In this blogpost we're going to talk about the deprecation of SSPR and legacy MFA authentication policies.

1. What will stop working?

Beginning September 30, 2025, Microsoft will stop the support for managing legacy MFA and SSPR authentication methods. You will need to migrate this to the modern authentication methods portal and start using CA policies to manage your MFA and SSPR authentication methods correctly. Don't lock yourself out (from October) and start migrating!

2. What are you using?

To see what you are currently using/have configured you can follow these steps:

• Go to the Entra admin center (entra.microsoft.com)

• Browse to Entra ID -> Users -> Select Per User MFA

Next select "Service Settings"

From the service settings menu you can see which authentication methods you have configurered for your users. Changing these settings will no longer be available on the 1st of October.

2.1 SSPR Authentication methods

Now that we've checked our MFA authentication methods we also want to see if we have set up any methods regarding the Self Service Password Reset (SSPR). 

Follow these simple steps to check which methods are configured and also need to be migrated:

• Go to the Entra admin center (entra.microsoft.com)

• Browse to Entra ID -> Password reset

From the Password reset menu go to "Authentication methods". From here you can see which authentication methods you have configurered for your users regarding SSPR. Changing these settings will no longer be available on the 1st of October.

3. Where do we need to go?

The "new" "Authentication methods" is also in the Entra portal. 

• Go to the Entra admin center (entra.microsoft.com)

• Browse to Entra ID -> Authentication methods

From here you can see all the authentication methods that are configured. Until now Microsoft looked at both of the situations (legacy vs "new")

For example, if you had configured Voice call in the legacy authentication methods and disabled this in the "new" methods you were still be able to authenticate via voice call. From October 1st you aren't able to do this anymore and Microsoft will only look at the "new" authentication methods page! For example:

Above the "new" authentication methods policy. "No" means it is disabled.

Above the old authentication methods.

4. What type of authentication method(s) are my users using?

Follow these steps to see what type of authentication methods your users are using/have registered:

• Go to the Entra admin center (entra.microsoft.com)

• Browse to Entra ID -> Authentication methods and select "User registration details"

From this page you can see what type of methods are registered and what type of authentication methods they are using as default.

5. Automated Guide

From the "new" authentication methods page you can select "Begin automated guide". With this option Microsoft will guide you through the process of migrating old to new. 

With this guide you will be able to configure secure and less secure options regarding your MFA and SSPR. For example you could (I would not recommend this) configure "Voice call" regarding my example above. 

6. FAQ

6.1 What can I (user) do if I have configured voice call? What will my users see if I turn off voice call and the default authentication method for this user is voice call?

If you disable Voice call your user will get a prompt to enable and configure Microsoft Authenticator.

6.2 Will all settings be greyed out regarding the "old" MFA menu/Service Settings menu?

No, all the other settings will still be there. For example settings per user MFA or setting the option for App Passwords or Trusted IPs. The only configurable settings that will be greyed out are the authentication methods options.