Learn how MFA can protect your data and identity, and get ready for the upcoming MFA requirement for Azure.
Learn how multifactor authentication (MFA) can protect your data and identity and get ready for Azure’s upcoming MFA requirement.
As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical. As part of Microsoft’s $20 billion dollar investment in securityover the next five years and our commitment to enhancing security in our services in 2024, we are introducing mandatory multifactor authentication (MFA) for all Azure sign-ins.
The need for enhanced security
One of the pillars of Microsoft’sSecure Future Initiative (SFI)is dedicated to protecting identities and secrets—we want to reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization. As part of this important priority, we are taking the following actions:
- Protect identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection (for example, hardware security module (HSM) and confidential compute).
- Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
- Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
- Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
- Ensure 100% of identity tokens are protected with stateful and durable validation.
- Adopt more fine-grained partitioning of identity signing keys and platform keys.
- Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.
Ensuring Azure accounts are protected with securely managed, phishing-resistant multifactor authentication is a key action we are taking. As recent research by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future.
In May 2024, we talked about implementing automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. We are extending this best practice of enforcing MFA to our customers by making it required to access Azure. In doing so, we will not only reduce the risk of account compromise and data breach for our customers, but also help organizations comply with several security standards and regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and National Institute of Standards and Technology (NIST).
Preparing for mandatory Azure MFA
Required MFA for all Azure users will be rolled out in phases starting in the 2nd half of calendar year 2024 to provide our customers time to plan their implementation:
- Phase 1: Starting in October, MFA will be required to sign-in toAzure portal,Microsoft Entra admin center,andIntune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools.
- Phase 2: Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell,Azure mobile app, and Infrastructure as Code (IaC) tools will commence.
Beginning today, Microsoft will send a 60-day advance notice to all Entra global admins by emailand throughAzure Service Health Notificationsto notify the start date of enforcement and actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and theM365 message center.
For customers who need additional time to prepare for mandatory Azure MFA, Microsoft will review extended timeframes for customers with complex environments or technical barriers.
How to use Microsoft Entra for flexible MFA
Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:
- Microsoft Authenticator allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes. Augment or replace passwords with two-step verification and boost the security of your accounts from your mobile device.
- FIDO2 security keys provide access by signing in without a username or password using an external USB, near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards in place of a password.
- Certificate-based authentication enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC). Authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID for browser and application sign-in.
- Passkeys allow for phishing-resistant authentication using Microsoft Authenticator.
- Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval as described inthis documentation.
External multifactor authentication solutions and federated identity providers will continue to be supported and will meet the MFA requirement if they are configured to send an MFA claim.
Moving forward
At Microsoft, your security is our top priority. By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats. We appreciate your cooperation and commitment to enhancing the security of your Azure resources.
Our goal is to deliver a low-friction experience for legitimate customers while ensuring robust security measures are in place. We encourage all customers to begin planning for compliance as soon as possible to avoid any business interruptions.
Start today! For additional details on implementation, impacted accounts and next steps for you, please refer to thisblog post on Microsoft Tech Community.
