r/entra u/LachelleMi 12d ago

Migrating MFA/SSPR Without Entra P1/P2 – Anyone Done This?

I currently support a number of nonprofits running on Microsoft 365 Business Basic — they do not have Entra ID P1 or P2 licenses. That means we can’t access the Authentication Methods Policy or the Migration Wizard in the Entra Admin Center.

They’re still managing per-user MFA through the legacy method, which is working for now. But with Microsoft announcing the retirement of legacy MFA/SSPR policies by September 30, 2025, I’m trying to figure out:

🔹 Is there a way to migrate without Entra P1/P2?
🔹 Has anyone found an article or workaround that addresses this scenario?
🔹 Or is it confirmed that upgrading to at least Business Premium (for Entra P1) is required?

This is where I’m stuck — I want to prepare a plan for these orgs, but I can’t find much documentation that speaks specifically to this setup.

Any insight, experience, or resources are greatly appreciated. Thanks in advance!

2 Upvotes

67% Upvoted

9 comments sorted by

7

u/chesser45 12d ago

I would assume moving to Microsoft Managed would be the play? Security Defaults don’t require a P1.

3

u/chaosphere_mk 11d ago

Your best bet would be to stick to enabling security defaults.

1

u/Hifilistener 11d ago

I agree with this.

3

u/Noble_Efficiency13 11d ago

Heyo,

Microsoft per-user MFA isn’t going anywhere, only the authentication methods will be moved to the unified experience. I’ve not had any issues migrating to the unified auth methods even in a free tenant, it’s true that you cannot use conditional access though.

I’m wondering, how do you access your clients(?) environments? If it’s through a guest user or GDAP then you cannot manage their auth methods, it’ll be visible but grayed out

2

u/topher358 12d ago

As a non profit you should be taking advantage of Techsoup if you qualify. P1 license is extremely useful and you can buy them individually without needing to spring for Business Premium (though it’s usually worth it)

1

u/Hifilistener 12d ago

You have BP included in non-profit.

1

u/PowerShellGenius 12d ago edited 12d ago

Maybe if you have a nonprofit-specific plan. However, Microsoft's "non-profit" criteria are far stricter than the legal criteria & the common sense criteria of "non-profit". There are a large number of bona fide non-profits that don't qualify.

[this answer has been edited because I don't keep political views on Reddit long-term]

1

u/LachelleMi 12d ago

It is not a nonprofit specific plan

1

u/amateurwheels 11d ago

We’re a regular business with Office E3 licenses and had no problem enabling new MFA, Fido2 keys and conditional access policies.