Mandatory MFA for Azure sign-ins is coming

Microsoft is making multi-factor authentication (MFA) – “one of the most effective security measures available” – mandatory for all Azure sign-ins.

Preparing for mandatory MFA for Azure

The plan is for the shift to happen in two phases:

  • October 2024: MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center (gradual roll-out to all tenants)
  • Early 2025: MFA will be required to sign in to the Azure Command Line Interface (CLI), Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools.

“All users who sign into the applications […] to perform any Create, Read, Update, or Delete (CRUD) operation will require MFA when the enforcement begins. End users who access applications, websites, or services hosted on Azure, but don’t sign into the listed applications, aren’t required to use MFA,” Microsoft explains.

Workload identities (e.g., managed identities and service principals) won’t be impacted by MFA enforcement.

Organizations can enable MFA through Microsoft Entra via:

  • FIDO2 security keys
  • Certificate-based authentication (using personal identity verification and common access card)
  • Passkeys (by using Microsoft Authenticator)
  • Sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes (via Microsoft Authenticator)
  • SMS-based authentication or voice call verification (the least secure option, to be avoided if possible)

“External multifactor authentication solutions and federated identity providers will continue to be supported and will meet the MFA requirement if they are configured to send an MFA claim,” Naj Shahid and Bill DeForeest, Principal Product Managers, Azure Compute, said.

Customers who need additional time to prepare for mandatory MFA for sign-ins (e.g., due to complex environments or technical barriers) will get a temporary reprieve, until March 15, 2024. Global Administrators have until October 15, 2024, to postpone the start date (via the Azure portal).

Pushing for increased security

Microsoft has previously introduced Microsoft-managed Conditional Access policies in Entra ID (formerly Azure Active Directory) to increase MFA use for enterprise accounts.

The goal of this latest move is to reduce the risk of account compromise and data breach for Azure customers, and to help with compliance (PCI DSS, HIPAA, GDPR, and NIST).

“Beginning today, Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify the start date of enforcement and actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center,” Shahid and DeForeest concluded.
