Microsoft Details Phased Mandatory MFA Rollout For Azure Users
‘Nothing is safe anymore. The more layers of protection we can have, the better I sleep,’ Randy Jorgensen, managing member of South Jordan, Utah-based RJNetworks, tells CRN.
Microsoft will take a phased approach to its requirement that all Azure users adopt multi-factor authentication, starting with Azure portal, Microsoft Entra administration center and Intune admin center users adopting MFA for sign-in by October – with an option to delay enforcement to March for particularly complex cases.
A second phase will start “in early 2025” for Azure Command Line Interface (CLI), PowerShell, Azure mobile app and Infrastructure as Code (IaC), according to Microsoft.
Mandatory MFA for all Azure sign-ins is part of Microsoft’s $20 billion investment in security over the next five years, the Redmond, Wash.-based tech giant said in an online post. The goal is reducing “the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization.”
“Ensuring Azure accounts are protected with securely managed, phishing-resistant multifactor authentication is a key action we are taking,” according to the post.
Microsoft MFA Mandate
CRN has reached out to Microsoft for comment.
Randy Jorgensen, managing member of South Jordan, Utah-based RJNetworks, told CRN in an interview that he pushes for MFA everywhere he can with customers.
One of the usual reasons customers don’t employ MFA is the extra steps, Jorgensen said. But MFA “is essential in this day and age.”
“Nothing is safe anymore,” he said. “The more layers of protection we can have, the better I sleep.”
Kelly Yeh, president of Chantilly, Va.-based Phalanx Technology Group, told CRN in an interview that the Microsoft solution provider makes sure everything is locked with MFA and even adds password managers to make sure passwords are complex enough and not reused.
Yeh also credited complacency with why customers still don’t enable MFA, prioritizing other items on the to-do list.
“If you haven’t suffered a recent attack, you don’t really feel any urgency,” he said. “It falls down the list of action items. I see it all the time.”
Customers “don’t see how much of a time suck mitigating an attack is,” he said.
Phased Rollout Starts In October
Microsoft described the October rollout to Azure portal, Entra admin center and Intune admin center as a gradual one to all tenants worldwide.
The rollout should not affect Azure CLI, PowerShell, Azure mobile app, infrastructure-as-code (IaC) tools and other Azure clients, according to Microsoft.
All Entra global administrators will receive 60-day notices by email and through Azure Service Health Notifications providing enforcement start date and actions the admins need to take.
Microsoft will send additional notifications through Azure portal, Entra admin center and Microsoft 365 message center.
Bill DeForeest, principal product manager for Microsoft Azure Compute, told Cloud Solution Provider (CSP) partners on an August technical training call that Azure and other Microsoft properties are “high value targets for threat actors.”
He put the phase one start date on Oct. 15 and the phase two rollout as “most likely January.”
Many third-party MFA tools are in compliance, DeForeest said. However, “legacy custom control approach” tools might not meet the requirements.
DeForeest detailed Microsoft’s postponement policy for users “who have really not started this journey yet, despite our encouragement to do so, and so that now means that they have potentially a lot of work to do.”
Users can request enforcement start date postponement until March 15, he said.
“We recognize that this is a potentially large change,” he said. “This will give folks extra time to either discuss with Microsoft if you have particular technical concerns, or you just need more time to roll out your own MFA enforcement.”
DeForeest told partners on the call that Microsoft mandates under its terms of service for customers “to control access to products.”
“Microsoft has traditionally been pretty accommodating about this,” DeForeest said. “That may not be true once we get through the MFA enrollment process. That may not be as true for anyone who is not coming into compliance.”
Users of Azure CLI, PowerShell, the Azure mobile app and IaC tools who don’t use interactive logins “will be required to start using workload identities” such as service principals and managed identities, he said. Entra user identities and “break glass” emergency accounts will need to use MFA.
End users of Azure-hosted apps and services will not be affected by the new requirements, he said.
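Phase two moves automation off interactive sign-in. As an added example (not code from the article or from Microsoft), the Azure PowerShell script below signs a job in with a managed identity or a certificate-based service principal and fails if the resulting context is still an interactive user; the tenant ID, application ID and certificate thumbprint are placeholders, and the Az.Accounts module is assumed to be installed.

```powershell
# Added example, not from the article or Microsoft: replace an interactive
# 'Connect-AzAccount' in an automation job with a workload identity and verify
# that no human account is in play. Tenant, app id and thumbprint are placeholders.
param(
    [switch]$UseManagedIdentity,
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ApplicationId  = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'                 # cert in CurrentUser\My
)

function Connect-AzWorkloadIdentity {
    param([switch]$Managed, [string]$Tenant, [string]$AppId, [string]$Thumbprint)

    if ($Managed) {
        # Azure compute (VM, Functions, Automation) with a system-assigned identity:
        # no credential is stored in the job at all.
        Connect-AzAccount -Identity -ErrorAction Stop | Out-Null
    }
    else {
        # Runners outside Azure: certificate-based service principal. Preferred
        # over a client secret so nothing reusable sits in pipeline configuration.
        Connect-AzAccount -ServicePrincipal -Tenant $Tenant -ApplicationId $AppId `
            -CertificateThumbprint $Thumbprint -ErrorAction Stop | Out-Null
    }
    return Get-AzContext
}

function Assert-NonInteractiveContext {
    param([Parameter(Mandatory)] $Context)
    # Az reports 'User' for interactive accounts and 'ServicePrincipal' or
    # 'ManagedService' for workload identities. A 'User' here means the job still
    # depends on a human sign-in that the MFA mandate will start interrupting.
    if ($Context.Account.Type -eq 'User') {
        throw "Signed in as user '$($Context.Account.Id)'; move this job to a workload identity."
    }
    Write-Verbose ("Signed in as {0} ({1}) in tenant {2}" -f `
        $Context.Account.Id, $Context.Account.Type, $Context.Tenant.Id)
}

$ctx = Connect-AzWorkloadIdentity -Managed:$UseManagedIdentity -Tenant $TenantId `
    -AppId $ApplicationId -Thumbprint $CertThumbprint
Assert-NonInteractiveContext -Context $ctx
```

Run with `-UseManagedIdentity` on Azure-hosted runners; elsewhere the certificate referenced by the thumbprint must be registered on the app registration in Entra.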
Secure Future Initiative
MFA blocks more than 99.2 percent of account compromise attacks, Microsoft said in a blog post announcing the mandate. Enabling MFA will also bring organizations into compliance with Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), National Institute of Standards and Technology (NIST) and other security standards and regulations.
Ways to use MFA through Entra – formerly known as Active Directory – include:
- The Microsoft Authenticator mobile app
- Fast Identity Online 2 (FIDO2) security keys, such as external USB keys and other external hardware security keys
- Personal identity verification (PIV), common access cards (CACs) and other certificate-based authentication
- Text message or voice approval, although Microsoft calls this “the least secure version of MFA”
In the post announcing mandated MFA, Microsoft detailed other actions meant to meet its Secure Future Initiative (SFI).
Those actions include:
- Protecting identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection
- Examples of that include hardware security module (HSM) and confidential compute
- Strengthening identity standards and driving their adoption through use of standard software development kits (SDKs) across all applications
- Making sure that all apps have managed identity, managed certificates and other system-managed credentials
- Making all identity tokens protected with stateful and durable validation
- Adopting more fine-grained partitioning of identity signing keys and platform keys
- Advancing identity and public key infrastructure (PKI) systems for post-quantum cryptography
Microsoft is not alone in strengthening requirements for MFA amid constant activity from threat actors, with identity access rival Okta and cloud rival Amazon Web Services (AWS) among the vendors making changes.
In January, Microsoft blamed a lack of MFA on a legacy account for a Russia-aligned threat actor recently stealing emails from members of Microsoft’s senior leadership team as well as from employees on its cybersecurity and legal teams.
In November, Microsoft said that it plans to “enable customers with more secure default settings for Multi-Factor Authentication (MFA) out-of-the-box,” an effort taking place “over the next year.”