Beat the Clock: A Free PowerShell Script for the Sept. 30 Legacy MFA Retirement Deadline
A PowerShell script built for 1,200+ tenants that provides a data-driven path to meet the deadline and genuinely improve security.
With Microsoft's deadline to deprecate legacy per-user MFA settings just weeks away, the pressure is on. To cut through the noise and panic, I’m releasing the MFA Migration Assessment Script—the exact PowerShell tool I developed and used to analyze over 1,200 customer tenants.
This isn't just another compliance checker. This tool was born from a real-world need to answer critical questions quickly and at scale:
What is my actual migration risk? (Hint: It’s lower than you think).
Where are my most urgent security gaps? (Hint: It’s your admins).
How can I create a realistic, data-driven action plan?
When I began this project, I expected to find a complex migration crisis. Instead, the data from this script crystallized a much simpler truth: perfect security is the enemy of better security. The deadline provided the perfect opportunity to help clients overcome implementation delays and take immediate action on critical security improvements.
This article gives you the script, breaks down the surprising patterns the data confirmed, and outlines a new, pragmatic approach to security that you can implement today. Let's move from crisis management to strategic improvement.
From Data to Action: What the Script Delivers
Before diving into the lessons learned, it's important to understand what the script actually produces. It doesn't just output raw data; it generates a suite of professional, actionable reports designed to guide conversations with stakeholders and drive immediate action.
When you run the assessment, you get:
1. The Executive Migration Report (.docx)
This is the strategic overview for management and clients. It provides a clear, two-phase plan that separates the immediate deadline from long-term security goals. Key features include:
Executive Summary: An at-a-glance view of MFA coverage, migration readiness, and total users needing assistance.
Phase 1 - Meet the Deadline: A zero-disruption plan to become compliant by September 30 by preserving all existing user authentication methods.
Phase 2 - Security Enhancement: A 4-6 week roadmap to systematically improve security by removing insecure methods and deploying FIDO2 keys for admins.
Privileged User Security Plan: A specific analysis of administrators, highlighting who already has phishing-resistant MFA and who needs FIDO2 security keys.
2. The Critical Action List (.docx)
This report cuts through the noise and highlights the most severe risks that require attention today. It lists:
All Users with No MFA: A simple, actionable list of accounts with only password protection.
Privileged Users Needing Secure MFA: A list of all administrators and their current, often insecure, authentication methods.
3. Automated User Communication Toolkit
The script saves hours of administrative work by identifying exactly who needs to upgrade their security and generating the tools to contact them. This includes:
Communication Summary: A project plan listing the users who only have insecure methods and a timeline for contacting them.
Personalized Email Templates: For each user requiring assistance, a pre-written, personalized email is generated. It explains what they need to do, why, and by when, and even references their current login method (e.g., "You currently use text message codes") to make it clear and relatable.
These outputs provide the data-driven foundation for the pragmatic approach I now advocate. They enable us to have constructive conversations, prioritize effectively, and execute efficiently.
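The Critical Action List and the personalized notices above can be reproduced from the Graph authentication-method registration report. The following is an added example written for this article, not the script from the repository; it assumes the Microsoft.Graph.Reports module, that the MethodsRegistered values match the names in the Graph userRegistrationDetails report, and the four sample rows are constructed stand-ins for the live call.

```powershell
# Added example, not the article's script. Assumes Microsoft.Graph.Reports is
# installed and Connect-MgGraph has been run with the report's read permission.
$PhishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound')
$WeakOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')
$Friendly = @{ mobilePhone = 'text message codes'; officePhone = 'voice call codes'; email = 'email codes' }

function Get-MfaPosture {
    param([Parameter(Mandatory)][object[]]$Details)
    foreach ($d in $Details) {
        $methods = @($d.MethodsRegistered)
        $strong  = @($methods | Where-Object { $_ -in $PhishingResistant })
        $bucket  = if (-not $d.IsMfaRegistered -or $methods.Count -eq 0) { 'NoMfa' }
                   elseif ($strong.Count -gt 0) { 'PhishingResistant' }
                   elseif (@($methods | Where-Object { $_ -notin $WeakOnly }).Count -eq 0) { 'WeakOnly' }
                   else { 'Standard' }  # authenticator app / TOTP: MFA, but not phishing-resistant
        # Admins without phishing-resistant MFA come first, matching the Critical Action List
        $priority = if ($d.IsAdmin -and $bucket -ne 'PhishingResistant') { 'P1-Admin' }
                    elseif ($bucket -eq 'NoMfa') { 'P2-NoMfa' }
                    elseif ($bucket -eq 'WeakOnly') { 'P3-WeakOnly' } else { 'OK' }
        [pscustomobject]@{ User = $d.UserPrincipalName; IsAdmin = [bool]$d.IsAdmin
                           Bucket = $bucket; Priority = $priority; Methods = ($methods -join ',') }
    }
}

# Personalized notice for the communication toolkit, naming the user's current method
function New-UserNotice {
    param([Parameter(Mandatory)]$Row, [string]$Deadline = '30 September')
    $current = ($Row.Methods -split ',' | ForEach-Object { $Friendly[$_] } | Where-Object { $_ }) -join ' and '
    if (-not $current) { $current = 'a password only' }
    "Hi $($Row.User): you currently use $current to sign in. Please register Microsoft Authenticator or a FIDO2 security key by $Deadline."
}

# Constructed sample rows in place of the live report call:
#   $rows = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$rows = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example'; IsAdmin = $true;  IsMfaRegistered = $true;  MethodsRegistered = @('mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'ops@contoso.example';   IsAdmin = $true;  IsMfaRegistered = $true;  MethodsRegistered = @('fido2SecurityKey', 'microsoftAuthenticatorPush') }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsAdmin = $false; IsMfaRegistered = $false; MethodsRegistered = @() }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IsAdmin = $false; IsMfaRegistered = $true;  MethodsRegistered = @('microsoftAuthenticatorPush') }
)
$posture = Get-MfaPosture -Details $rows
$posture | Sort-Object Priority | Format-Table -AutoSize
$posture | Where-Object { $_.Priority -in @('P1-Admin', 'P2-NoMfa', 'P3-WeakOnly') } | ForEach-Object { New-UserNotice -Row $_ }
```

With the sample rows, admin@ lands in P1 (SMS-only administrator), alice@ in P2 (no MFA), and ops@ and bob@ need no notice.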
What the Data Confirmed: Turning Insight into Action
Running this assessment at scale didn't uncover new types of vulnerabilities; instead, it provided hard data that confirmed several challenges common across the industry. This allowed us to shift from giving general advice to building targeted, client-specific action plans.
The Migration "Task" That Wasn't a "Crisis"
The data consistently showed that 95% of tenants could migrate with zero user disruption.
Users without MFA weren't at risk of losing access—they never had MFA to begin with. This reframed the conversation from a risky migration to a straightforward security opportunity.
The real issue wasn't the migration timing but using this event to improve the ongoing security posture.
The Administrator Action Plan
The data confirmed a widespread industry challenge: approximately 60% of tenants had at least one privileged user without MFA.
While securing admins has always been our top priority, the script allowed us to pinpoint the exact accounts and present a clear, urgent case for remediation.
This wasn't about a new September 2025 problem—it was about using the deadline's urgency to solve a "right now" problem that clients had previously delayed acting on.
The Device Management Paradox
We observed a common pattern of customers delaying Conditional Access deployment while waiting for "perfect" device compliance.
Meanwhile, users (including administrators) continued accessing critical systems without MFA.
This insight helped us show clients that the pursuit of perfect device management was preventing any MFA enforcement at all.
Evolution of My Consulting Approach
This data-driven approach forced me to evolve from prescriptive security absolutism to pragmatic improvement advocacy.
Before: The Absolutist Approach
"You need Conditional Access, but first enroll all devices in Intune"
"Everyone must use Microsoft Authenticator"
"No exceptions, no compromises"
Result: Customers paralyzed by complexity, implementing nothing
After: The Pragmatic Approach
"Let's start with basic Conditional Access for admins, users and high-risk locations"
"Users resistant to phone enrollment? Here are FIDO2 security keys"
"Device management can be added later—some protection is better than none"
Result: Customers taking concrete steps toward better security
The New Conditional Access Philosophy
I've completely changed my approach to Conditional Access deployment:
Phase 1: Foundation Policies (No Dependencies)
Admin Protection: Require MFA for all administrative roles.
User Protection: Require MFA for all users.
Guest User Controls: Require MFA for external users.
Location-Based Protection: Block sign-ins from high-risk countries.
Legacy Authentication Blocking: Prevent basic authentication attacks.
Phase 2: Enhanced Policies (When Ready)
Device Compliance: Add device-based requirements as Intune deployment progresses.
Application Protection: Granular controls for sensitive applications.
Risk-Based Policies: Dynamic protection based on sign-in and user risk.
The key insight: every bit helps. A customer with basic admin MFA is infinitely more secure than one waiting for perfect device compliance.
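To show what two of the Phase 1 foundation policies look like as code, here is an added example (not part of the article's script) that creates the admin-MFA and legacy-authentication-blocking policies through Microsoft Graph in report-only mode, so the sign-in logs show impact before anything is enforced. It assumes the Microsoft.Graph.Identity.SignIns module, a break-glass account ID you supply, and a role template list that you extend to the admin roles in use.

```powershell
# Added example, not the article's script. Assumes Microsoft.Graph.Identity.SignIns
# is installed and Connect-MgGraph was run with Policy.ReadWrite.ConditionalAccess.
param(
    # Assumption: object ID of an emergency-access account excluded from both policies
    [Parameter(Mandatory)][string]$BreakGlassUserId
)
# Directory role template IDs to cover; Global Administrator is shown, add the roles you use
$AdminRoles = @('62e90394-69f5-4237-9190-012177145e10')

$adminMfa = @{
    displayName = 'CA001 - Require MFA for administrators (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $AdminRoles; excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        # Basic-auth clients cannot satisfy MFA, so the policy blocks them outright
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Idempotent: re-running the script does not create duplicate policies
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $adminMfa, $blockLegacy) {
    if ($existing | Where-Object { $_.DisplayName -eq $policy.displayName }) {
        Write-Host "Skipping existing policy: $($policy.displayName)"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Review the report-only results in the sign-in logs, then switch State to enabled once the break-glass exclusion and role coverage are confirmed.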
Addressing the FIDO2/Passwordless Opportunity
One unexpected benefit of the MFA migration conversation was introducing customers to modern authentication methods:
The Phone Enrollment Challenge
Many customers struggled with Microsoft Authenticator adoption because:
Users didn't want work applications on personal phones.
BYOD policies created friction.
Mobile device management wasn't mature enough.
The FIDO2 Solution
Security keys offered an elegant alternative:
No phone required - works with any device.
Phishing-resistant - stronger security than SMS or authenticator apps.
User-friendly - simple tap-to-authenticate experience.
Cost-effective - $20-50 per administrator for significant security improvement.
For administrators especially, FIDO2 keys provide:
Protection against sophisticated phishing attacks.
Reduced dependency on personal devices.
Simplified compliance with security policies.
Practical Recommendations: Meeting Customers Where They Are
Based on hundreds of tenant assessments, here's the roadmap I now recommend:
Immediate Actions (Week 1)
Inventory privileged users without MFA (use the assessment script).
Deploy basic Conditional Access for administrators.
Order FIDO2 keys for high-value administrative accounts.
Short-term Goals (1-3 Months)
Complete MFA registration for all users (not just administrators).
Implement location-based policies to block obvious threats.
Begin phased device management enrollment.
Long-term Vision (6-12 Months)
Deploy passwordless authentication for administrators.
Implement comprehensive device compliance policies.
Add risk-based conditional access for dynamic protection.
The Power of Constructive Conversations
The most important lesson from this project wasn't technical—it was about communication. Instead of leading with fear ("You're vulnerable!") or complexity ("Here's a 50-step deployment plan"), I learned to:
Start with data - present customers with their specific risk profile, turning general advice into concrete action items.
Separate urgent from important - distinguish compliance deadlines from security improvements.
Offer multiple paths - FIDO2 keys for users who won't use phones, basic CA policies for those not ready for full MDM.
Celebrate progress - acknowledge every security improvement, however small.
Making the Script Available to the Community
This assessment script represents hundreds of hours of tenant analysis and customer conversations. I'm releasing it to the community because:
Every MSP managing multiple tenants faces these same challenges.
Internal IT teams need data-driven approaches to security planning.
The security community benefits from practical tools over theoretical frameworks.
The script provides:
Automated tenant assessment and reporting.
Clear separation of migration requirements from security opportunities.
Actionable recommendations based on current posture.
Professional reports for stakeholder communication.
Key Takeaways for the Security Community
Perfect is the enemy of better - Don't let comprehensive security plans prevent basic improvements.
Meet customers where they are - Understand their constraints and provide viable paths forward.
Data drives better decisions - Assessment tools create more productive conversations than assumptions.
Every bit helps - Basic Conditional Access is infinitely better than no Conditional Access.
Options reduce resistance - FIDO2 keys, passkeys, and authenticator apps give users choices.
Conclusion: From Compliance Task to Strategic Improvement
What began as a Microsoft compliance deadline became an opportunity to have better security conversations with customers. By building tools that accurately assess risk, providing multiple implementation paths, and focusing on incremental improvement rather than perfection, we can help customers make meaningful security progress.
The MFA migration deadline is just the beginning. The real opportunity lies in using this transition as a catalyst for broader security enhancement—one that meets customers where they are and provides practical paths forward.
The MFA Migration Assessment Script is available on:
https://github.com/jjrmilner/MFA-to-Authentication-Methods-Policy-Migration-Tool
It includes comprehensive tenant analysis, dual risk assessment (migration vs. security), and actionable recommendations for Microsoft 365 environments.
About the Author: JJ Milner is a Microsoft MVP responsible for over 1,200 customer tenants. He is a tech entrepreneur, founder and chief security architect for Global Micro Solutions.
Call to Action
For MSPs and IT Consultants:
Download the assessment script and customize it for your customer base.
Share your own experiences with pragmatic security deployments.
Join the conversation about meeting customers where they are in their security journey.
For IT Teams:
Use the script to assess your own environment.
Start with basic Conditional Access policies—don't wait for perfect device management.
Consider FIDO2 security keys for administrators who resist phone-based MFA.
For the Security Community:
Share practical tools and approaches that work in real environments.
Focus on incremental improvement over theoretical perfection.
Remember that better security today is worth more than perfect security someday.
The goal isn't to be right about security—it's to help customers be more secure. Sometimes that means compromising on perfect implementation to achieve meaningful improvement.


Hi, I don't find the script in the GitHub repo (https://github.com/jjrmilner/MFA-to-Authentication-Methods-Policy-Migration-Tool) you mentioned in the article.