As of October 2024, Microsoft will require multifactor authentication (MFA) on all critical administrative access points to Azure and Microsoft 365.
This policy, driven by research showing MFA blocks over 99.2 percent of account compromise attacks, aims to elevate security across the cloud ecosystem.
Organizations already using MFA, passwordless, or passkey (FIDO2) sign-in will notice no change. Others must prepare for a phased rollout and verify their configurations before enforcement dates.
Scope of Enforcement
Enforcement applies to both Azure and Microsoft 365 admin portals.
Phase 1 begins in October 2024 for the Azure portal (AppID: c44b4083-3bb0-49c1-b47d-974e53cbdf3c), Microsoft Entra admin center, and Microsoft Intune admin center.
From February 2025, MFA expands to the Microsoft 365 admin center (https://admin.microsoft.com).
Phase 2 starts October 1, 2025, covering Azure CLI (AppID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46), Azure PowerShell (AppID: 1950a258-227b-4e31-a9cf-717495945fc2), the Azure mobile app, Infrastructure as Code tools, and Control Plane REST APIs.
Read-only operations remain exempt in Phase 2.
All user accounts performing Create, Update, or Delete operations must complete MFA once enforcement begins; break-glass and emergency access accounts are also included.
| Application | App ID | Enforcement Start |
|---|---|---|
| Azure portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Oct 2024 |
| Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Oct 1, 2025 |
| Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | Oct 1, 2025 |
| Microsoft 365 admin center | N/A (portal.office.com/adminportal/home) | Feb 2025 |
Enforcement Phases and Technical Guidance
Administrators should validate MFA status via Azure Policy or Conditional Access.
Example policy rule, written in Azure Policy if/then syntax (the field aliases shown are illustrative; confirm them against the aliases available in your tenant before relying on this rule):

```json
{
  "if": {
    "allOf": [
      {"field": "identity.authenticationMethod", "equals": "password"},
      {"field": "request.appId", "in": [
        "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
      ]}
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
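Conditional Access policies themselves are expressed in the Microsoft Graph conditionalAccessPolicy schema, where MFA is a grant control rather than a deny rule. The following added example (not code from the article or from Microsoft) builds such a policy body for the three administrative application IDs the article lists, and reports which of those IDs an existing policy body leaves without MFA enforcement. The policy display name and the "legacy portal-only" policy are constructed for illustration.

```python
# Added example (not from the article or Microsoft): builds a Conditional Access
# policy body in the Microsoft Graph conditionalAccessPolicy schema that requires
# MFA for the administrative application IDs listed in the article, and reports
# which of those IDs an existing policy body leaves uncovered.
import json

# App IDs and names as given in the article's enforcement table.
ADMIN_APP_IDS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": "Azure portal",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
}


def build_admin_mfa_policy(app_ids, report_only=True):
    """Return a Graph conditionalAccessPolicy body that grants access only with MFA.

    report_only=True yields state 'enabledForReportingButNotEnforced', which logs
    what the policy would have done without blocking anyone; switch it off once
    sign-in logs show no unexpected hits. The displayName is a constructed value.
    """
    return {
        "displayName": "Require MFA for Azure administrative access",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": sorted(app_ids)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def uncovered_app_ids(policy, required_app_ids):
    """Return the required app IDs for which `policy` does not enforce MFA.

    A report-only or disabled policy enforces nothing, so every ID is uncovered.
    An explicitly excluded application is uncovered even when 'All' is included.
    """
    required = set(required_app_ids)
    if policy.get("state") != "enabled":
        return required
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        return required
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    covered = required if "All" in included else included & required
    return (required - covered) | (required & excluded)


# Constructed sample: an older policy that only covers the Azure portal.
PORTAL_ONLY_POLICY = {
    "displayName": "Legacy portal MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {
            "includeApplications": ["c44b4083-3bb0-49c1-b47d-974e53cbdf3c"]
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for app_id in sorted(uncovered_app_ids(PORTAL_ONLY_POLICY, ADMIN_APP_IDS)):
        print(f"no MFA enforcement for {ADMIN_APP_IDS[app_id]} ({app_id})")
    # Body to submit with POST /identity/conditionalAccess/policies in Graph.
    print(json.dumps(build_admin_mfa_policy(ADMIN_APP_IDS), indent=2))
```

The generated body is what you would submit to the Graph endpoint /identity/conditionalAccess/policies (Policy.ReadWrite.ConditionalAccess permission) or pass to New-MgIdentityConditionalAccessPolicy -BodyParameter from the Microsoft.Graph PowerShell module. Conditional Access also offers a built-in "Microsoft Admin Portals" cloud app that groups the admin portals; the explicit IDs are used here because they are the ones the article names for the CLI and PowerShell clients in Phase 2.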
Scripted postponement is available for complex environments: Global Administrators can run the following PowerShell snippet to defer Phase 1 until September 30, 2025:

```powershell
Connect-AzureAD
Set-AzureADPolicy -Id "RequireMfaForAdmin" -Definition @('{"enforcementStart":"2025-09-30"}')
```
Customers using the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant must migrate to supported flows in MSAL or Azure.Identity. Deprecated methods include PublicClientApplication.AcquireTokenByUsernamePassword in MSAL and the UsernamePasswordCredential class in Azure.Identity. Refer to the language-specific MSAL guidance to move to interactive or client credential flows.
Preparing for MFA Enforcement
To ensure a seamless rollout, organizations should:
- Inventory Accounts – Use the Azure CLI to list users without MFA (check the JMESPath query against the fields your tenant actually returns):
  ```bash
  az ad user list --query "[?authentication.methods[?methodType=='password']]" --output table
  ```
- Migrate Service Accounts – Transition user-based service accounts to workload identities (managed identities or service principals).
- Enable Phishing-Resistant Methods – Encourage passkey (FIDO2) or certificate-based authentication.
- Test Policies – Utilize Conditional Access templates in a staging tenant and monitor sign-in logs for MFA prompts.
- Request Extensions – If needed, defer Phase 2 enforcement until July 1, 2026, via the Azure portal or the Set-AzureADPolicy cmdlet.
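The inventory and monitoring steps above come down to one question: which accounts are reaching the in-scope applications without MFA today? The following added example (not from the article or Microsoft) triages Entra sign-in log records to answer it. The records are constructed, but the field names follow the Graph signIn resource (appId, userPrincipalName, authenticationRequirement, status.errorCode), so the same function can be run over exported sign-in logs.

```python
# Added example (not from the article or Microsoft): triages Entra sign-in log
# records to find user accounts that reached an in-scope administrative
# application with a single-factor sign-in, i.e. the accounts enforcement will
# break. The records below are constructed; field names follow the Graph signIn
# resource (appId, userPrincipalName, authenticationRequirement, status.errorCode).
from collections import defaultdict

# App ID -> (application name, enforcement start) from the article's table.
ENFORCEMENT = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": ("Azure portal", "Oct 2024"),
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": ("Azure CLI", "Oct 1, 2025"),
    "1950a258-227b-4e31-a9cf-717495945fc2": ("Azure PowerShell", "Oct 1, 2025"),
}

PORTAL, CLI, PS = (
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "1950a258-227b-4e31-a9cf-717495945fc2",
)
OTHER_APP = "11111111-1111-1111-1111-111111111111"  # constructed, out of scope

SAMPLE_SIGNINS = [  # constructed log records
    {"userPrincipalName": "alice@contoso.example", "appId": PORTAL,
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appId": CLI,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appId": PS,
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed sign-in: invalid credentials
    {"userPrincipalName": "carol@contoso.example", "appId": PORTAL,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example", "appId": OTHER_APP,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
]


def single_factor_admin_signins(signins, enforcement=ENFORCEMENT):
    """Map each UPN to {application name: enforcement start} for successful
    single-factor sign-ins to in-scope applications.

    Failed sign-ins are skipped because no access was granted, and sign-ins to
    applications outside the enforcement table are ignored.
    """
    findings = defaultdict(dict)
    for rec in signins:
        target = enforcement.get(rec.get("appId"))
        if target is None:
            continue  # not an application covered by the mandate
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue  # failed sign-in; nothing was granted
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            continue  # already satisfies the requirement
        name, start = target
        findings[rec["userPrincipalName"]][name] = start
    return dict(findings)


if __name__ == "__main__":
    for upn, apps in sorted(single_factor_admin_signins(SAMPLE_SIGNINS).items()):
        for name, start in sorted(apps.items()):
            print(f"{upn}: single-factor access to {name}, enforced from {start}")
```

Accounts that appear in the output are the ones to register for MFA (or, for automation, to replace with workload identities) before the listed start date; an empty result for a given application means the policy can move from report-only to enforced for it without breaking an existing sign-in pattern.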
Mandatory MFA represents a critical defense against credential-based attacks.
By following Microsoft’s phased approach, leveraging policy as code, and adopting secure authentication methods, organizations can protect high-value administrative interfaces and maintain uninterrupted access to cloud resources.