CISA.MS.AAD.3.4 - The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
Overview
The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
Rationale: To disable the legacy authentication methods screen for the tenant, configure the Manage Migration feature to Migration Complete. The MFA and Self-Service Password Reset (SSPR) authentication methods are both managed from a central admin page, thereby reducing administrative complexity and potential security misconfigurations.
Remediation action:
If phishing-resistant MFA has not been enforced for all users yet, create a conditional access policy that enforces MFA but does not dictate MFA method. Configure the following policy settings in the new conditional access policy, per the values below:
- Go through the process of migrating from the legacy Azure AD MFA and Self-Service Password Reset (SSPR) administration pages to the new unified Authentication Methods policy page.
- Once ready to finish the migration, set the Manage Migration option to Migration Complete.
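To confirm the setting after the migration steps above, the following added example (not Maester's own code) evaluates the `policyMigrationState` property of the Microsoft Graph `authenticationMethodsPolicy` resource. The function name `Test-MethodsMigrationState` is hypothetical, the sample inputs are constructed, and the commented live call assumes the Microsoft.Graph.Authentication module with the `Policy.Read.All` scope.

```powershell
# Added example: evaluate the Manage Migration state of a tenant.
# Test-MethodsMigrationState is a hypothetical helper, not part of Maester.
function Test-MethodsMigrationState {
    [CmdletBinding()]
    param(
        # Policy object as returned by GET /policies/authenticationMethodsPolicy
        [Parameter(Mandatory)]
        [AllowNull()]
        $Policy
    )

    # A missing policy or missing property is treated as a failure, not a pass.
    $state = if ($null -ne $Policy) { $Policy.policyMigrationState } else { $null }

    $detail = switch ([string]$state) {
        'migrationComplete'   { 'Legacy MFA and SSPR policies are ignored.' }
        'migrationInProgress' { 'Legacy policies are still respected; finish the migration.' }
        'preMigration'        { 'Migration not started; legacy policies are still respected.' }
        default               { 'State missing or unrecognized; review the tenant manually.' }
    }

    [pscustomobject]@{
        TestId = 'CISA.MS.AAD.3.4'
        Pass   = ($state -eq 'migrationComplete')
        State  = $state
        Detail = $detail
    }
}

# Constructed sample responses (not taken from a real tenant).
$samples = @(
    @{ policyMigrationState = 'migrationComplete' },
    @{ policyMigrationState = 'migrationInProgress' },
    @{ policyMigrationState = 'preMigration' },
    @{ }   # property absent
)
$samples | ForEach-Object { Test-MethodsMigrationState -Policy $_ } | Format-Table -AutoSize

# Live check against a tenant (assumption: Microsoft.Graph.Authentication is installed):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $policy = Invoke-MgGraphRequest -Method GET `
#     -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
# Test-MethodsMigrationState -Policy $policy
```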
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.4 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaMethodsMigration |
| Tags | CISA, CISA.MS.AAD.3.4, Entra ID P1, MS.AAD, MS.AAD.3.4 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaMethodsMigration.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaMethodsMigration.ps1