Announcing Mandatory Multi-Factor Authentication for Azure sign-in

 




Security is more critical now than ever in our digital world. With cyber threats growing in scope, every organization has a duty to secure its data and systems against adversaries. Microsoft is further strengthening the security around user accounts and sensitive information by enforcing Multi-Factor Authentication (MFA) on all sign-ins to its Azure cloud. This move is meant to provide an added layer of security against unauthorized access that could result in breaches.


What is MFA (Multi-Factor Authentication)?

Multi-Factor Authentication is a security procedure that requires users to confirm their claimed identity with different factors when logging in to an account. Generally, MFA may use something you know, something you have, and something you are. The three most common factors are:

  • Something you know: a password or PIN
  • Something you have: typically, a mobile device or security token
  • Something you are: such as fingerprints or facial recognition.

Requiring more authentication factors greatly reduces the likelihood of unauthorized access, even if a user's password is leaked.



But why is MFA Becoming a Requirement for Azure Sign-In?

Organizations are moving their business-critical workloads and data to the cloud. In such environments, password-based security alone is no longer enough to protect critical workloads against modern threats such as phishing, credential stuffing, or brute force attacks.

Organizations took this step to ensure that the use of MFA for Azure sign-ins becomes a mandate. It forms a part of their comprehensive strategy to heighten security measures for their cloud services. Having MFA in place ensures that only authenticated users can access Azure resources, so that the security risks resulting from account compromise and unauthorized access stay low.

Key Benefits

Advanced Security: MFA provides an added layer of security that significantly raises the difficulty for an attacker to enter your Azure environment.

Reduced Risk of Breach: If an attacker manages to obtain a user's password, with MFA enabled the attacker will not be able to log in without a second authentication factor.

Security Standard Compliance: A large number of industry compliance frameworks and standards require MFA for access to sensitive systems and their data. Mandatory MFA is a way of achieving compliance for many organizations.

Enhances User Awareness: Enforcing MFA raises users' awareness of account security.

MFA for Azure Sign-In

Microsoft has built this functionality in ways that make it relatively easy for the majority of organizations to turn on and control MFA for users.

There are a few ways to deploy MFA in Entra ID:

  • Entra ID MFA: The built-in feature allows administrators to enforce MFA for all their users, a group of users, or specific users.
  • Conditional Access policies: Administrators can create adaptive policies that require MFA under specific conditions, such as particular scenarios or access to critical applications from untrusted locations.
  • Third-Party MFA Providers: A third-party MFA solution can be integrated with Entra ID to provide flexibility.

To enable MFA in your Azure setup, log in to the Entra ID portal and turn it on for the user group you want to cover. It is advisable, however, to set up and try out MFA policies first, before deploying them to users.


Preparing for the Change

Required MFA for all Azure users will be rolled out in phases starting in the 2nd half of calendar year 2024 to provide our customers time to plan their implementation: 

Phase 1: Starting in October, MFA will be required to sign in to the Azure portal and Microsoft Entra admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools.

Phase 2: Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.

Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications, announcing the start date of enforcement and the actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center.

Note: For customers who need additional time to prepare for mandatory Azure MFA, Microsoft will review extended timeframes for customers with complex environments or technical barriers.
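To plan for the two phases, it helps to know which accounts still reach the affected clients with a password alone. The following is an added example, not part of the original post or of any Microsoft tool: it scans sign-in records shaped like a Microsoft Graph `signIn` export and groups successful single-factor sign-ins by enforcement phase. The app display names in the mapping and the sample records are assumptions constructed for illustration; adjust them to what your tenant's logs contain.

```python
import json
from collections import defaultdict

# Assumed appDisplayName values, mapped to the phase that will enforce MFA.
PHASE_BY_APP = {
    "Azure Portal": 1,
    "Microsoft Entra admin center": 1,
    "Microsoft Azure CLI": 2,
    "Microsoft Azure PowerShell": 2,
    "Azure Mobile App": 2,
}

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
  "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "Bob@Contoso.example", "appDisplayName": "Microsoft Entra admin center",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-deploy@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Azure PowerShell",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
 {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
]""")

def single_factor_exposure(signins):
    """Return {phase: {upn: [apps]}} for successful single-factor sign-ins."""
    exposure = defaultdict(lambda: defaultdict(set))
    for rec in signins:
        phase = PHASE_BY_APP.get(rec.get("appDisplayName"))
        if phase is None:
            continue  # client not covered by either enforcement phase
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: nothing was accessed
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue  # MFA was already required for this sign-in
        upn = rec.get("userPrincipalName", "").lower()  # UPN case varies in logs
        exposure[phase][upn].add(rec["appDisplayName"])
    return {p: {u: sorted(apps) for u, apps in users.items()}
            for p, users in exposure.items()}

if __name__ == "__main__":
    for phase, users in sorted(single_factor_exposure(SAMPLE_SIGNINS).items()):
        for upn, apps in sorted(users.items()):
            print(f"Phase {phase}: {upn} signs in without MFA to {', '.join(apps)}")
```

User accounts used for automation, like the constructed `svc-deploy` entry, are the ones most likely to surface in the Phase 2 group.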





Conclusion

Making MFA mandatory for your Azure sign-ins is a critical step towards securing your cloud environment against the evolving threats it faces. Enforcing MFA greatly improves an organization's security posture, protecting sensitive data and ensuring that Azure resources are accessible to legitimate users only. Now is the time to take your organization through this important change and take full advantage of the security benefits that MFA has to offer.
