Microsoft Announces Mandatory MFA for Azure

Microsoft is stepping up its Azure account protection game with mandatory multi-factor authentication (MFA) that will be enforced on all Azure sign-ins starting in October.

Mandatory Azure MFA, the tech giant says, is meant to improve the security of accounts across its services, and builds upon previously announced plans to enforce the protective measure across ID tenants within Microsoft.

Starting in the second half of 2024, Microsoft will roll out required MFA for all Azure users, with notifications delivered to customers two months prior to the enforcement, to ensure they have time to prepare for it.

In October, mandatory MFA will be turned on for the Azure portal, Microsoft Entra admin center, and Intune admin center, with the enforcement rolled out gradually to all tenants worldwide.

“This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools,” Microsoft says.

In early 2025, the tech giant will start enforcing MFA for all sign-ins to Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools.

“Beginning today, Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify the start date of enforcement and actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center,” the company said on Friday.

Microsoft said it would review extended timeframes for customers with complex environments or technical barriers, which may require additional time to prepare for the change.

According to the tech giant, mandating MFA for Azure sign-ins is part of its commitment to improve the security of its users, as this will reduce the risk of account compromise and data breaches and will help customers comply with security standards and regulations.

MFA, Microsoft says, can block more than 99.2% of account compromise attacks, and organizations have numerous options to enable its use, including Microsoft Authenticator, FIDO2 security keys, certificate-based authentication using personal identity verification (PIV) and common access card (CAC), passkeys, and the less secure SMS or voice approvals.

Last year, the US cybersecurity agency CISA published guidance on how organizations can protect against phishing and other threats by implementing phishing-resistant MFA.
