Microsoft has announced the implementation of mandatory multi-factor authentication (MFA) for all Azure sign-ins. This initiative is part of Microsoft’s $20 billion investment in security over the next five years and aims to protect identities and secrets by enforcing best-in-class standards across all identity and secrets infrastructure, user and application authentication, and authorization.
Cyberattacks are becoming increasingly frequent, sophisticated, and damaging, making it critical to safeguard digital assets. Microsoft’s Secure Future Initiative (SFI) is dedicated to protecting identities and secrets by implementing and enforcing robust security measures. The mandatory MFA for Azure sign-ins is a key action in this initiative, designed to reduce the risk of unauthorized access and data breaches.
Preparing for mandatory multi-factor authentication (MFA) for Azure sign-ins
The rollout of mandatory MFA for Azure users will be phased, starting in the second half of 2024.
- Phase 1, beginning in October, will require MFA for sign-ins to the Azure portal, Microsoft Entra admin center, and Intune admin center.
- Phase 2, starting in early 2025, will extend MFA enforcement to Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
How to use Microsoft Entra for flexible MFA
Organizations can enable users to utilize MFA through Microsoft Entra in multiple ways:
- Microsoft Authenticator: Allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes.
- FIDO2 Security Keys: Let users sign in without a username or password using a USB, NFC, or other external security key.
- Certificate-based authentication: Enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC).
- Passkeys: Allow for phishing-resistant authentication using Microsoft Authenticator.
- SMS or voice approval: The least secure form of MFA; it can also be used, as described in the documentation.
Looking ahead
Microsoft emphasizes that security is its top priority and encourages all customers to begin planning for compliance as soon as possible to avoid any business interruptions. The goal is to deliver a low-friction experience for legitimate customers while ensuring robust security measures are in place.
The implementation of mandatory MFA for Azure sign-ins is a significant step towards enhancing security and protecting against cyber threats. By enforcing MFA, Microsoft aims to reduce the risk of account compromise and data breaches, helping organizations comply with various security standards and regulations. Users are encouraged to start planning for compliance to ensure a seamless transition to this more secure environment.


