand Protect & secure, click Password reset, select Authentication methods and verify the settings. No change has been made to them yet.
Test the MFA
We can now test the MFA. On an iPhone, I sign in to the Office 365 portal and enter my username.
A number appears on the sign-in page, and I must enter the same number in the Authenticator app (number matching).
In the Authenticator app, a new notification appears showing the application name and the location of the request. The user enters the number to validate the MFA.
Finish the migration
Before finishing the migration, the legacy authentication methods must be disabled. From the Entra portal, expand Protect & secure, then click Password reset. Click Authentication methods and uncheck every method except Security questions, which are not part of the Authentication methods policy and remain managed here. Configure the number of questions to register and the number of questions required to reset, select the questions, then click Save.
In the legacy Multifactor authentication page, select Service settings and uncheck all verification options. Click Save to apply the change.
From the Entra portal, expand Protect & secure, click Authentication methods, then click Policies. Click Manage migration to finish the migration.
Select Migration complete, then click Save. From this point only the Authentication methods policy is honoured; the legacy MFA and SSPR policies are ignored.
The migration is now complete.
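Both migration-state changes in this post (Migration in progress at the start, Migration complete at the end) flip a single property of the Authentication methods policy, `policyMigrationState`, which Microsoft Graph exposes alongside the list of enabled methods and their targets. The script below is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator holds Policy.ReadWrite.AuthenticationMethod; the guard that refuses to complete the migration while no method is enabled is my own safety check, not a Microsoft requirement.

```powershell
# Added example (not from the original post): read and change the migration state of the
# Authentication methods policy via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; the admin holds Policy.ReadWrite.AuthenticationMethod.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$PolicyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

function Get-AuthMethodsMigrationSummary {
    # One GET returns the migration state and every method configuration inline.
    $Policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    "policyMigrationState: $($Policy.policyMigrationState)"
    foreach ($Cfg in $Policy.authenticationMethodConfigurations) {
        # includeTargets is absent on methods that carry no targeting, hence the fallback.
        $Targets = if ($Cfg.includeTargets) { ($Cfg.includeTargets | ForEach-Object { $_.id }) -join "," } else { "-" }
        "{0,-22} {1,-9} targets: {2}" -f $Cfg.id, $Cfg.state, $Targets
    }
}

function Set-AuthMethodsMigrationState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet("preMigration", "migrationInProgress", "migrationComplete")]
        [string]$State
    )
    # Safety check (my own, not a Microsoft requirement): once the state is migrationComplete the
    # legacy MFA/SSPR policies are ignored, so completing with no method enabled in the new policy
    # would leave users without a usable second factor.
    if ($State -eq "migrationComplete") {
        $Policy  = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
        $Enabled = @($Policy.authenticationMethodConfigurations | Where-Object { $_.state -eq "enabled" })
        if ($Enabled.Count -eq 0) {
            throw "No authentication method is enabled in the Authentication methods policy; refusing to complete the migration."
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ policyMigrationState = $State } -ContentType "application/json"
    Get-AuthMethodsMigrationSummary
}

# Start of the migration (portal: Manage migration > Migration in progress):
Set-AuthMethodsMigrationState -State migrationInProgress

# End of the migration, after the legacy MFA and SSPR methods have been unchecked
# (portal: Manage migration > Migration complete):
# Set-AuthMethodsMigrationState -State migrationComplete
```

Running `Get-AuthMethodsMigrationSummary` before and after each state change gives a record of which methods were enabled and targeted at the moment the legacy policies stopped applying, which is the evidence to keep alongside the audit done at the beginning.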