Mandatory multifactor authentication (MFA) is being enforced for all Microsoft Cloud users by October 15, 2024

As part of Microsoft’s Secure Future Initiative (SFI) one focus is dedicated to protecting identities and secrets to reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization.

Recent research by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available.

In May 2024, Microsoft talked about implementing automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. Microsoft is extending this best practice of enforcing MFA to customers by making it required to access Azure. In doing so, it will not only reduce the risk of account compromise and data breach for customers, but also help organizations comply with several security standards and regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and National Institute of Standards and Technology (NIST).

In support of these standards Microsoft has announced mandatory MFA when accessing Azure, Entra and Intune admin portals. Customer must take action in their tenants prior to October 15, 2024.

Preparing for mandatory Azure MFA
Required MFA for all Azure users will be rolled out in phases starting in the second half of calendar year 2024 to provide Microsoft customers time to plan their implementation: 

• Phase 1: Starting in October, MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools. 
• Phase 2: Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.

Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify the start date of enforcement and actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center.

For customers who need additional time to prepare for mandatory Azure MFA, Microsoft will review extended timeframes for customers with complex environments or technical barriers.

Available MFA Methods 

• All supported MFA methodsare available for you to use and there are no changes to the authentication method features as part of this requirement. Support for external MFA solutions is in public preview with external authentication methods, and can be used to meet the MFA requirement. The deprecated Conditional Access Custom Controls preview will not satisfy the MFA requirement, and you should migrate to the external authentication methods preview to use an external solution with Microsoft Entra ID.
• External multifactor authentication solutions and federated Identity Provider (IdP), such as Active Directory Federation Services, will continue to be supported and will meet the MFA requirement if configured to send an MFA claim. Federated identity provider must send an MFA claim.
  
  
  

How to use Microsoft Entra for flexible MFA
Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:

• Microsoft Authenticator allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes. Augment or replace passwords with two-step verification and boost the security of your accounts from your mobile device.
• FIDO2 security keys provide access by signing in without a username or password using an external USB, near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards in place of a password.
• Certificate-based authentication enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC). Authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID for browser and application sign-in.
• Passkeys allow for phishing-resistant authentication using Microsoft Authenticator.
• Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval as described in this documentation.

User accounts
Microsoft indicated that all users signing into the Azure portal, Azure CLI, Azure PowerShell and IaC tools, such as Azure Developer CLI, Bicep, Terraform and Ansible to perform any CRUD (Create, Read, Update, Delete) operation will require MFA when the enforcement begins. End users who are accessing apps, websites or services hosted on Azure, but not signing into the Azure portal, CLI or PowerShell, are not subject to this requirement from Microsoft. Authentication requirements for end users will still be controlled by the app or service owners.

Automation accounts
Workload Identities, such as managed identities and service principals, will not be impacted by this enforcement. If you are leveraging user identities as a service account running automation (including scripts or other automated tasks), those will be required to use MFA once enforcement begins. Our guidance is that user identities are not recommended for automation and customers should migrate those to Workload Identities.


Implementation
This requirement for MFA at sign-in is implemented by Azure. Microsoft Entra ID sign-in logs will show it as the source of the MFA requirement. 

This requirement will be implemented on top of any access policies you have configured in your tenant. For example, if your organization chose to retain Microsoft’s security defaults, and you currently have security defaults enabled, your users will see no change in behavior as MFA is already required for Azure management. If your tenant is using Conditional Access policies in Microsoft Entra and you already have a Conditional Access policy through which users sign into Azure with MFA, then your users will not see a change. Similarly, if you have existing more restrictive Conditional Access policies in place targeting Azure that require stronger authentication, such as phishing-resistant MFA, then those policies will continue to be enforced, and your users will not see any changes.

 
Helient strongly recommends preparation for Microsoft’s MFA enforcement as soon as possible. If you would like more information or assistance on helping your organization and firm prepare and implement best practices, please contact our industry-leading experts at service@helient.com.