Fix “Unable to save the changes” error in System-preferred MFA


You might run into the weird error ‘Unable to save the changes’ when changing the setting under Authentication methods for Report suspicious activity or System-preferred multifactor authentication. It can appear whether you are enabling the setting, disabling it, or setting it to Microsoft Managed.

The frustrating part of this error is that it doesn’t tell us much, and there is nothing in the audit logs either.

Unable to save the changes error displayed in the Entra admin center

Well, my first thought was something local, as the error is very vague. Hence, I proceeded with the following basic troubleshooting.

  • Disabled ad-blockers in browser.
  • Tried private browser window and different browsers.
  • Tried the same on a different device on mobile network. (goal was to try on a different network and different device)
  • Attempt the same actions using a different global admin account.
  • Collected browser trace and analyzed.

None of the above helped in resolving the issue, nor did it give any additional insight into the cause of the error ‘Unable to save the changes’.

There have been incidents where the GUI didn’t work but performing the same action through Graph Explorer or Graph PowerShell worked. So, I decided to give Graph Explorer a try.

I followed the steps below to try to change the status of ‘Report suspicious activity’ from Microsoft Managed to Enabled.

  • Went to Graph explorer.
  • Ran the below code after making sure I gave the consent to correct permissions.
Method: PATCH
Request URL: https://graph.microsoft.com/beta/policies/authenticationmethodspolicy
Request body:
{
   "reportSuspiciousActivitySettings": {
       "state": "enabled",
       "voiceReportingCode": 7,
       "includeTarget": {
           "id": "all_users",
           "targetType": "group"
       }
   }
}
Patch in Microsoft Graph explorer

And, tada! While it didn’t resolve the issue, it gave me a better error.

error shown when ran the graph explorer

The error said, ‘Not enough SSPR/UCP methods are enabled to satisfy SSPR Gates. [PolicyMigrationState: MigrationInProgress][numberOfSSprGates:2][NumberOfValidMethodsUsableforSSPR:1]’.

You may be aware that the MFA and SSPR (Self Service Password Reset) policy method settings are being migrated to the Authentication methods policy in Microsoft Entra ID. The migration can be done manually by admins, or Microsoft will push it manually by September 2025.

You have 3 stages of migration settings in Entra ID for the new authentication methods policy.

  • Pre-migration – Use policy for authentication only. Respect legacy policies.
  • Migration In Progress – Use policy for authentication and SSPR. Respect legacy policies.
  • Migration Complete – Use policy for authentication and SSPR. Ignore legacy policies.

You will only run into the ‘Unable to save the changes’ error if you have migration status set to ‘Migration In Progress’.

My SSPR settings had ‘Number of methods required to reset’ set to 2.

Number of methods required to reset - Defines the number of alternate methods of identification a user in this directory must have to reset their password

I had Mobile app notification and Mobile app code enabled as the SSPR methods.

SSPR settings showing Number of methods required to reset

Well that looks good, right? Nope. Mobile app notification and Mobile app code methods are essentially the Microsoft Authenticator app. This would only count as one method.

A question you may have here is – why did it allow me to save the settings if it didn’t meet the number of required methods to reset?

Well, that’s because your migration status is ‘in progress’, and Entra ID thinks you have more methods enabled under the new authentication methods policy that are usable for SSPR.

I checked my new Authentication methods policy and saw I had only Passkey (FIDO2) enabled under the settings.

Passkey (FIDO2) is not a valid method for SSPR; it can only be used for MFA.

This is the cause of the conflict. You have set the requirement that users authenticate via two different methods for password reset, but you have only 1 method enabled that is eligible for password reset, which is Microsoft Authenticator.
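The count behind the error can be modelled offline. The following is an added example, not code from the original post or from Microsoft: it takes the JSON returned by a GET on the authentication methods policy plus the legacy SSPR checkboxes read from the portal, and compares the distinct usable methods against the number of gates. The legacy checkbox names, the function names and the contents of SSPR_CAPABLE (limited to the methods this post names) are assumptions.

```python
# Added example (not from the original post): model of the SSPR gate count.
# Assumption: only the methods this post names as usable for SSPR; extend
# the set from Microsoft's documentation for your tenant.
SSPR_CAPABLE = {"MicrosoftAuthenticator", "Sms"}

# Hypothetical names for the legacy SSPR checkboxes, mapped to one method
# each. Both mobile-app options are the Authenticator app, so they count once.
# Assumption: legacy mobile phone and policy SMS count as the same method.
LEGACY_FAMILY = {
    "mobileAppNotification": "MicrosoftAuthenticator",
    "mobileAppCode": "MicrosoftAuthenticator",
    "mobilePhone": "Sms",
}

def usable_sspr_methods(policy, legacy_methods):
    """Return the distinct methods that count toward the SSPR gates."""
    state = policy.get("policyMigrationState")
    usable = set()
    # The new policy serves SSPR once migration is in progress or complete.
    if state in ("migrationInProgress", "migrationComplete"):
        for cfg in policy.get("authenticationMethodConfigurations", []):
            if cfg.get("state") == "enabled" and cfg.get("id") in SSPR_CAPABLE:
                usable.add(cfg["id"])
    # Legacy settings are respected until the migration is complete.
    if state in ("preMigration", "migrationInProgress"):
        usable.update(LEGACY_FAMILY[m] for m in legacy_methods if m in LEGACY_FAMILY)
    return usable

def check_sspr_gates(policy, legacy_methods, gates):
    """Compare usable methods with 'Number of methods required to reset'."""
    usable = usable_sspr_methods(policy, legacy_methods)
    return {"usable": sorted(usable), "gates": gates, "ok": len(usable) >= gates}

# Constructed sample mirroring the tenant in this post: only Passkey (FIDO2)
# enabled in the new policy, both mobile-app options ticked in legacy SSPR.
SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled"},
        {"id": "MicrosoftAuthenticator", "state": "disabled"},
        {"id": "Sms", "state": "disabled"},
    ],
}
SAMPLE_LEGACY = ["mobileAppNotification", "mobileAppCode"]

if __name__ == "__main__":
    print(check_sspr_gates(SAMPLE_POLICY, SAMPLE_LEGACY, gates=2))
```

With the constructed sample the result is one usable method against two gates, the same mismatch the Graph error reports.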

How to resolve the ‘Unable to save the changes’ error

Solution 1: Enable an additional method that is capable of SSPR

You can do this either in the legacy SSPR settings for authentication methods or in the new authentication methods policy. I highly recommend that you enable it in the new authentication methods policy.

Phone number enabled along with Authenticator app in SSPR settings.
SMS enabled in new authentication methods policy.

Solution 2: Change ‘Number of methods required to reset’

You could reduce the number of methods required to reset the password to 1. This would only require users to authenticate via one method when resetting their password. Always remember, the more the better.

Number of methods required to reset set to 1. You will notice that ‘mobile app notification’ becomes unavailable – this is by design.

Solution 3: Switch over completely to the new authentication methods policy

I highly recommend that you complete the migration of the authentication methods policy, however you could just switch over the SSPR methods to the new authentication methods policy. That’s one half of migration done.

Assuming you have ‘Number of methods required to reset’ set to 2, go to the new Authentication methods policy and enable two methods that can be used for SSPR.

In the below example, I have enabled Microsoft Authenticator and SMS.

SMS and Microsoft Authenticator enabled along with Passkey.
Passkey (FIDO2) is not an SSPR-capable method. It can only be used for MFA.

Make sure to keep Migration status ‘In progress’.

Now, let’s go back to the legacy page under self service password reset settings for SSPR methods. You may now uncheck all the methods and hit Save.

All method disabled under SSPR settings
Number of methods required to reset are still controlled from this page

Make sure to still keep Migration status ‘In progress’ if you haven’t migrated MFA methods under the per-user MFA settings for verification methods.

Try making changes to ‘System-preferred MFA’ or ‘Report suspicious activity’

Once you have followed any of the 3 solutions listed above, you may try saving the changes you have for Report suspicious activity or System-preferred multifactor authentication.

You will be able to successfully save the changes without any errors.

Changing System preferred MFA settings.
System preferred multifactor state set to ‘Enabled’
Success message of changes made
