Azure-docs: Any documentation for migrating from Office365 MFA to Azure MFA

Created on 1 Nov 2018  ·  11 Comments  ·  Source: MicrosoftDocs/azure-docs

We started off using Office365 MFA, but would like to switch over to Azure and Conditional Access Policies. During testing, we are finding that users must re-register their devices, and the user options are missing from the O365 portal. Is there any guidance on best practices for moving from Office365 MFA to Azure MFA?



Pri2 active-directorsvc cxp in-progress product-question triaged


All 11 comments

@tjoycebrook
Thanks for your feedback! We will investigate and update as appropriate.

Hi @tjoycebrook ,
The problem you are mentioning is a known issue. Currently, when you convert to Azure AD Premium and want to use conditional based access, there are some discrepancies. When you go from Enable/Enforce to a conditional access policy, users have to re-register because when you convert to conditional access policies you need to disable the user, and doing so deletes the flag which says that the user is registered and triggers a re-registration event.

If you call support they have a script that they can give you to help get around this issue. It is in the backlog for the product team to create a better migration tool but the fix has not been released yet. I would suggest calling support for the workaround script if you want to avoid the interrupt.

We will proceed to close this thread. If you have further questions, please leave a comment and tag either me or @MicrosoftGuyJFlo and we will gladly continue the conversation.

Thanks @MarileeTurscak-MSFT and @MicrosoftGuyJFlo. I opened a case with support and they claimed to have no knowledge of any script and explained that users would, indeed, have to re-register. Is there any other way to get that script to me?

Does this thread still hold true? We're still having this issue in April 2019. We have MFA Trusted List in 365 and are hitting up against the 50 IP limit. I've set up conditional access policies with an IP list. However, it doesn't apply as long as the 365 list is in place. In my testing, I need to clear the 365 Trusted IP list AND set users to disabled for MFA in 365 for the Azure conditional access to take effect. When I do this, users are prompted to register (despite their info being filled out). Because of this I have not made the switch yet. It also makes it exceedingly difficult to roll this out slowly or test with a small group.

@MarileeTurscak-MSFT and @MicrosoftGuyJFlo, please see my comment above!

@MarileeTurscak-MSFT @MicrosoftGuyJFlo I'm also interested in this script you mentioned. There are many customers who earlier have activated "O365-MFA" today, and I would like to be able to migrate them to AAD-CAPs instead without forcing them to re-register their MFA Config.

@Sculpin90 feel free to email me at [email protected] or email @MicrosoftGuyJFlo (email is on his page) and either of us can send you the script.

For anyone wondering about this, the script is now posted publicly here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa

@MarileeTurscak-MSFT / @tjoycebrook ,

Is per-user MFA in Azure nothing but Office 365 MFA? Can you please clarify if there is any difference?

I believe per user is a 365 setting. (Technically you can see it is in Azure, but not really Azure based) Conditional access is how you roll MFA to users direct from Azure and 365 per user needs to be turned off prior to that.

