Migrating Legacy MFA & SSPR to Authentication Methods Policy for Microsoft Entra ID

Подписаться 359

Просмотров 6 тыс.

50% 1

You can migrate Microsoft Entra ID legacy policy settings that separately control multifactor authentication and self-service password reset (SSPR) to unified management with the Authentication methods policy.
You migrate policy settings on your own schedule, and the process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy. You complete the migration whenever you're ready to manage all authentication methods together in the Authentication methods policy.
learn.microsoft.com/en-us/azu...
If the migration didnt succeed after you disable the legacy authentication methods options,
you can try to disable " Allow users to create app passwords to sign in to non-browser apps" in MFA configuration,
and put as do not allow temporary

Наука

Опубликовано:

28 сен 2023

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 29

@hachadwick 3 месяца назад

much more clear than the MS docs...thank you!

@saiabhilash3151 7 месяцев назад

Thank you so much sir . I was struggling to understand this concept .You made it so simple .Thanks so much

@arseni.paharelau 5 месяцев назад

Thank you! The migration only took me 5 minutes!

@sarah1989896 6 месяцев назад

thank you, its so helpfull

@rahulsaikh893 День назад

Thanks

@TheCyberSnacks 8 месяцев назад

Great work Kalakech

@AL-Techs 8 месяцев назад

welcome bro

@hayenchinguyen3367 6 месяцев назад

Sir, I want to ask that before the migration, I need to enable the CAP and modern authentication methods + disable verification methods in service-settings and SSPR options, but do I also need to disable the "enforced" per-user MFA as well?

@AL-Techs 6 месяцев назад

yes disable per-user MFA for all users. CAP will replace that (use a template to enable MFA for users)

@hayenchinguyen3367 6 месяцев назад

thank you so much!

@LV13619 Месяц назад

Thank you for the informative guide. Currently, in my organization, MFA is enabled only for specific privileged accounts, while the vast majority do not have it enabled. Additionally, SSPR is disabled (never was enabled) If I do this migration from legacy MFA to the Authentication Methods policy, will it impact users who do not currently have MFA enabled? Moreover, will this migration mandate/enforce MFA for users who currently do not use it?

@AL-Techs Месяц назад

You will need to apply Conditional Access policy in all cases, and for the excluded users, put them in a group and exclude them from excluded users in that policy...

@AL-Techs Месяц назад

If you need any help, i will be happy to assist and for free...

@LV13619 Месяц назад

@@AL-Techs i do have a CA in place targetting only the required group of accounts which should have to configure & go through MFA while accessing MS365 services. So when migrating, if i enable - MS Authenticator & SMS, as examples - and set it to All users, this migration/change shouldn't really apply to "All Users", right? but only the group which is defined in CA. Is my understanding correct?

@AL-Techs Месяц назад

@@LV13619 you can apply to specific group too. but it should as per the policy applied and SSPR..

@reginaldomoreno9898 6 месяцев назад

Thanks for your presentation. It's fine. Could you answer one thing? How will automatic password reset work after migration?

@AL-Techs 6 месяцев назад

You enable and disable from SSPR in entra ID, but you will use the authentication methods from security tab

@prasadhande849 Месяц назад

@@AL-Techs wonderful. You made it simple and straight forward. I liked it very much.

@reginaldomoreno9898 2 месяца назад

One more question, Could I back to "migration in progress" if anything is wrong after changed to "migration completed"?

@AL-Techs 2 месяца назад

Yes... you can

@gregchin6456 3 месяца назад

My tenant says I need a license for Multi Factor Authentication. What is the difference between that and using Microsoft Authenticator.

@AL-Techs 3 месяца назад

Microsoft Authenticator is one method of the multi factor authentications, including emails- sms- voice call- hardware token .

@onsiteservice3370 6 месяцев назад

👍

@andrewenglish3810 4 месяца назад

what about existing users who are on MFA using the app do they need to re-authenticate with Microsoft?

@AL-Techs 4 месяца назад

There's no requirement for re-authenticating MFA. However, please ensure to implement a conditional access policy for all users before disabling per-user MFA. I trust this addresses your query

@AL-Techs 4 месяца назад

If the policy is already in place and a migration occurs, there's absolutely no need for re-authentication

@andrewenglish3810 4 месяца назад

@@AL-Techs And what if I cannot access a CAP because I use Entra ID Free, yet MS is asking me to setup SSPR?

@AL-Techs 4 месяца назад

@@andrewenglish3810 As per the below link from Microsoft, you can check what is eligible for Entra ID Free learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-licensing#compare-editions-and-features

@AL-Techs 4 месяца назад

for a temporary workaround you may license at least one user with Entra ID P1 or M365 E3 for example, then you will have these features... temporary workaround...@@andrewenglish3810