Azure users are now required by Microsoft to implement Multi-Factor Authentication (MFA)
Microsoft has announced a firm mandate for Multi-Factor Authentication (MFA) across the Azure portal, Microsoft Entra admin center, and Intune admin center, starting from October. This move is part of the tech giant's Secure Future Initiative, an effort to overhaul its cybersecurity strategy by integrating key security features into its platforms and services.
The MFA mandate is designed to enhance the security of these portals by supporting a variety of strong authentication methods. Users can choose from options such as the Microsoft Authenticator app, Authenticator Lite (available in Outlook), Windows Hello for Business (biometric or PIN-based sign-in), Passkey (FIDO2) devices, certificate-based authentication, Temporary Access Pass (TAP), OATH hardware and software tokens (preview), SMS text messages, and voice call.
Microsoft encourages the use of Conditional Access policies for granular MFA enforcement scenarios, where MFA may be required based on user location, device compliance, or risk levels. Security defaults also enable a baseline MFA experience primarily through the Microsoft Authenticator.
For automation scenarios in Azure, such as PowerShell scripts, MFA-enabled user identities are incompatible due to the need for interactive authentication. Instead, non-interactive identities like managed identities or service principals without MFA are recommended.
Microsoft is being flexible with the types of MFA customers can use to meet the requirement for Azure. The company will review requests from customers with complex environments or technical barriers for additional time to implement mandatory MFA.
In early 2025, Microsoft plans to phase in MFA at sign-in for Azure Command Line Interface, Azure PowerShell, Azure mobile app, and infrastructure as code tools.
This MFA mandate comes in response to a series of high-profile attacks that have targeted various systems. For instance, a ransomware attack against Change Healthcare in February was attributed to a system without MFA, and a wave of attacks targeting more than 100 Snowflake customers were also linked to systems without MFA.
Following a withering report from the federal Cyber Safety Review Board, Microsoft CEO Satya Nadella has made security the top priority for the company. The report criticized the company for prioritizing speed to market over security.
Microsoft began sending 60-day notices to all Entra administrators impacted by the change on Thursday. The company emphasizes the importance of this change in ensuring the security of its platforms and services.
- To bolster its cyberscurity stance, Microsoft has mandated Multi-Factor Authentication (MFA) for the Azure portal, Microsoft Entra admin center, and Intune admin center from October, a response to the rising number of high-profile attacks linked to systems without MFA, such as the ransomware attack against Change Healthcare in February and the wave of attacks targeting more than 100 Snowflake customers.
- As part of Microsoft's Secure Future Initiative, users have several options for MFA, including the Microsoft Authenticator app, Authenticator Lite, Windows Hello for Business, Passkey devices, certificate-based authentication, Temporary Access Pass, OATH hardware and software tokens, SMS text messages, and voice call, to enhance the security of these portals using strong authentication methods.
){kind=link}