By September 30, 2025, Microsoft will retire the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies. If your organization is still using the legacy policies, you’ll need to switch over to the unified Microsoft Entra Authentication Methods policy.
But this isn’t just about avoiding service disruptions or checking a compliance box. It’s a chance to make authentication stronger, simplify management, and future-proof your identity security.
With some planning and the right tools, the migration can be smooth. At the same time, it’s a great opportunity to make your organization more secure and resilient.
The Highlights
Microsoft MFA & SSPR Retirement – Sept. 30, 2025
- Legacy MFA and SSPR policies end on September 30, 2025.
- All organizations need to migrate to Microsoft Entra Authentication Methods.
- Risks if you don’t migrate: login failures, service disruptions, compliance gaps.
- Methods being phased out: security questions are not carried into the new policy, and SMS and voice calls, while still available, are restricted authenticators under NIST SP 800-63B.
- Modern methods available: passkeys (FIDO2), Microsoft Authenticator, certificate-based authentication.
Bottom line: Act now. Waiting likely means broken logins and weaker security.
What’s Changing
Historically, MFA and SSPR were managed separately in older portals. After September 30, 2025, those portals retire, and everything moves under Entra ID (formerly Azure AD). That means one centralized place to manage authentication and keep things consistent.
Specifically, key changes include:
- Legacy MFA policies will no longer be supported
- Legacy SSPR policies will be retired
- Security questions will be disabled entirely, so they will no longer be an option for resetting passwords
- Out-of-band methods such as SMS and voice calls remain available in the new policy, but NIST SP 800-63B classifies them as restricted authenticators, so treat them as a fallback rather than a primary factor
Entra Authentication Methods consolidates all authentication management into a single framework, making it easier to enforce secure, modern practices.
Why This Matters
If you delay the migration, you can expect to run into:
- Misaligned authentication settings
- User frustration from failed logins or password resets
- Service disruptions
- Security gaps from outdated methods
- Compliance risks with NIST and other industry standards
Beyond just meeting the deadline, this is a chance to take a closer look at your overall authentication and access policies.
A Strategic Moment to Reassess Identity Security
The MFA and SSPR retirement is mandatory, but it’s also a good time to step back and ask:
- Are we enforcing strong, phishing-resistant MFA methods?
- Is our user experience consistent across apps and services?
- Do we still have legacy authentication enabled?
- Are our policies aligned with Zero Trust principles?
This is your chance to move from “just compliant” to confident, resilient, and future-ready.
Recommended Modern Authentication Methods
When you migrate, consider moving away from outdated methods and using:
- Passkeys (FIDO2)
- Microsoft Authenticator
- Certificate-Based Authentication
- Email OTP (for SSPR, and for guest sign-in only where no stronger method is available)
Avoid SMS, voice-based MFA, and security questions: NIST SP 800-63B restricts the first two and does not recognize the third as an authenticator. And remember, security questions won't be available at all for password resets.
Steps to Prepare for Migration
Here’s a practical roadmap to make sure things go smoothly:
- Assess current MFA and SSPR configurations in the legacy portals, and check which methods your users have actually registered
- Recreate those settings in the Entra Authentication Methods policy, using the Manage migration control in the Entra admin center to move from Pre-migration to Migration in progress (both policies are honored while you work)
- Test and validate the new policy with a controlled pilot group
- Communicate the changes and provide registration guidance to users, especially those who only have SMS, voice, or security questions registered
- Set the migration status to Migration complete once the new setup is stable, which retires the legacy policies
Pro Tip: Enable passwordless authentication, enforce conditional access policies, and disable legacy protocols that could expose vulnerabilities.
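The assessment step above is easier with a script than with portal screenshots. The following PowerShell is an added example for this article, not Microsoft's migration tool or code from the original post: it uses the Microsoft Graph PowerShell SDK to report the tenant's migration state, the methods enabled in the unified policy, and the users who would be stranded if SMS, voice, and security questions were switched off. The method identifiers in the two filter lists are assumptions taken from the Graph documentation; compare them with what your tenant actually returns before relying on the counts.

```powershell
# Added example (not from the original post): inventory the Entra Authentication
# Methods policy and user registrations before migrating off legacy MFA/SSPR.
# Requires the Microsoft.Graph PowerShell SDK (Identity.SignIns and Reports modules)
# and an account holding Policy.Read.All, AuditLog.Read.All and
# UserAuthenticationMethod.Read.All (assumed sufficient for a read-only report).
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Where does the tenant stand? Graph exposes this as policyMigrationState:
#    preMigration, migrationInProgress or migrationComplete.
$policy = Get-MgPolicyAuthenticationMethodPolicy
"Migration state: $($policy.PolicyMigrationState)"

# 2. Which methods does the unified policy currently enable?
#    Method configuration IDs below are assumptions; -contains is case-insensitive.
$weakPolicyMethods = @('Sms','Voice','SecurityQuestion')
$policy.AuthenticationMethodConfigurations |
    Select-Object Id, State |
    Sort-Object Id |
    Format-Table -AutoSize

$enabledWeak = $policy.AuthenticationMethodConfigurations |
    Where-Object { $_.State -eq 'enabled' -and $weakPolicyMethods -contains $_.Id }
if ($enabledWeak) { "Still enabled in the unified policy: $($enabledWeak.Id -join ', ')" }

# 3. Which users would be stranded if SMS, voice and security questions were turned off?
#    The registration report lists each user's registered methods by name
#    (value names below are assumptions; phone-based entries and securityQuestion).
$weakRegistered = @('mobilePhone','alternateMobilePhone','officePhone','securityQuestion')
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$stranded = foreach ($u in $users) {
    $strong = $u.MethodsRegistered | Where-Object { $weakRegistered -notcontains $_ }
    if ($u.MethodsRegistered.Count -gt 0 -and -not $strong) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            OnlyWeakMethods   = ($u.MethodsRegistered -join ', ')
        }
    }
}
$unregistered = $users | Where-Object { -not $_.IsMfaRegistered }

"Users with only SMS/voice/security-question methods: $(@($stranded).Count)"
"Users with no MFA registration at all:              $(@($unregistered).Count)"

# 4. Export both lists; they drive the pilot-group and user-communication steps.
$stranded | Export-Csv -Path .\users-weak-methods-only.csv -NoTypeInformation
$unregistered |
    Select-Object UserPrincipalName, IsMfaRegistered, IsSsprRegistered |
    Export-Csv -Path .\users-not-registered.csv -NoTypeInformation
```

Run it once before you touch the Manage migration control to get a baseline, and again after the pilot: the two CSVs tell you exactly who still needs to register a strong method before you can safely disable the restricted ones in the unified policy.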
For official guidance: How to migrate to the Authentication methods policy – Microsoft Entra ID | Microsoft Learn
Modernize Your Authentication with Confidence
If this feels overwhelming, don’t worry. You don’t have to tackle it alone.
Our team specializes in helping organizations like yours:
- Audit and map legacy authentication policies to understand your current setup
- Design secure, scalable Entra policies tailored to your needs
- Enable strong MFA and passwordless experiences for users
- Integrate policy changes with your broader identity and access strategies
- Ensure a smooth, disruption-free transition
Acting early reduces risk, avoids last-minute headaches, and makes sure your authentication practices are modern, secure, and compliant.
Don’t Just Meet the Deadline—Strengthen Your Security.
The September 30, 2025 retirement of legacy MFA and SSPR is coming up fast. This is more than a compliance task. It’s a chance to build a stronger identity security foundation.
Whether you’re just starting or already in motion, we’ll guide you through a seamless transition and uncover ways to improve your security along the way. Let’s turn this deadline into a security win for your organization.
Start the Conversation Today
Fill out the form below or connect with Kelsey on LinkedIn to get started.