Authentication Methods Migration Not Complete

MEDIUM

Description

Previously, authentication settings in Microsoft Entra ID were split between separate policies for multifactor authentication (MFA) and self-service password reset (SSPR). This fragmented approach made it challenging to manage authentication methods consistently, increased administrative complexity, and introduced potential security risks due to policy misalignment.

Those legacy policies do not synchronize their settings: an authentication method can be enabled in one policy while disabled in the other (the service evaluates the MFA policy first, then the SSPR policy). As a result, users can be unintentionally granted access through outdated or less secure methods.

On top of that, unlike the "Authentication methods" policy, legacy policies lack support for group-based targeting and the latest secure authentication options like Temporary Access Pass and FIDO2 security keys. This limits the ability to apply different methods to specific user groups and delays adoption of secure, passwordless authentication, leaving organizations more exposed to phishing and credential theft.

Solution

To ensure consistent and secure management of authentication methods, Microsoft recommends migrating all legacy MFA and SSPR settings to the Authentication methods policy to support more granular controls, modern authentication options, and centralized settings. You can migrate using an automated wizard in the Microsoft Entra admin center or manually for customized migration workflows.

The migration process audits current settings, maps legacy methods to updated equivalents, configures group-based access, and updates method parameters for sign-in and password reset. After migration, validate the new configuration and disable corresponding methods in legacy policies. This eliminates ambiguity and prevents unintended access through outdated policies.
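The validation step above can be scripted. The following is an added example, not Tenable's or Microsoft's code. It reads the shape returned by the Microsoft Graph endpoint GET /policies/authenticationMethodsPolicy (a top-level "policyMigrationState" and an "authenticationMethodConfigurations" list whose entries carry "id" and "state"), reports the indicator when the state is anything other than "migrationComplete", and lists methods still enabled only in a legacy policy. The legacy per-user MFA and SSPR settings have no Graph equivalent, so the legacy input here is an assumed hand-exported dictionary, and all sample values are constructed for this example.

```python
"""Check the 'Authentication Methods Migration Not Complete' condition.

Added example (not from the original page). Assumes the Graph schema of
GET /policies/authenticationMethodsPolicy for the modern policy and a
hand-built dict {policy: {method: enabled}} for the legacy MFA/SSPR
settings, which have no public Graph endpoint.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MIGRATION_COMPLETE = "migrationComplete"

# Constructed sample of a Graph response; values are made up for this example.
SAMPLE_POLICY_JSON = json.dumps({
    "id": "authenticationMethodsPolicy",
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Fido2", "state": "enabled"},
        {"id": "TemporaryAccessPass", "state": "disabled"},
        {"id": "Sms", "state": "disabled"},
        {"id": "Voice", "state": "disabled"},
        {"id": "Email", "state": "enabled"},
    ],
})

# Constructed stand-in for the legacy policies (assumed export format).
# Note the misalignment: SMS and Voice are still on in the legacy policies
# while disabled in the Authentication methods policy.
SAMPLE_LEGACY: Dict[str, Dict[str, bool]] = {
    "mfa": {"MicrosoftAuthenticator": True, "Sms": True, "Voice": True},
    "sspr": {"Email": True, "Sms": True, "MicrosoftAuthenticator": False},
}


@dataclass
class Finding:
    """Result raised when the migration has not been completed."""
    severity: str
    migration_state: str
    # Methods a legacy policy still enables but the modern policy does not.
    legacy_only_methods: List[str] = field(default_factory=list)
    # Which legacy policy (mfa / sspr) still enables each such method.
    legacy_sources: Dict[str, List[str]] = field(default_factory=dict)


def modern_enabled_methods(policy: dict) -> Set[str]:
    """Return method ids enabled in the Authentication methods policy."""
    return {
        cfg["id"]
        for cfg in policy.get("authenticationMethodConfigurations", [])
        if cfg.get("state") == "enabled"
    }


def legacy_enabled_methods(legacy: Dict[str, Dict[str, bool]]) -> Dict[str, Set[str]]:
    """Map each method to the legacy policies that still enable it."""
    out: Dict[str, Set[str]] = {}
    for policy_name, methods in legacy.items():
        for method, enabled in methods.items():
            if enabled:
                out.setdefault(method, set()).add(policy_name)
    return out


def evaluate(policy_json: str, legacy: Dict[str, Dict[str, bool]]) -> Optional[Finding]:
    """Return a Finding if migration is incomplete, else None."""
    policy = json.loads(policy_json)
    # Graph reports preMigration, migrationInProgress or migrationComplete.
    state = policy.get("policyMigrationState", "preMigration")
    if state == MIGRATION_COMPLETE:
        return None

    modern = modern_enabled_methods(policy)
    legacy_map = legacy_enabled_methods(legacy)
    legacy_only = sorted(m for m in legacy_map if m not in modern)
    return Finding(
        severity="MEDIUM",
        migration_state=state,
        legacy_only_methods=legacy_only,
        legacy_sources={m: sorted(legacy_map[m]) for m in legacy_only},
    )


if __name__ == "__main__":
    finding = evaluate(SAMPLE_POLICY_JSON, SAMPLE_LEGACY)
    if finding is None:
        print("Migration complete; indicator does not fire.")
    else:
        print(f"[{finding.severity}] migration state: {finding.migration_state}")
        for method in finding.legacy_only_methods:
            print(f"  still enabled only in legacy {finding.legacy_sources[method]}: {method}")
```

In practice the JSON comes from Graph with an application or delegated token holding Policy.Read.All; the legacy dictionary is what you record from the per-user MFA and SSPR settings pages before migrating. A non-empty legacy_only_methods list is exactly the misalignment the Description warns about: those methods may still be honoured until the legacy entries are disabled after migration.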

Indicator Details

Name: Authentication Methods Migration Not Complete

Codename: AUTHENTICATION-METHODS-MIGRATION-NOT-COMPLETE

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: