Microsoft make MFA mandatory in Azure: User implications and actions

Microsoft’s recent mandate requiring MFA for all Azure users is a significant step forward in the continual drive for greater cloud security.

The policy change is designed to further safeguard the vast volumes of sensitive data hosted on the Azure platform.

More broadly, it’s part of Microsoft’s initiatives to increase identity and data security across its entire estate in the face of increasingly sophisticated threats and an all-time high in criminal and nation state cyber activity.

What this means for Azure users

Applying MFA across the board will, in time, have an impact on the way users sign into their Azure accounts, be that via the Azure portal, Command-Line Interface (CLI), or PowerShell.

However, mindful of overly disrupting its users, the roll-out will be a phased approach through 2024 and early 2025, as follows:

• Phase 1 (from July 2024): Gradual roll-out to tenants of MFA enforcement at sign-in for Azure portal only. Other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools won’t be affected.
• Phase 2 (Early 2025 – date to be announced): Gradual roll-out of MFA enforcement to all tenants for Azure CLI, PowerShell, and IaC tools.

Notifications will be sent to global administrators 60 days before the enforcement date, with periodic reminders sent out up the day of the change.

Strategic impact and proactive implementation

Microsoft have confirmed that there will be scope for a grace period for those with more complex environments. However, it’s crucial to understand that MFA will become mandatory for all users performing administrative tasks within the Azure environment.

This includes actions such as creating, reading, updating, and deleting (CRUD) resources.

The policy change aligns with Microsoft’s Secure Future Initiative and a commitment to improve cloud security standards across its user base. It also reinforces the importance MFA has in enabling Zero Trust principles by improving breach mitigation, safeguarding data integrity, and driving greater trust in cloud computing.

Therefore, to avoid disruptions and ensure seamless compliance, users are encouraged to activate MFA as soon as possible.

What actions will you need to take?

We recommend Azure users transition to MFA using Microsoft Entra ID, which supports a variety of authentication methods.

Such as:

• Microsoft Authenticator app: Offers verification through a simple approval notification sent to your mobile device.
• SMS and voice calls: Send a verification code to your mobile device as an additional layer of security.
• Hardware tokens: Physical devices that generate a security code and can be used as part of the authentication process.

Beyond these methods, Entra ID allows administrators to configure conditional access policies.

These policies can tailor the MFA requirements based on specific scenarios, such as user location, device compliance status, or the sensitivity of the accessed data. Enhancing the flexibility and security of Azure environments.

To ensure a smooth transition to MFA, consider the following steps:

• Identify Impacted Users: Use PowerShell commands and the Multifactor Authentication Gaps workbook to identify users who need to transition to MFA.
• Set Up MFA: Implement MFA for all relevant user accounts using the MFA wizard available in Microsoft Entra.
• Migrate Automation Accounts: Transition user identities used in automation to managed identities or service principals.
• Review Break Glass Accounts: Update break glass or “emergency access” accounts to use FIDO2 or certificate-based authentication, both of which will satisfy the MFA requirement.

Why MFA is critical for your security posture

The prevalence of weak passwords remains a significant security risk.

Even with complex passwords, cyber criminals have developed sophisticated methods to breach accounts. Implementing MFA offers a powerful method of protection and significantly reduces the likelihood of unauthorised access.

In fact, given the advanced nature of modern cyber threats, MFA really is no longer a recommendation but a necessity. This is the motivation behind Microsoft’s revised policy to ensure that only authenticated users can access critical resources.

While we appreciate that this might cause some additional work for organisations, this move is for long-term safeguarding of your organisation’s cloud environment.

If you’d like more information or to discuss how to get MFA implemented across your estate, please contact the team today.

Key takeaways