Migrate Legacy MFA & SSPR: Authentication Methods Policy | Microsoft Entra ID

  • Published 25 Aug 2024

COMMENTS • 37

  • @l.r.richards1786 2 months ago +2

    Got it finally! Great presentation.

  • @mattsnider5704 3 months ago +1

    Thank you. Good introduction to this migration.

  • @reginaldomoreno9898 3 months ago +1

    Thank you for your detailed video. The best.

  • @standinkao 25 days ago

    Great video. Can I ask, is it possible to have combined MFA enabled at first user login but only need 1 method for SSPR when a user wants to reset their password? I really don't want to make it more complicated for the user.

  • @shanenejad 2 months ago +1

    Very well done, thank you. The only part that I get confused on is the self-service password reset correlation with the authentication methods. What if you don't have or want the self-service password policy enabled but you still want to migrate to the new authentication platform? I am assuming it's the same exact thing, but am I missing something here?

    • @TechByTosh 2 months ago +1

      That’s correct! You can enable authentication methods and not the SSPR policy. Previously you could define separate authentication methods for MFA and SSPR. But now one authentication method is applied to both MFA and SSPR (if enabled).

    • @shanenejad 2 months ago

      @TechByTosh Thank you, much appreciated.

  • @gdr1174 2 months ago +1

    very well explained

  • @Dan-rs9rk 2 months ago +1

    OK, in the new auth methods setup I only set who can use which auth methods. So far it looks clear.
    Q: with the deprecation of legacy MFA (once migration is set to "done"), does it also mean that I'll lose the ability to manually force MFA only for selected users and that I'll be left only with two other options - to use conditional access (with proper license bought) or security defaults?
    Q: if I enable security defaults after migration, will it respect new settings for avail MFA and allow users to use more methods like FIDO when enabled?
    thanks for video

    • @TechByTosh 2 months ago +1

      Q1. Yes, but you can use CA or security defaults
      Q2. Yes, you are only changing authentication methods

  • @LV13619 2 months ago +1

    Thank you for the informative guide.
    Currently, in my organization, MFA is enabled only for specific privileged accounts, while the vast majority do not have it enabled.
    Additionally, SSPR is disabled (never was enabled)
    If I do this migration from legacy MFA to the Authentication Methods policy, will it impact users who do not currently have MFA enabled? Moreover, will this migration mandate/enforce MFA for users who currently do not use it?

    • @TechByTosh 2 months ago

      To enable MFA, you will need to create CA policies unless your organisation is using security defaults (which I don’t think is the case).
      What you will be doing here is changing the authentication methods (legacy to modern).
      If you don’t create CA policies then users won’t be prompted for MFA. But as I mentioned in the tutorial, you can always apply new authentication methods to selected users for testing and then do the roll out.
      Hope it helps!

    • @LV13619 2 months ago

      @TechByTosh I do have a CA in place targeting only the required group of accounts which should have to configure & go through MFA while accessing MS365 services.
      So when migrating, if I enable - MS Authenticator & SMS, as examples - and set it to All users, this migration/change shouldn't really apply to "All Users", right?
      but only the group which is defined in CA.
      Is my understanding correct?

    • @TechByTosh 2 months ago

      Yes correct! You are only changing the authentication methods not enforcing MFA.

    • @LV13619 2 months ago

      @TechByTosh Thank you so much for this clarity

  • @andrewenglish3810 3 days ago

    Should I not be setting the Email OTP to a group instead of all users?

    • @TechByTosh 2 days ago

      It depends how you configure the authentication method. You can create a specific group of users to apply the policy.

  • @jojolization 7 days ago

    One question: for the legacy authentication, can I still use the App Password for the user's SMTP?

    • @TechByTosh 6 days ago

      If the legacy authentication is disabled, you will need to switch to using modern authentication methods

  • @lalithrampavan5251 3 months ago +1

    So I shouldn't configure Microsoft Authenticator app Enabled to all? It should be configured only for a few groups, right? Because if I enable it for all, service accounts might also get included, and that process might impact on-premises synchronization.

    • @lalithrampavan5251 3 months ago

      What do you say on this?

    • @TechByTosh 3 months ago +1

      OK, so first of all, applying authentication methods is different to conditional access policies. You can assign authentication methods to all users, but who should be prompted for MFA is configured within conditional access policies, and you can exclude your service accounts within the CA policy. Hope it helps!

    • @TechByTosh 3 months ago

      Just replied to your previous message.

  • @Sebastian_L. 3 months ago

    As far as I understand, with your example you basically locked out everybody in the company (i.e. admins), having the Chris account being the only one that could use MFA for login, correct?

    • @TechByTosh 3 months ago

      No - only Chris's account has new MFA enabled. All other users are still using legacy MFA until you select complete migration.

    • @Sebastian_L. 3 months ago

      20:50 didn't you complete the migration there?

    • @TechByTosh 3 months ago

      No, it's Migration in Process; completion is the next radio button, which says Migration Complete.

  • @praveendsouze 3 months ago

    Tried with some users today (created an MFA group). In our organization MFA is enforced for all except some service accounts. As soon as I tested myself, I'm getting the option to enter an SMS code, whereas in legacy I used to get the code in the Microsoft Authenticator app. As of now I reverted the settings. As per your example (Chris Green) MFA was not enabled.

    • @TechByTosh 3 months ago

      Please make sure you first enable MFA (Authenticator app) and add yourself. Test MFA.
      You can also check what authentication methods you have added for your account from My Apps or from your user account in Entra ID.

    • @praveendsouze 3 months ago

      @TechByTosh One more question: if I create an MFA group and move some users to the group and finish migration (Migration Complete option), how does the system treat the users who are outside the MFA group? What authentication does it follow, "Legacy or the migrated one"?

    • @TechByTosh 3 months ago

      Once you select Migration Complete option, legacy authentication will not be used.

  • @LV13619 2 months ago

    Thank you for the informative guide.
    Currently, in my organization, MFA is enabled only for specific privileged accounts, while the vast majority do not have it enabled.
    Additionally, SSPR is disabled (never was enabled)
    If I do this migration from legacy MFA to the Authentication Methods policy, will it impact users who do not currently have MFA enabled? Moreover, will this migration mandate/enforce MFA for users who currently do not use it?

    • @TechByTosh 2 months ago

      Replied to your other comment.