Microsoft is rolling out mandatory multi-factor authentication (MFA) for Azure sign-ins in phases, starting with the administrative portals in October 2024, to harden customer accounts against unauthorized access.
Research conducted by Microsoft demonstrates that enabling MFA can prevent over 99.2 percent of account compromise attacks, making this move a pivotal step in strengthening cloud security for its customers.
MFA for Administrative Portals
Starting in the second half of 2024, the first phase of enforcement requires every account that signs in to the key Azure administrative portals to complete MFA, regardless of which operations the account then performs there.
Affected applications include the Azure portal, Microsoft Entra Admin Center, and Microsoft Intune Admin Center. Beginning February 2025, the Microsoft 365 admin center will also fall under Phase 1 enforcement.
Users who already sign in with MFA, a passwordless method, or a FIDO2 passkey will notice no change. Accounts without MFA configured will be prompted to register and complete it at sign-in.
To accommodate complex environments, Global Administrators can postpone Phase 1 enforcement for their tenant until as late as September 30, 2025 by selecting a new enforcement date in the Azure portal. Postponing extends the window of exposure, since accounts without MFA remain easier to compromise.
MFA for Command-Line, API, and IaC Tools
Phase 2 will begin on October 1, 2025, expanding MFA requirements to Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure-as-Code (IaC) tools, and control-plane REST API operations that create, update, or delete resources.
Read-only actions will remain exempt. This phase closes the gap for scripted and automated control-plane changes, which until then are protected only by the strength of the credential itself and are therefore exposed to credential theft.
Microsoft recommends migrating user-based service accounts used for automation to workload identities, such as managed identities or service principals, to avoid MFA prompts in non-interactive scenarios.
The OAuth 2.0 Resource Owner Password Credentials (ROPC) grant sends only a username and password, so it cannot satisfy an MFA requirement and will fail once enforcement reaches the client. Developers must move applications that rely on ROPC either to an interactive flow through the modern authentication libraries (MSAL or the Azure Identity libraries) or, for unattended automation, to a workload identity.
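A practical first step for Phase 2 is to find out which identities are still reaching the Azure control plane with a single factor, and why. The following script is an added example, not code from the article or from Microsoft: it triages user sign-in records shaped like the Microsoft Graph `signIn` resource (what `GET /auditLogs/signIns` returns) and sorts single-factor sign-ins to the Azure Resource Manager resource into three buckets: ROPC clients that must be rewritten, non-interactive user sign-ins that look like user-based service accounts and should become workload identities, and interactive users who will simply be prompted. The sample records are constructed for the example; the resource ID for Azure Resource Manager (the "Windows Azure Service Management API") is the well-known `797f4846-ba00-4fd7-ba43-dac1f8f63013`.

```python
"""Triage Entra sign-in records ahead of Azure MFA enforcement (added example)."""
import json

# App ID of Azure Resource Manager ("Windows Azure Service Management API"), the
# resource behind the Azure portal, Azure CLI, Azure PowerShell and IaC tools.
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Constructed sample shaped like Graph's signIn resource; not real tenant data.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-09-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Azure Portal", "resourceId": ARM_RESOURCE_ID, "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "authenticationProtocol": "none",
     "isInteractive": True},
    {"createdDateTime": "2025-09-01T08:05:00Z", "userPrincipalName": "svc-deploy@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "resourceId": ARM_RESOURCE_ID,
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "authenticationProtocol": "none",
     "isInteractive": False},
    {"createdDateTime": "2025-09-01T08:07:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Legacy build agent", "resourceId": ARM_RESOURCE_ID,
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "authenticationProtocol": "ropc",
     "isInteractive": False},
    {"createdDateTime": "2025-09-01T08:10:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Azure Portal", "resourceId": ARM_RESOURCE_ID, "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "authenticationProtocol": "none",
     "isInteractive": True},
    {"createdDateTime": "2025-09-01T08:12:00Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Outlook", "resourceId": "00000003-0000-0000-c000-000000000000",
     "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "authenticationProtocol": "none",
     "isInteractive": True},
])


def classify(entry):
    """Return (category, remediation) for one user sign-in, or None when it is out of scope.

    The log records the sign-in, not the operation that followed it, so an account
    flagged here may only have performed reads (exempt in Phase 2); it still needs
    remediation because the same credential can perform writes.
    """
    if entry.get("resourceId") != ARM_RESOURCE_ID:
        return None  # not the Azure control plane; Phase 2 does not cover it
    if entry.get("authenticationRequirement") == "multiFactorAuthentication":
        return None  # already satisfying MFA; nothing changes at enforcement
    if entry.get("authenticationProtocol") == "ropc":
        return ("ropc", "ROPC cannot satisfy MFA: rewrite the client on MSAL / Azure "
                        "Identity or move it to a workload identity")
    if not entry.get("isInteractive", True):
        return ("service_account", "non-interactive user sign-in: migrate to a managed "
                                   "identity or service principal")
    return ("interactive", "user will be prompted for MFA at enforcement: register a method now")


def triage(raw_json):
    """Group in-scope findings by user principal name."""
    findings = {}
    for entry in json.loads(raw_json):
        result = classify(entry)
        if result is None:
            continue
        category, action = result
        findings.setdefault(entry["userPrincipalName"], []).append({
            "when": entry.get("createdDateTime"), "app": entry.get("appDisplayName"),
            "client": entry.get("clientAppUsed"), "category": category, "action": action})
    return findings


def summarize(findings):
    """Count findings per category for a quick readiness figure."""
    counts = {}
    for items in findings.values():
        for f in items:
            counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    report = triage(SAMPLE_SIGNINS)
    for upn, items in sorted(report.items()):
        for f in items:
            print(f"{upn:28} {f['category']:16} {f['app']:22} {f['action']}")
    print(summarize(report))
```

Run it against an export of the real sign-in log (for example the JSON returned by Graph, paged into a list) to get a per-identity migration list; the ordering in `classify` matters, because an ROPC sign-in is also non-interactive and must be reported as ROPC, not as a generic service account.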
Preparing and Testing for Enforcement
Organizations should review current Conditional Access policies to ensure they align with the mandatory MFA requirement.
Policies targeting Azure administrative portals must require MFA without exceptions, while more restrictive policies, such as those enforcing phishing-resistant MFA, continue to apply.
Tenants that do not use Conditional Access (which requires a Microsoft Entra ID P1 or P2 license) can enable the built-in security defaults, which require MFA for all users tenant-wide.
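The policy review described above can be automated. The script below is an added example, not code from the article or from Microsoft: it audits Conditional Access policies in the shape returned by the Graph `conditionalAccessPolicy` resource (`GET /identity/conditionalAccess/policies`) and reports, for each policy, why it would not by itself guarantee MFA for the Azure administrative portals: not enabled, not targeting the Azure control plane or the admin portals, not covering all users, carrying exclusions, or using an `OR` grant in which a non-MFA control (such as a compliant device) satisfies the policy on its own. The three policies are constructed for the example; the Azure Resource Manager app ID `797f4846-ba00-4fd7-ba43-dac1f8f63013` and the `MicrosoftAdminPortals` application target are real Graph values, while the authentication strength ID and group GUID in the sample are illustrative.

```python
"""Audit Conditional Access policies for Azure admin-portal MFA coverage (added example)."""
import json

ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
# Application targets that put the Azure administrative portals in scope of a policy.
PORTAL_TARGETS = {"All", ARM_APP_ID, "MicrosoftAdminPortals"}

# Constructed sample policies in Graph conditionalAccessPolicy shape; IDs are illustrative.
SAMPLE_POLICIES = json.dumps([
    {"displayName": "Require phishing-resistant MFA for admin portals", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["MicrosoftAdminPortals"]},
                    "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004",
                                                  "displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Azure management: MFA or compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID]},
                    "users": {"includeUsers": ["All"],
                              "excludeGroups": ["2f0c9a9e-1111-4c2d-9c1e-0e2f5a6b7c8d"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Pilot MFA for Azure (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID]},
                    "users": {"includeUsers": [], "includeGroups": ["pilot-group-guid"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
])


def requires_mfa(grant):
    """True only when every way of satisfying the grant controls involves MFA.

    MFA can be expressed as the 'mfa' built-in control or as an authentication
    strength. With operator 'OR', any additional control (compliantDevice,
    domainJoinedDevice, approvedApplication, ...) lets a sign-in pass without MFA.
    """
    controls = set(grant.get("builtInControls", []))
    has_mfa = "mfa" in controls or bool(grant.get("authenticationStrength"))
    if not has_mfa:
        return False
    others = controls - {"mfa"}
    if others and grant.get("operator") == "OR":
        return False
    return True


def audit_policy(policy):
    """Return the list of reasons this policy does not guarantee portal MFA (empty = good)."""
    findings = []
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {})
    users = cond.get("users", {})
    if policy.get("state") != "enabled":
        findings.append(f"state is '{policy.get('state')}', so it is not enforced")
    if not PORTAL_TARGETS & set(apps.get("includeApplications", [])):
        findings.append("does not target the Azure control plane or the admin portals")
    if "All" not in users.get("includeUsers", []):
        findings.append("does not include all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(f"{key} lists {len(users[key])} exclusion(s) that bypass the policy")
    if not requires_mfa(policy.get("grantControls", {})):
        findings.append("grant controls do not strictly require MFA")
    return findings


def audit(raw_json):
    """Map each policy's display name to its findings."""
    return {p["displayName"]: audit_policy(p) for p in json.loads(raw_json)}


def tenant_is_covered(raw_json):
    """True when at least one policy enforces MFA on the admin portals with no gaps."""
    return any(not findings for findings in audit(raw_json).values())


if __name__ == "__main__":
    results = audit(SAMPLE_POLICIES)
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
    print("tenant covered:", tenant_is_covered(SAMPLE_POLICIES))
```

The second policy illustrates the subtle case: it mentions MFA, yet a compliant device alone satisfies it and an excluded group bypasses it entirely, so it cannot be the policy an organization relies on. Feed the script the JSON from the Graph endpoint and look for at least one policy with an empty findings list.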
Testing is encouraged before enforcement to prevent disruptions. Administrators can manually enable MFA for test users or leverage Conditional Access policy templates to simulate enforcement.
Break-glass or emergency access accounts will also require MFA; Microsoft suggests updating these accounts to use certificate-based authentication or FIDO2 passkeys for higher assurance.
By mandating MFA across all Azure sign-in paths, Microsoft aims to substantially reduce the attack surface and protect critical cloud resources from unauthorized access. Organizations that act now to configure and test MFA will ensure seamless continuity of operations when enforcement begins.