Microsoft Announces Mandatory Multi-Factor Authentication For All Azure Users

As cyberattacks become more frequent, sophisticated, and damaging, protecting your digital assets has never been more crucial. In line with Microsoft's $20 billion investment in security over five years and its commitment to enhancing security across its services in 2024, Microsoft is now introducing mandatory multi-factor authentication (MFA) for all Azure sign-ins.

The Need for Enhanced Security

A cornerstone of Microsoft’s Secure Future Initiative (SFI) is safeguarding identities and secrets. Microsoft's goal is to minimize the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, as well as user and application authentication and authorization. To achieve this, they are taking the following key actions:

  • Protecting Identity Infrastructure: Implementing rapid and automatic rotation of signing and platform keys, secured with hardware storage and protection such as Hardware Security Modules (HSM) and confidential compute.
  • Strengthening Identity Standards: Ensuring all applications adopt standard SDKs to enhance security.
  • Securing User Accounts: Guaranteeing that all user accounts are safeguarded with securely managed, phishing-resistant MFA.
  • Protecting Applications: Ensuring all applications use system-managed credentials, such as Managed Identity and Managed Certificates.
  • Enhancing Identity Tokens: Securing 100% of identity tokens with stateful and durable validation.
  • Partitioning Keys: Adopting more fine-grained partitioning of identity signing keys and platform keys.
  • Preparing for Post-Quantum Cryptography: Ensuring identity and public key infrastructure (PKI) systems are ready for the challenges of a post-quantum cryptography world.

A crucial step in this initiative is requiring all Azure accounts to be protected with securely managed, phishing-resistant MFA. According to recent Microsoft research, MFA can block over 99.2% of account compromise attacks, making it one of the most effective security measures available. That figure covers MFA in general; against adversary-in-the-middle phishing kits that relay one-time codes and push approvals in real time, only phishing-resistant methods (FIDO2 keys, passkeys, certificates) hold, which is why the initiative calls them out specifically.


Implementing Mandatory Azure MFA

Starting in the second half of 2024, Microsoft will begin rolling out mandatory MFA for all Azure users in phases, allowing customers time to plan their implementation:

  • Phase 1: Beginning in October 2024, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center. This will gradually extend to all tenants worldwide. Other Azure clients, such as Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools, will not be impacted during this phase.
  • Phase 2: In early 2025, MFA enforcement will expand to Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools. This applies to user accounts only: workload identities such as service principals and managed identities are not subject to the requirement, so automation that currently signs in to these tools as a user account should be moved to a workload identity before this phase reaches the tenant.
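Before either phase reaches a tenant, the two questions an administrator needs answered are which users cannot yet satisfy an MFA challenge, and which user accounts still reach Azure Resource Manager through Azure CLI or Azure PowerShell with a single factor (the sign-ins Phase 2 will start blocking). The following script, added here as an example and not Microsoft's own code, answers both with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that the caller holds the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the two app IDs are the well-known first-party IDs of Azure CLI and Azure PowerShell.

```powershell
# Added readiness check (example code, not Microsoft's). Requires the Microsoft.Graph SDK
# and a caller with AuditLog.Read.All + UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Question 1: who cannot pass an MFA challenge at all, and who relies only on SMS/voice?
# Method names below are the values Entra reports in methodsRegistered.
$smsVoice = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

$readiness = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $methods = @($_.MethodsRegistered)
    [pscustomobject]@{
        User         = $_.UserPrincipalName
        IsAdmin      = $_.IsAdmin
        MfaCapable   = $_.IsMfaCapable
        # true when every registered method is a phone-based one (works, but not phishing-resistant)
        SmsVoiceOnly = ($methods.Count -gt 0) -and -not ($methods | Where-Object { $_ -notin $smsVoice })
        Methods      = ($methods -join ',')
    }
}

"Users with no usable MFA method (they will be forced to register at the first enforced sign-in):"
$readiness | Where-Object { -not $_.MfaCapable } | Format-Table User, IsAdmin -AutoSize

"Users whose only second factor is SMS or voice:"
$readiness | Where-Object { $_.SmsVoiceOnly } | Format-Table User, Methods -AutoSize

# Question 2: which user accounts reach Azure management through CLI/PowerShell without MFA?
# Well-known first-party application IDs for the two clients Phase 2 covers.
$clients = @{
    'Azure CLI'        = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
    'Azure PowerShell' = '1950a258-227b-4e31-a9cf-717495945fc2'
}

$singleFactor = foreach ($name in $clients.Keys) {
    # Interactive sign-in events only; workload identities do not appear here, which is the point:
    # anything listed is a human or a script still signing in as a user.
    Get-MgAuditLogSignIn -Filter "appId eq '$($clients[$name])'" -All |
        Where-Object { $_.AuthenticationRequirement -eq 'singleFactorAuthentication' -and $_.Status.ErrorCode -eq 0 } |
        Group-Object UserPrincipalName |
        ForEach-Object { [pscustomobject]@{ Client = $name; User = $_.Name; SignIns = $_.Count } }
}

"Successful single-factor sign-ins to Azure management, per user and client (sign-in log retention window):"
$singleFactor | Sort-Object SignIns -Descending | Format-Table -AutoSize
```

Accounts that show up in the second table with high counts and non-human-looking names are usually scheduled jobs or CI runners using a cached user login; those are the candidates to migrate to a service principal or managed identity rather than to enrol in MFA.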

Starting today, Microsoft will notify all Entra global admins 60 days in advance via email and Azure Service Health Notifications about the enforcement start date and required actions. Additional notifications will be available through the Azure portal, Entra admin center, and the M365 message center.

For customers with complex environments or technical challenges, Microsoft is open to reviewing extended timeframes for mandatory MFA preparation.

Flexible MFA Options with Microsoft Entra

Organizations can enable their users to implement MFA through several options offered by Microsoft Entra:

  • Microsoft Authenticator: Users can approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes, providing a robust layer of security.
  • FIDO2 Security Keys: Access without usernames or passwords using external security keys that support Fast Identity Online (FIDO) standards.
  • Certificate-Based Authentication: Enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC) with X.509 certificates for secure sign-ins.
  • Passkeys: A phishing-resistant authentication method using Microsoft Authenticator.
  • SMS or Voice Approval: Still supported, as described in Microsoft's documentation, but less secure: these methods are not phishing-resistant and are exposed to SIM swapping and interception, so they should be treated as a stopgap rather than a target state.
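The options above differ in strength, and the mandatory rollout only requires that some MFA happens. An organization that wants the phishing-resistant end of the list for Azure management can express that as a Conditional Access policy with a built-in authentication strength. The script below is an added example, not Microsoft's code; it assumes the Microsoft Graph PowerShell SDK, a caller with Policy.ReadWrite.ConditionalAccess, an Entra ID P1 licence for Conditional Access, and an emergency-access account whose object ID you substitute for the placeholder. The app ID is the well-known ID of the Windows Azure Service Management API, which the portal, CLI, PowerShell and IaC tools all call; the authentication-strength ID is the built-in "Phishing-resistant MFA" strength.

```powershell
# Added example (not Microsoft's code): require phishing-resistant MFA for every sign-in that
# targets Azure management. Assumes Microsoft.Graph SDK + Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # Windows Azure Service Management API
$phishingResistantMfa = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength
$breakGlassUserId     = '<object-id-of-emergency-access-account>' # placeholder: replace before running

$policy = @{
    displayName = "Require phishing-resistant MFA for Azure management"
    # Report-only first: review the sign-ins the policy *would* have blocked (Conditional Access
    # insights workbook) before switching state to "enabled", so automation that still signs in
    # as a user, or admins who have not registered a key yet, are found rather than locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # emergency-access account stays reachable
        }
        applications   = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

With this strength in place an SMS code or a plain Authenticator push no longer satisfies the policy for Azure management, while the same users can keep those methods for lower-risk applications.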

External MFA solutions and federated identity providers will remain compatible with Azure, provided they are configured to send an MFA claim; for AD FS this is the multipleauthn value in the authentication-method-references claim, which Entra treats as MFA having been satisfied by the federated provider.
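"Configured to send an MFA claim" has two halves for a federated domain: the identity provider must emit the claim, and Entra must be told how to treat it. The script below is an added example for an AD FS-federated domain, not Microsoft's code. It assumes the AD FS PowerShell module on the federation server, the Microsoft Graph PowerShell SDK with Domain.ReadWrite.All for the Entra side, and the domain name contoso.com, which is a placeholder.

```powershell
# Added example (not Microsoft's code) for an AD FS-federated domain.

# Half 1, on the AD FS server: pass the authentication-method-references claim through to
# Entra. When AD FS performed MFA this claim carries
# http://schemas.microsoft.com/claims/multipleauthn, which Entra reads as "MFA satisfied".
$rule = @'
@RuleName = "Pass through authentication method references"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
'@
$rpt = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
# Append to the existing issuance rules rather than replacing them.
Set-AdfsRelyingPartyTrust -TargetName $rpt.Name `
    -IssuanceTransformRules ($rpt.IssuanceTransformRules + "`n" + $rule)

# Half 2, in Entra: decide how the claim is treated for this domain.
#   acceptIfMfaDoneByFederatedIdp - accept the claim when present, otherwise Entra runs its own MFA
#   enforceMfaByFederatedIdp      - accept the claim; if absent, redirect the user back to the
#                                   federated IdP to perform MFA there
#   rejectMfaByFederatedIdp       - ignore the claim and always run Entra MFA
Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome
$domain = "contoso.com"                                   # placeholder federated domain
$fed = Get-MgDomainFederationConfiguration -DomainId $domain
Update-MgDomainFederationConfiguration -DomainId $domain -InternalDomainFederationId $fed.Id `
    -FederatedIdpMfaBehavior "enforceMfaByFederatedIdp"
```

The check that matters after this change is a sign-in from the federated domain: in the Entra sign-in log its Authentication Details should show the MFA requirement as satisfied by the federated claim rather than by an Entra-side prompt, and a sign-in where the IdP skipped MFA should be redirected back to it rather than admitted.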

To ensure a seamless transition and avoid business interruptions, Microsoft encourages all customers to begin planning for compliance as early as possible.

Emmanuel Sanches

IT Senior Manager | IT Governance | IT Infrastructure | IT Operations | Cybersecurity | Information Security | IT Service Delivery | Lead Auditor | LGPD | IT Support | Digital Transformation

2mo

This Azure initiative is very welcome, as in addition to significantly strengthening security, it helps organizations with difficulties in obtaining everyone's buy-in in this process. The phased adoption strategy is very suitable.

Marco Bera

Technical Director: Internet of things (IOT), Networking and IT and OT cybersecurity |360° learning passionate

2mo

This is a key step. I believe that all cloud and SaaS providers will do the same at some point; it's just a matter of time.


Better late than never. If you want to protect your organization this is a must, and it's one of the requirements for security compliance.
