Thank you so much, sir. I was struggling to understand this concept. You made it so simple. Thanks so much.
Thank you! The migration only took me 5 minutes!
Much more clear than the MS docs... thank you!
Thank you for the informative guide.
Currently, in my organization, MFA is enabled only for specific privileged accounts, while the vast majority do not have it enabled.
Additionally, SSPR is disabled (never was enabled).
If I do this migration from legacy MFA to the Authentication Methods policy, will it impact users who do not currently have MFA enabled? Moreover, will this migration mandate/enforce MFA for users who currently do not use it?
You will need to apply Conditional Access policy in all cases,
and for the excluded users, put them in a group and exclude them from excluded users in that policy...
If you need any help, I will be happy to assist and for free...
@AL-Techs I do have a CA in place targeting only the required group of accounts which should have to configure & go through MFA while accessing MS365 services.
So when migrating, if I enable - MS Authenticator & SMS, as examples - and set it to All users, this migration/change shouldn't really apply to "All Users", right?
But only the group which is defined in CA.
Is my understanding correct?
@LV13619 You can apply to a specific group too.
But it should as per the policy applied and SSPR...
Thank you, it's so helpful
Great work Kalakech
welcome bro
Thanks for your presentation. It's fine. Could you answer one thing? How will automatic password reset work after migration?
You enable and disable from SSPR in Entra ID, but you will use the authentication methods from the security tab.
@AL-Techs Wonderful. You made it simple and straightforward. I liked it very much.
Thanks
My tenant says I need a license for Multi Factor Authentication. What is the difference between that and using Microsoft Authenticator?
Microsoft Authenticator is one of the multi-factor authentication methods, which include email, SMS, voice call and hardware token.
One more question: could I go back to "migration in progress" if anything is wrong after changing to "migration completed"?
Yes... you can
Sir, I want to ask that before the migration, I need to enable the CAP and modern authentication methods + disable verification methods in service-settings and SSPR options, but do I also need to disable the "enforced" per-user MFA as well?
Yes, disable per-user MFA for all users.
CAP will replace that (use a template to enable MFA for users).
thank you so much!
What about existing users who are on MFA using the app? Do they need to re-authenticate with Microsoft?
There's no requirement for re-authenticating MFA. However, please ensure you implement a conditional access policy for all users before disabling per-user MFA. I trust this addresses your query.
If the policy is already in place and a migration occurs, there's absolutely no need for re-authentication.
@AL-Techs And what if I cannot access a CAP because I use Entra ID Free, yet MS is asking me to set up SSPR?
@andrewenglish3810
As per the below link from Microsoft, you can check what is eligible for Entra ID Free:
learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-licensing#compare-editions-and-features
For a temporary workaround you may license at least one user with Entra ID P1 or M365 E3 for example, then you will have these features... temporary workaround... @andrewenglish3810
👍