Mandatory Multifactor Authentication Coming to Azure

Starting in October, Microsoft will require multifactor authentication (MFA) for all Azure sign-ins.

Microsoft said the policy change is in line with its current focus on enhancing digital security and complements its planned $20 billion in security spending over the next five years. The specific goal with requiring MFA is "to reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization," the company said.

A security team at Microsoft released a report earlier in the year that found implementation of MFA can block 99.2% of all account compromise attacks, hence the push for requiring it in all Azure logins.

Microsoft said it plans to start rolling out the requirement in two phases. Beginning in October, MFA will be required for signing in to the Azure portal, Microsoft Entra admin center, and Intune admin center. This enforcement will gradually extend to all tenants worldwide, though it will not impact other Azure clients, such as Azure Command Line Interface (CLI), Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools. Next, in early 2025, MFA enforcement will expand to include sign-ins for Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools.

To prepare for the new policy, Microsoft has started issuing 60-day advance notice to all Entra global admins via e-mail and Azure Service Health Notifications. Additional alerts will be provided through the Azure portal, Entra admin center, and the Microsoft 365 message center. Here's how users can enable MFA:

  • Microsoft Authenticator allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes. Augment or replace passwords with two-step verification and boost the security of your accounts from your mobile device.
  • FIDO2 security keys provide access by signing in without a username or password using an external USB, near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards in place of a password.
  • Certificate-based authentication enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC). Authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID for browser and application sign-in.
  • Passkeys allow for phishing-resistant authentication using Microsoft Authenticator.
  • Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval as described in this documentation.

For more information, read the Microsoft blog post.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • a stylized magnifying glass and a neural network pattern with interconnected nodes, symbolizing search and AI processes

    OpenAI Launching AI-Powered Search Engine

    OpenAI has unveiled SearchGPT, a new AI-powered search engine designed to access information from across the internet in real time. The much-anticipated prototype will provide more organized and meaningful search results by summarizing and contextualizing information rather than returning lists of links.

  • Abstract geometric pattern with interconnected nodes and lines

    Microsoft 365 Copilot Updates Offer Expanded AI Capabilities, Collaboration Tools

    Microsoft has announced updates to its Microsoft 365 Copilot AI assistant, including expanded AI capabilities in individual apps, the ability to create autonomous agents, and a new AI-powered collaboration workspace.

  • Google Adds AI Video Creator to Workspace Labs

    Google has added a new AI-powered video creation service as part of its Workspace Labs program, where users can try out new AI features.

  • landscape photo with an AI rubber stamp on top

    California AI Watermarking Bill Supported by OpenAI

    OpenAI, creator of ChatGPT, is backing a California bill that would require tech companies to label AI-generated content in the form of a digital "watermark." The proposed legislation, known as the "California Digital Content Provenance Standards" (AB 3211), aims to ensure transparency in digital media by identifying content created through artificial intelligence. This requirement would apply to a broad range of AI-generated material, from harmless memes to deepfakes that could be used to spread misinformation about political candidates.