Microsoft Mandates MFA for All Azure Sign-Ins

Written by

Microsoft has announced it is mandating multi-factor authentication (MFA) for all Azure sign-ins.

Customers can select from multiple MFA options through Microsoft Entra to meet their needs. These are:

  • Users approving sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes though Microsoft Authenticator
  • FIDO2 security keys, enabling sign-ins without a username or password using an external USB near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards
  • Certificate-based authentication, which enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC).
  • Passkeys, which are available using Microsoft Authenticator
  • SMS or voice approval

Microsoft added that external MFA solutions and federated identity providers will continue to be supported and will meet the MFA requirement if they are configured to send an MFA claim.

The requirement applies to all users who perform any Create, Read, Update, Delete (CRUD) operation. However, end users who are accessing apps, websites or services hosted on Azure, but not signing into the Azure portal, CLI or PowerShell, are not subject to this requirement.

Additionally, Workload Identities, such as managed identities and service principals, will not be impacted by this enforcement.

Authentication requirements for end users will still be controlled by the app, website or service owners.

Read now: Is MFA Enough to Protect You Against Cyber-Attacks?

Phased Roll-Out of Mandatory MFA

Microsoft revealed the mandatory MFA rollout will begin in the second half of 2024, with all Entra global admins to be given a 60-day advance notice via email and through Azure Service Health Notifications.

  • Phase 1 will begin in October 2024, when MFA is required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide
  • Phase 2 will begin in early 2025, when MFA enforcement will commence for Azure CLI, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools

Microsoft will consider extended timeframes for customers with complex environments or technical barriers.

Customers will need to implement the new MFA requirement on top of any access policies they’ve configured in their tenants.

For organizations that currently have Microsoft defaults enabled or a Conditional Access policy through which users sign into Azure with MFA, users will not see a change to existing log in practices.

Microsoft wrote: “Our goal is to deliver a low-friction experience for legitimate customers while ensuring robust security measures are in place. We encourage all customers to begin planning for compliance as soon as possible to avoid any business interruptions.”

Microsoft Pledges to Strengthen its Security

The Azure MFA requirement is part of the Microsoft’s Secure Future Initiative (SFI), unveiled in November 2023, which aims to ensure the company can better respond to the increasing speed, scale and sophistication of today’s cyber-threats.

One of the pillars of the initiative is dedicated to protecting identities and secrets, with Microsoft pledging to protect 100% of user accounts with securely, managed, phishing-resistant MFA.

In June 2024, Microsoft President Brad Smith accepted criticisms of the firm’s cybersecurity practices in a Cyber Safety Review Board (CSRB) report, which it said enabled Chinese state hackers access the emails of US government officials in the summer of 2023.

Smith pledged in testimony to US Congress to strengthen Microsoft’s cybersecurity protections across the board, including the security of customer accounts.

Image credit: monticello / Shutterstock.com

What’s hot on Infosecurity Magazine?