Microsoft is set to implement mandatory multi-factor authentication (MFA) for all Azure sign-ins, a move aimed at strengthening security for its users. The transition will be carried out in two phases, the first scheduled for October 2024. During this phase, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center, with a gradual rollout to all tenants.
The second phase is expected in early 2025, when MFA will become mandatory for signing in to the Azure Command Line Interface (CLI), Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools. Note that end users who access applications, websites, or services hosted on Azure but do not sign in to the applications listed above are not required to use MFA.
According to Microsoft, all users performing any Create, Read, Update, or Delete (CRUD) operation will need MFA once enforcement begins. Workload identities such as managed identities and service principals are not affected by the MFA enforcement. Organizations can enable MFA through Microsoft Entra using various methods, including FIDO2 security keys, certificate-based authentication, passkeys, mobile-app sign-in (push notifications, biometrics, or one-time passcodes), SMS-based authentication, or voice call verification (the least secure option, to be avoided where possible).
Microsoft representatives Naj Shahid and Bill DeForeest, Principal Product Managers for Azure Compute, have said that external MFA solutions and federated identity providers will continue to be supported and will satisfy the MFA requirement if they are configured to send an MFA claim. Customers who need additional time to prepare for mandatory MFA, due to complex environments or technical barriers, will receive a temporary reprieve until March 15, 2024. Global Administrators will have until October 15, 2024, to postpone the start date via the Azure portal.
This move by Microsoft is part of its ongoing efforts to increase security measures for its users. In the past, the company introduced Microsoft-managed Conditional Access policies in Entra ID (formerly Azure Active Directory) to promote MFA use for enterprise accounts. The ultimate goal of this latest development is to reduce the risk of account compromise and data breaches for Azure customers and to assist with compliance requirements such as PCI DSS, HIPAA, GDPR, and NIST.
To ensure a smooth transition, Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health notifications, stating the enforcement start date and the required actions. Additional notifications will be communicated through the Azure portal, the Entra admin center, and the M365 message center.
Overall, Microsoft’s decision to make MFA mandatory for all Azure sign-ins reflects its commitment to enhancing security measures and protecting user data in an increasingly digital world. By implementing these changes, Microsoft aims to provide a safer and more secure environment for its customers while also ensuring compliance with industry standards and regulations.
