On September 30th Microsoft will only support a new unified multi-factor authentication control configuration. What does this mean for your nonprofit?
In March 2023 Microsoft announced that after September 30th, 2025, they would no longer automatically support “legacy” multi-factor authentication controls in the Microsoft 365 Entra ID and General Admin administration portals. The methods your staff are using now will not automatically roll over to be allowed via the new admin dashboard after that date. Steve Longenecker, Community IT’s Director of IT Consulting, explains to Carolyn the implications for nonprofits of this change and the Microsoft unified security administration deadline.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
The takeaways:
- The new unified authentication dashboard is available now to Microsoft 365 admins.
- The new Authentication Methods page does not inherit methods allowed in the legacy controls. An administrator needs to manually enable the MFA methods your organization wants to allow. Old MFA options your staff are using now will not roll over automatically to the new dashboard.
- Microsoft and Community IT are pushing admins to use this opportunity to exclude less secure MFA methods. Community IT advises against allowing SMS texting and one-time codes sent to personal email addresses as MFA methods.
- You can upgrade and implement the new MFA and password reset options at any time, and we advise you to do this before September 30, whether or not Microsoft grants an extension of the deadline.
- If you just started using Microsoft 365 for Nonprofits, you don’t need to worry about the deadline because your initial configuration would already be using the new Authentication Methods page. If you haven’t made the change or don’t know, you need to check before September 30, 2025.
- This change is visible only to Microsoft administrators, who should be making the change and informing staff where appropriate. If you are a nonprofit leader or board member and have not heard from your IT Director or outsourced IT, check with them to understand the plan for your organization. If you are a nonprofit staffer, pay attention to directions on using the safest MFA to protect your nonprofit.
- While not directly impacted by this deadline from Microsoft, Carolyn and Steve discuss the importance of “phish-resistant” MFA, preventing Attacker-in-the-Middle (AitM) attacks, for executives and staff working in finance, IT and other highly targeted areas of your operations.
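The takeaways above come down to two administrator checks: which methods are enabled on the new Authentication Methods page (and whether the migration has been completed), and which users are registered only with the methods you intend to drop. The script below is an added example, not Community IT's or Microsoft's code. The two JSON documents in it are constructed samples shaped like the Microsoft Graph responses for `GET /policies/authenticationMethodsPolicy` and `GET /reports/authenticationMethods/userRegistrationDetails`; that an exported policy and report from a live tenant carry exactly these fields, and how you fetch them, is an assumption left to the reader.

```python
"""Audit an Entra ID authentication methods policy export and a user
registration report for the cutover issues described above.

Added example; not Community IT's or Microsoft's code. The JSON below is
CONSTRUCTED sample data shaped like Microsoft Graph's
/policies/authenticationMethodsPolicy and
/reports/authenticationMethods/userRegistrationDetails responses (assumption).
"""
import json

# Methods the page advises against allowing on the new Authentication Methods page.
WEAK_METHODS = {"Sms", "Email"}
# Registration-report method names that correspond to those weak methods
# (assumed names, modelled on the Graph registration report).
WEAK_REGISTRATIONS = {"mobilePhone", "alternateMobilePhone", "email"}

# Constructed sample policy: SMS and email OTP are enabled, migration unfinished.
POLICY_JSON = """{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Fido2", "state": "enabled"},
    {"id": "Sms", "state": "enabled"},
    {"id": "Email", "state": "enabled"},
    {"id": "SoftwareOath", "state": "disabled"}
  ]
}"""

# Constructed sample registration report for three hypothetical users.
REPORT_JSON = """{"value": [
  {"userPrincipalName": "alice@example.org", "isMfaRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
  {"userPrincipalName": "bob@example.org", "isMfaRegistered": true,
   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "carol@example.org", "isMfaRegistered": false,
   "methodsRegistered": []}
]}"""


def policy_findings(policy: dict) -> dict:
    """Return the migration state, every enabled method, and the weak ones."""
    enabled = sorted(
        c["id"]
        for c in policy.get("authenticationMethodConfigurations", [])
        if c.get("state") == "enabled"
    )
    return {
        "migration_state": policy.get("policyMigrationState", "unknown"),
        "enabled": enabled,
        "weak_enabled": [m for m in enabled if m in WEAK_METHODS],
    }


def users_at_risk(report: dict) -> list:
    """Users with no registered method that would survive disabling SMS/email.

    A user is at risk when every registered method is one of the weak ones,
    or nothing is registered at all. The report cannot tell you whether an
    Authenticator registration is on a phone the user still has; that is why
    the page recommends confirming with staff directly.
    """
    at_risk = []
    for user in report.get("value", []):
        surviving = set(user.get("methodsRegistered", [])) - WEAK_REGISTRATIONS
        if not surviving:
            at_risk.append(user["userPrincipalName"])
    return sorted(at_risk)


def run_checks(policy_json: str = POLICY_JSON, report_json: str = REPORT_JSON) -> dict:
    """Parse both documents and combine the findings into one summary."""
    findings = policy_findings(json.loads(policy_json))
    findings["users_at_risk"] = users_at_risk(json.loads(report_json))
    findings["migration_complete"] = findings["migration_state"] == "migrationComplete"
    return findings


if __name__ == "__main__":
    result = run_checks()
    print(f"Migration state: {result['migration_state']}")
    print(f"Enabled methods: {', '.join(result['enabled'])}")
    if result["weak_enabled"]:
        print(f"Weak methods still enabled: {', '.join(result['weak_enabled'])}")
    for upn in result["users_at_risk"]:
        print(f"Needs Authenticator or a FIDO2 key before cutover: {upn}")
```

Run it against the constructed data and it reports the migration as still in progress, flags Sms and Email as enabled, and lists bob and carol as the users who would be stuck after the weak methods are switched off. Replacing the two sample strings with exports from your own tenant gives the same report for your organization; treat the "at risk" list as a starting point for the staff-meeting conversation the page recommends, since the registration report cannot see stale registrations on phones users no longer hold.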
NOTE: The timelines on Microsoft changes do sometimes shift, and we are working to keep you updated. Please check for the most recent blog or podcast from us to ensure you have the most recent update.
Microsoft Unified Security Administration Deadline Approaching
Steve Longenecker on how to tackle the upcoming update to Microsoft’s methods of managing MFA at your nonprofit.
Check back for our latest updates on the podcast and blog to understand any changes to Microsoft’s policies for unified security administration deadlines.
Presenters

As Director of IT Consulting, Steve Longenecker divides his time at Community IT primarily between managing the company’s Projects Team and consulting with clients on IT planning. Steve brings a deep background in IT support and strategic IT management experience to his work with clients. His thoughtful and empathetic demeanor helps non-technical nonprofit leaders manage their IT projects and understand the Community IT partnership approach.
Steve also specializes in Information Architecture and migrations, implementations, file-sharing platforms, collaboration tools, and Google Workspace support. His knowledge of nonprofit budgeting and management styles make him an invaluable partner in technology projects.
Steve is MCSE and Microsoft 365 Fundamentals MS 900 certified and is a certified Professional Google Workspace Administrator. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Steve about the Microsoft unified security administration deadline approaching.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about productivity, change management, and implementation of new technology, you shouldn’t also have to worry about understanding your provider. You want a partner who understands nonprofits.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
More on our Managed Services here. More resources on Microsoft tools used by nonprofits here.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics Podcast. I’m Carolyn Woodard, your host.
Steve Longenecker: My name is Steve Longenecker. I’m the Director of IT Consulting at Community IT. So yes, Microsoft announced this a long time ago – March 2023, “we announced the deprecation of managing authentication methods in the legacy multi-factor authentication and self-service password reset policies.”
They’ve been promising this for a while, but basically, there is now a page in the Entra ID administration portal, which is, you go to the main administration portal, and you click on a link, and it leads to the Entra ID administration portal. There’s a page there called Authentication Methods, and that’s the new page. That’s where they want your authentication methods to be managed. They’re promising that that will be the only place that authentication methods are managed after September 30th.
Carolyn Woodard: So, this is for the administrators to manage authentication on the back end. So, if you’re a user-
Steve Longenecker: There’s nothing for users to do with this at all. Users have no, there’s no foothold for them on this. This is all an administration question, an IT department question. Thank you for clarifying that.
Do You Need to Update Authentication Methods for Users?
If you have set up Microsoft 365 in the last maybe year or two, brand new, there was no tenant and then you created one, you’re probably already in the new system. They’ve been trying to get customers on it. It’s more the old legacy systems that are the challenge for Microsoft and for Microsoft’s customers. If you are a Community IT client that had a multi-factor authentication project done in the last 18 months, you’re in the new system because we would have gone ahead and set that all up as part of that.
But if you’ve been using Microsoft 365 for a long time and you’ve been managing MFA, you set up MFA and managed it, you know, three years ago, four years ago and haven’t paid any attention to it since, this will impact you.
Assuming that Microsoft follows through and actually pulls the trigger on September 30th with what they’re saying they’re going to do. I don’t, I’m not sure. I feel like it’s 50-50 that they’ll delay at the last minute, that they’ll make an announcement sometime in August to say … our customers have expressed a need for additional time to plan for this change, so we are extending the deadline. This will now go into effect, you know, April 30th, 2026, or something like that. Like that’s, that’s not an unusual way for these things to go, because it’s a big change.
Carolyn Woodard: But either way, you probably want to get going on this. Well, you should get going on it, because they are going to have to put everybody on this one.
Steve Longenecker: And it’s, and 50-50 is not 100. So, you should be planning on it until you hear otherwise, you should be planning on this happening on September 30th.
So, if you set it up a long time ago, and it’s all in the legacy settings, those legacy settings are still there and will be there until September 30th. And they might even be there afterwards, but they won’t be-
Carolyn Woodard: With a sign that says you have to go to the other page.
Steve Longenecker: This is just vestigial at this point.
What Authentication Methods Can Be Used?
And you might have set up, in the old days, you might have said, well, all right, what are the methods that I can choose from?
I could allow my users to use SMS, which is a text message to their phone number, that would be one way to do MFA, multi-factor authentication. You need a second method, you know, password, username, password, and then some sort of challenge. So maybe an SMS comes to my phone, or maybe in the really old days, we would have what’s called one-time passcode or OTP, or an eight-digit code. Banks still do this. Banks are so far behind, it’s terrible.
You put your username and password in and then your personal email address is sent an eight-digit code, your Gmail address, your Hotmail address, whatever, your AOL address, and you go collect that, copy it, and then paste it into the authentication, and then you’re in. This is really considered not very good security to use those kinds of methods, like text message to a phone number. There are reasons that that’s not considered great security. It is a highly corruptible method. It’s not a vector that we see actually used much, so it doesn’t scare me that much, but it is in theory…
Carolyn Woodard: It’s not as safe.
Steve Longenecker: In theory, it could be exploited. And the e-mail, for sure. I just feel like people’s e-mail addresses are not nearly as secured as they should be, right? Because how many… I get these e-mails from people that I’m vaguely associated with, that say, I’m in a jam, send me gift cards. And I’m like, oh, this person just got there.
Carolyn Woodard: I read anyone who has a Yahoo account still, those are up on the dark web everywhere. They’ve been hacked so many times.
Steve Longenecker: Right. Exactly.
So, we definitely don’t like the idea of our clients using e-mails to personal accounts as a way to get in. These days, we’re telling everybody, in the best situation, if you want to be most secure, and certainly, if you’re an IT person or a finance person, executive director, then you should be using what’s called phishing-resistant MFA methods. Those could be like little USB keys with the button on them that you plug into your computer. That’s what Community IT has for its password database or Windows 11 Hello, or I would just say Windows Hello for Business, which is typically on Windows 11, is considered to be phishing-resistant, where you use a PIN code.
Carolyn Woodard: What are passkeys?
Steve Longenecker: Passkeys are another area, and that’s where I believe, I’m a little bit out of my field on this, but I believe it’s like using some sort of like certificate relationship, you know, with something like a biometric plus a picture or something.
So anyway, what this new authentication methods page in the Entra ID Admin portal starts out with is basically, it’s like nothing’s enabled except for one, except for that email one-time passcode is enabled, which, in our opinion, is not even a secure method – and otherwise nothing is enabled.
In the worst-case scenario, your users are mostly using SMS as their multi-factor authentication. You do nothing on September 30th and suddenly SMS is no longer available because it’s not enabled on the new page by your IT department’s administrator.
Microsoft has followed through on their promise and they’re ignoring the legacy configurations and they’re only using this new page. And now the only thing that works is the one-time passcode to the personal email address, which might be out of date, might never have been set up. It depends on the situation.
Carolyn Woodard: And then you’re saying that it’s not going to roll over. So, the systems for MFA that you allow now, after that date in September will not automatically be allowed in the new system.
Steve Longenecker: Yes, that is what Microsoft chose not to do. I feel like Microsoft could have chosen to do that, but they have not chosen to do that so far. Either that’s technically challenging to do that, or they’re not that excited about their customers using SMS.
Change Managing New Authentication Options for Users
So, this is an opportunity to push everybody to not use those methods, right? Potentially, although it is possible to enable it in the new page. We don’t recommend enabling it in the new page, but it is possible to.
I think some of Community IT’s clients will fall into this boat, where they really feel like they can’t deal with the change management of doing anything more than basically going ahead and manually turning on the methods that they’ve already allowed in the legacy, in the modern or new or unified. And then when it gets switched by Microsoft, nothing, the users won’t experience any change.
Password Resetting
The other wrinkle on this is that in the current or in the legacy systems, the methods and rules for authenticating, logging in, are different from the methods and rules for resetting your password.
Microsoft for a while has had what’s called Self Service Password Reset or SSPR, where when you go to log in, there’s a little link at the bottom that says, I forgot my password or something like that. And you can click on that. And then in the legacy system, there are a variety of ways that can be configured.
You could have registered a personal phone number and a personal email address, and the administrator could say, those are the two ways that will let you reset your password, but you have to do both because we don’t trust either one that much. If both are successfully cleared, we can trust you that you’re the person you say you are and you are welcome to reset your password.
Now that’s all out the window. Those legacy methods are also going to be replaced by this new unified thing. So that particular page even has security questions. It’s one of the ways to reset your password.
That’s another thing banks do, right? Ahead of time, you put in the answers to these security questions and then you answer the questions to do what you need to do. I don’t believe security questions are available in the new one because they’re considered so unreliable.
Planning for the New Unified Authentication Administration Portal
So long story short, this is something that, if I were in charge of an organization’s IT department or had some responsibility for it or just want to make sure my IT department’s attending this, I’d make sure that there’s a plan for this.
The ideal plan of action is to go to this new page and enable just the secure, the best practice authentication methods, which I started to list those.
There was FIDO2 keys, Windows 11 for Business, which is not listed but is included in that same mechanism of the FIDO2. Windows Hello.
Authenticator Apps like Microsoft and Google
Generally we would say at this point, even though it’s not phish-resistant, for regular users that don’t have financial system control or IT system controls, probably just the Authenticator app is enough. That’s a separate thing that you enable, and then that would allow users to set up the Authenticator app on their phone, and then basically when they get prompted to type in a phone number, a number, a two-digit number, 64 or 72 or whatever, and then hit confirm, and then they’re allowed in.
The Authenticator method is not phishing resistant. You can be tricked into letting someone into your account with that method if someone sends you a bad link to something, and you think you’re logging in to Microsoft, and you are actually logging in to Microsoft, but you’re logging in to Microsoft through the bad people.
Carolyn Woodard: That’s the attacker in the middle (AitM).
Steve Longenecker: There’s an attacker in the middle. You got it. Yeah, you’ve heard me give that spiel before.
For regular staff, we feel like if you’re giving them trainings about how to spot phishing emails, and you have systems in place to catch when suddenly someone starts logging in from a weird location – that’s tooling that we use for our clients. It costs a little bit of money, but to our mind it’s worth it. Suddenly, someone starts logging in from an odd location, it’ll raise flags and so forth.
If you have those layers, then maybe Microsoft Authenticator is a reasonable balance between security and accessibility, because certainly staff don’t love having to worry about a little USB key and plugging that into the computer. That is a pain. With the Authenticator app, no one is hardly anywhere ever without their phone within arm’s reach. That’s just the way we live now.
The Authenticator app has that convenience going for it, whereas the FIDO2 key, when you need it, might not be on you. And then you find that incredibly inconvenient, even if it’s just a matter of walking downstairs to the drawer where you keep your keys and grabbing it, walking back upstairs, and still it’s like, that sucked. So that’s why we say…
Carolyn Woodard: Well, with change management, often you’re trying to keep the new system as close and convenient to what it was. So, if people are already used to using the MFA application, if it’s possible to let them keep using that, that will lessen the change.
Steve Longenecker: And we think that’s okay. But maybe this is the chance to not enable SMS on the new system, to not enable email one-time passcode on the new system.
You could do some change management here where you’re like, hey, everybody – maybe at a staff meeting – you need to make sure you set up Authenticator on your account.
Reporting on MFA Methods
There are ways to get reports on who’s set that up and who hasn’t and so forth. Those reports are not entirely reliable. Technically, they’re reliable, but what our practical experience is that we’ve seen situations where it looks like everybody set up Authenticator on their phone. We complete the migration. It’s called a migration. We complete the migration. Now the organization is only using these authentication methods that don’t include SMS.
Then we have someone who’s been using SMS to get in. We tell them, well, it looks like you also have the Authenticator app set up and they’re like, I don’t know what you’re talking about. The reason is because they’d set it up, but they set it up on an iPhone that they got rid of three years ago. It’s still registered.
Carolyn Woodard: They never used it.
Steve Longenecker: Well, they may have used it then, but they don’t use it now and that phone, the battery is gone, or they don’t even have it anymore. They gave it to their kid who wiped it.
Carolyn Woodard: Your kid isn’t logging on to work?
Steve Longenecker: Well, no. If you gave it to your kid, you hopefully would wipe it so that the Authenticator app is gone. But Microsoft thinks you still have it. You didn’t tell them, right?
So that’s the place where the report can fail you.
Announce at an All-Staff Meeting
To our mind, it is worth getting in front of people in a staff meeting and saying, everybody needs to make sure that the Authenticator app works. Here’s the best way to do it.
Carolyn Woodard: If you need some help, here’s how you do it.
Steve Longenecker: Yeah. If you do that, then this is not necessarily the worst thing in the world. This could be a couple hours of work for an IT department and maybe a little bit of work for a few users.
But if everyone’s using SMS now and the organization is very resistant to change management, then it might be either more work, or you give up and say, we’re going to tackle that later, we’re going to go ahead and enable SMS in the new method.
But you can’t do nothing unless Microsoft delays again, which is not something that we know about yet.
Microsoft Unified Security Administration Deadline
Carolyn Woodard: Just to wrap up, I think what I heard you say was that you can do this right now. The new administration page exists right now, so you can go in, and you’ve got a couple of months to do it (the deadline right now is Sept 30).
Steve Longenecker: That’s right. Plenty of clients have done this already, presumably, because they’ve been talking about it for a while.
We’re bringing it up now because we’re in the home stretch, this is supposedly imminent and we probably really do want to start saying, hey, do it.
But to that point, that’s why I won’t be shocked at all if Microsoft announces that, not that they’re giving up, but that they’re just going to postpone it for six months, nine months, something like that, because that’s not atypical for them. They don’t want to screw over all their customers.
Carolyn Woodard: Well, and if Microsoft is finding that getting close to this deadline, they have a lot of questions coming in, or people who are saying, I’m the administrator, but I haven’t done this yet, then they might take pity on those of us who haven’t done it yet and extend it a little bit.
So, it sounds like it’s something that your IT director needs to know about. If they haven’t talked with you already, if you’re an executive director or CFO or something, and you haven’t heard anything about this, maybe just check in with your IT person, or you’re out for a bit.
Steve Longenecker: It could be that it’s already done, it could be that you didn’t even notice, or it could be that they said it, but if no one has been attending to it, there’s time, but it probably is about now that you should be taking it seriously.
Carolyn Woodard: All right. Sounds good. Thank you so much, Steve.
Steve Longenecker: Sure. Yeah.