Microsoft has announced a phased rollout of mandatory Multi-Factor Authentication (MFA) for all Azure sign-ins, starting in October as part of its Secure Future Initiative.

Description

The initiative [2] [3] [5] [6], a $20 billion investment in security [2] [3] [7], aims to protect user data and identity in response to increasing cyberattacks [2]. The MFA requirement includes various authentication methods such as push notifications [4], biometrics [4] [9], FIDO2 security keys [3] [4] [6], certificate-based authentication [1] [3] [4] [6], passkeys [1] [3] [4] [6], and SMS or voice approval [3] [4]. External MFA solutions and federated identity providers will also be supported [3] [4].

The new mandate will require MFA for signing in to the Azure portal [2], the Microsoft Entra admin center [1] [2] [5] [7] [8], and the Intune admin center [2] [5] [7] [8], with enforcement beginning in the second half of 2024 and full enforcement by early 2025. Microsoft’s goal is to reduce the risk of account compromise and data breaches [2], while also helping organizations comply with security standards and regulations [2]. Research shows that MFA can block over 99.2% of account compromise attacks [2] [7] [9], making it a key component of their security strategy [2]. Microsoft aims to enhance security and comply with various security standards and regulations [3], providing robust security measures while delivering a low-friction experience for legitimate customers [3].

The requirement will affect users performing CRUD operations on these applications [1], while end users accessing applications hosted on Azure without signing into the listed applications will not be required to use MFA [1]. Workload identities are exempt from this enforcement [1], but emergency access accounts must comply with MFA [1], with Microsoft recommending passkey (FIDO2) or certificate-based authentication for these accounts [1].

Administrators are encouraged to prepare by setting up MFA for all users accessing admin portals and Azure clients [1], utilizing Conditional Access policies and security defaults [1], and taking advantage of the grace period offered by Microsoft [1]. Despite the flexibility [1], Microsoft emphasizes the importance of implementing MFA promptly to safeguard cloud resources [1]. The requirement will also apply to services accessed through the Intune admin center [5], such as Windows 365 Cloud PC [5]. Admins are encouraged to enable MFA before October 15, 2024 [5], to ensure access to these portals [5]. Postponement of the enforcement date is possible [5], but enabling MFA is recommended for increased security [5]. More information can be found in the blog posts and documentation updates provided by Microsoft [5].

Various MFA options are available for Microsoft Entra users [9], including Microsoft Authenticator with biometrics and one-time passcodes [9]. Critical keys will be protected using hardware security modules and confidential computing [9], with automatic key rotation to prevent unauthorized access [9]. MFA methods will be resilient against phishing attacks to protect user accounts and help businesses comply with industry standards like GDPR and NIST [9]. MFA will be implemented in phases [9], with the initial phase starting in October 2024 for key administrative portals [9], followed by a second phase extending MFA requirements to additional Azure clients and tools [9]. Global admins will receive a 60-day notice from Microsoft to prepare for the change [7].

Conclusion

The phased rollout of mandatory Multi-Factor Authentication by Microsoft will have significant impacts on user authentication and security measures. Organizations are encouraged to comply with the new mandate to reduce the risk of account compromise and data breaches. By implementing MFA promptly [1], businesses can safeguard their cloud resources and ensure compliance with industry standards and regulations. Admins should take advantage of the grace period offered by Microsoft to prepare for the enforcement of MFA requirements. Overall, the initiative aims to enhance security and protect user data in response to the growing threat of cyberattacks.

References

[1] https://cybersecuritynews.com/multifactor-authentication-is-mandatory-for-azure/
[2] https://www.forbes.com/sites/daveywinder/2024/08/17/microsoft-issues-mandatory-2fa-login-deadline-alert/
[3] https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/
[4] https://www.infosecurity-magazine.com/news/microsoft-mandates-mfa-azure/
[5] https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-enforcement-of-multifactor-authentication-for-intune/ba-p/4220014
[6] https://thejournal.com/Articles/2024/08/16/Mandatory-Multifactor-Authentication-Coming-to-Azure.aspx?admgarea=News1
[7] https://www.inkl.com/news/microsoft-mandates-2fa-for-azure-admins-to-enhance-security
[8] https://www.neowin.net/news/microsoft-azure-will-start-pushing-mandatory-multi-factor-authentication-from-october/
[9] https://www.biometricupdate.com/202408/microsoft-makes-mfa-mandatory-for-azure-sign-ins