Risk of Breach from Microsoft 365 MFA Configurations
CYBERSECURITY ADVISORY
Summary
Microsoft’s Multi-Factor Authentication (MFA) plays a critical role in safeguarding organizational data by ensuring that access is granted only to authorized users through additional layers of verification. In 2023, Microsoft announced the retirement of legacy MFA and Self-Service Password Reset (SSPR) policies by September 2025. Microsoft requires users to migrate to the Authentication Methods policy in Microsoft Entra ID (formerly Azure Active Directory), which allows administrators to manage authentication methods for sign-ins and password resets. This policy works in conjunction with Conditional Access policies to enforce specific Microsoft MFA requirements. To fully transition to a unified authentication methods policy and use Conditional Access policies to enforce Microsoft’s MFA, administrators must migrate classic Conditional Access policies to the new structure.
Incomplete Migrations to Conditional Access Policies
While Microsoft’s documentation provides guidance for the migration process, certain steps necessary for a complete migration are not immediately apparent. Much of the guidance could benefit from clearer emphasis, for example on the need to manually start the migration process. Further, administrators can currently create new Conditional Access policies before completing the migration, but the system does not apply those policies until the migration is fully completed. Administrators can also mark the migration as complete without verifying that it fully executed, leaving the new policies unapplied.
Legacy Microsoft MFA Settings
Even when administrators complete the migration successfully, they still face implementation challenges. Legacy MFA and SSPR settings can override the new Authentication Methods policy if they were not disabled prior to migration. Although the interface shows the new policies as applied, the old settings remain active. Because the new policies appear to be in effect, this issue is difficult to detect. If administrators notice the problem and attempt to disable the legacy settings, they may be unable to do so after migration, because those settings are no longer accessible in the updated system. To resolve the issue, administrators must roll back the migration, disable the legacy settings, and then re-deploy the migration.
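The two conditions described in the preceding sections, a migration that was never marked complete and legacy per-user MFA settings that survive the migration, are not surfaced by the portal as problems. The following script is an added example, not code from Anchor Technologies or Microsoft, that reads those states from a tenant with the Microsoft Graph PowerShell SDK so that an administrator can confirm what is actually enforced. It assumes the Microsoft.Graph module is installed and that the signed-in account holds read permissions for policies, users and authentication methods; the per-user MFA state is read from the beta endpoint users/{id}/authentication/requirements, whose shape should be checked against current Graph documentation before the script is relied on.

```powershell
# Added example (not from the advisory): audit an Entra ID tenant for an
# incomplete Authentication Methods policy migration and for legacy per-user
# MFA state. Read-only: nothing in the tenant is changed.
# Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes 'Policy.Read.All','UserAuthenticationMethod.Read.All','User.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Migration state of the Authentication Methods policy.
#    Expected values: preMigration, migrationInProgress, migrationComplete.
#    Conditional Access policies are not applied until the state is
#    migrationComplete.
$amPolicy = Get-MgPolicyAuthenticationMethodPolicy
$state = $amPolicy.PolicyMigrationState
if ($state -ne 'migrationComplete') {
    $findings.Add("Authentication Methods policy migration state is '$state'; Conditional Access policies will not apply until it is 'migrationComplete'.")
}

# 2. Conditional Access policies that are meant to require MFA.
#    A policy in report-only or disabled state enforces nothing.
$caPolicies  = Get-MgIdentityConditionalAccessPolicy -All
$mfaPolicies = $caPolicies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
if (-not $mfaPolicies) {
    $findings.Add('No Conditional Access policy grants access with the built-in MFA control.')
}
foreach ($p in $mfaPolicies) {
    if ($p.State -ne 'enabled') {
        $findings.Add("MFA policy '$($p.DisplayName)' is in state '$($p.State)' and is not enforced.")
    }
}

# 3. Legacy per-user MFA state, which can override the new policy when it was
#    not disabled before migration. Read from the beta endpoint
#    users/{id}/authentication/requirements (perUserMfaState:
#    disabled | enabled | enforced). Assumption: endpoint shape as documented
#    at the time of writing; beta endpoints can change.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled |
    Where-Object { $_.AccountEnabled }

$legacyMfaUsers = foreach ($u in $users) {
    $req = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    if ($req.perUserMfaState -ne 'disabled') {
        [pscustomobject]@{
            User            = $u.UserPrincipalName
            PerUserMfaState = $req.perUserMfaState
        }
    }
}
if ($legacyMfaUsers) {
    $findings.Add("$(@($legacyMfaUsers).Count) enabled user(s) still carry a legacy per-user MFA state (enabled/enforced).")
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Host 'No migration or legacy MFA findings.' -ForegroundColor Green
} else {
    Write-Host 'Findings:' -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
    if ($legacyMfaUsers) { $legacyMfaUsers | Format-Table -AutoSize }
}
```

A clean result is one where the migration state reads migrationComplete, at least one enabled Conditional Access policy carries the mfa grant control, and no enabled user still has a per-user MFA state of enabled or enforced. Any other combination corresponds to one of the situations the advisory describes: policies that look configured but are not being applied, or legacy settings silently taking precedence. Step 3 issues one request per user, so on a large tenant it is the slow part of the script.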
Risk Evaluation
These issues increase the risk of security compromise for organizations using Microsoft 365. Even though Microsoft 365 systems may appear to be protected by the intended MFA and Conditional Access settings, the legacy configurations remain active. This can leave accounts unprotected by the intended MFA and vulnerable to exploitation, as threat actors may bypass security measures that appear to be in place but are not fully operational.
Critical Impact
Over the past several months, Anchor Technologies, Inc. has observed a rise in security breaches and requests to investigate. In each case, investigations traced the root cause to legacy MFA configurations overriding new Conditional Access policies in Microsoft Entra ID.
Remediation Instructions
Enter your email to request our Cybersecurity Advisory, with essential steps for securing your Microsoft environment.