As the tech world focuses on the upcoming Windows 10 end of life (October 14, 2025), a critical security update from Microsoft has flown under the radar — and it could leave your organisation exposed.
Legacy MFA and SSPR policies retire on September 30, 2025
Microsoft is officially retiring its legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies in favour of a unified Authentication Methods policy within Microsoft Entra ID (formerly Azure AD). This change is part of Microsoft’s Secure Future Initiative, aimed at reducing attack surfaces and modernising identity security across its cloud ecosystem.
If your organisation still relies on per-user MFA settings or outdated SSPR configurations, you must migrate before the deadline or risk:
- ❌ Loss of MFA enforcement
- 🔒 Admin and user lockouts
- ⚠️ Increased vulnerability to phishing and SIM-swapping attacks
- 📉 Gaps in compliance and auditability
Why legacy MFA is no longer safe
Legacy MFA methods, such as SMS codes and voice calls, are increasingly vulnerable to modern threats. SIM-swapping, phishing, and social engineering attacks have rendered these methods inadequate for today’s cybersecurity landscape.
The new Authentication Methods policy supports phishing-resistant options such as:
- Microsoft Authenticator with number matching
- FIDO2 security keys
- Temporary Access Pass
- Passwordless sign-ins
What you should do now
- Audit your current MFA setup in the Microsoft Entra admin center.
- Use Microsoft’s migration wizard to transition to the new Authentication Methods policy.
- Test with critical accounts, especially Global Admins, to avoid lockouts.
- Communicate changes to your team and provide training on new authentication methods.
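The audit and test steps above can be scripted rather than clicked through. The following is an added example written for this post (it is not Shoothill's or Microsoft's own tooling) using the Microsoft Graph PowerShell SDK. It reads the tenant's Authentication Methods policy and its migration state, then checks every Global Administrator for registered sign-in methods and per-user MFA state, flagging accounts that would be locked out or are still relying only on SMS/voice. It assumes the Microsoft.Graph modules are installed, that the signed-in account can consent to the read-only scopes listed, and that the per-user MFA state is exposed at /users/{id}/authentication/requirements in the v1.0 endpoint (marked as an assumption in the code). Only FIDO2 keys and Windows Hello for Business are counted as phishing-resistant here, which matches Microsoft's own definition more narrowly than the list above.

```powershell
# Added example (not from the original post): read-only audit of Entra ID readiness for the
# unified Authentication Methods policy. Nothing in the tenant is modified.
# Assumes: Install-Module Microsoft.Graph has been run and the account can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.Read.All',
                        'UserAuthenticationMethod.Read.All',
                        'RoleManagement.Read.Directory',
                        'User.Read.All' -NoWelcome

# --- 1. Tenant-wide policy: has the migration to the unified policy been completed? ---
$policy = Get-MgPolicyAuthenticationMethodPolicy
"Policy migration state : $($policy.PolicyMigrationState)"   # preMigration / migrationInProgress / migrationComplete
foreach ($m in $policy.AuthenticationMethodConfigurations) {
    "  method {0,-24} state={1}" -f $m.Id, $m.State
}

# 'Sms' and 'Voice' are the legacy, phishable methods; warn if the unified policy still allows them.
$legacyOn = @($policy.AuthenticationMethodConfigurations |
              Where-Object { $_.Id -in 'Sms','Voice' -and $_.State -eq 'enabled' })
if ($legacyOn.Count -gt 0) {
    "WARNING: legacy methods still enabled in the unified policy: $(($legacyOn | ForEach-Object Id) -join ', ')"
}

# --- 2. Global Administrators: the accounts whose lockout would hurt most. ---
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Method types this report treats as phishing-resistant (FIDO2 keys, Windows Hello for Business).
$strongTypes = @('#microsoft.graph.fido2AuthenticationMethod',
                 '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$phoneType   = '#microsoft.graph.phoneAuthenticationMethod'      # covers both SMS and voice call
$passwordType = '#microsoft.graph.passwordAuthenticationMethod'  # not an MFA method

foreach ($member in $gaMembers) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # skip groups / service principals assigned to the role

    # Every registered method for the user; the @odata.type tells us which kind it is.
    $types = @(Get-MgUserAuthenticationMethod -UserId $member.Id |
               ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $mfaTypes = @($types | Where-Object { $_ -ne $passwordType })

    # Assumption: per-user (legacy) MFA state is exposed at this v1.0 endpoint as perUserMfaState.
    $req = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$($member.Id)/authentication/requirements"

    if ($mfaTypes.Count -eq 0) {
        $finding = 'NO MFA METHOD REGISTERED - will be locked out when MFA is required'
    }
    elseif (@($types | Where-Object { $_ -in $strongTypes }).Count -gt 0) {
        $finding = 'ok: phishing-resistant method registered'
    }
    elseif (@($mfaTypes | Where-Object { $_ -ne $phoneType }).Count -eq 0) {
        $finding = 'LEGACY ONLY (SMS/voice) - register Authenticator or a FIDO2 key before migrating'
    }
    else {
        $finding = 'Authenticator/other registered - consider adding a FIDO2 key'
    }

    "{0,-40} perUserMfa={1,-9} {2}" -f $upn, $req.perUserMfaState, $finding
}
```

Run it once before the migration to see which admins would be stranded, and again afterwards to confirm that PolicyMigrationState reports migrationComplete and that Sms and Voice are disabled in the unified policy; any account reported as "NO MFA METHOD REGISTERED" or "LEGACY ONLY" should be fixed before the per-user settings are retired.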
The Windows 10 connection
While many organisations are busy planning their upgrade to Windows 11, they may not realise that legacy MFA configurations often live on older systems. The end of support for Windows 10 means no more security updates, and if your identity infrastructure is still tied to legacy MFA, you’re doubling your risk.
Don’t wait until it’s too late. Shoothill recommends reviewing your authentication policies today to ensure your organisation is protected and compliant.
Need help assessing your setup or planning your migration? Get in touch — we’re here to help.
Shoothill can help you upgrade safely
☎️ 01743 636300
🌐 To get a taste of our work, visit us at www.shoothill.com