Announcing mandatory multi-factor authentication for Azure sign-in | Microsoft Azure Blog (2024)

Learn how multifactor authentication (MFA) can protect your data and identity and get ready for Azure’s upcoming MFA requirement.

As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical. As part of Microsoft’s $20 billion investment in security over the next five years and our commitment to enhancing security in our services in 2024, we are introducing mandatory multifactor authentication (MFA) for all Azure sign-ins.

The need for enhanced security

One of the pillars of Microsoft’s Secure Future Initiative (SFI) is dedicated to protecting identities and secrets: we want to reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization. As part of this important priority, we are taking the following actions:

  • Protect identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection (for example, hardware security module (HSM) and confidential compute).
  • Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
  • Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
  • Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
  • Ensure 100% of identity tokens are protected with stateful and durable validation.
  • Adopt more fine-grained partitioning of identity signing keys and platform keys.
  • Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.

Ensuring Azure accounts are protected with securely managed, phishing-resistant multifactor authentication is a key action we are taking. Recent research by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available. Today’s announcement brings us all one step closer toward a more secure future.

In May 2024, we talked about implementing automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. We are extending this best practice of enforcing MFA to our customers by making it required to access Azure. In doing so, we will not only reduce the risk of account compromise and data breach for our customers, but also help organizations comply with several security standards and regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and National Institute of Standards and Technology (NIST).

Preparing for mandatory Azure MFA

Required MFA for all Azure users will be rolled out in phases starting in the 2nd half of calendar year 2024 to provide our customers time to plan their implementation:

  • Phase 1: Starting in October, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools.
  • Phase 2: Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.

Beginning today, Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify them of the start date of enforcement and the actions required. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center.

For customers who need additional time to prepare for mandatory Azure MFA, Microsoft will review extended timeframes for customers with complex environments or technical barriers.

How to use Microsoft Entra for flexible MFA

Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:

  • Microsoft Authenticator allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes. Augment or replace passwords with two-step verification and boost the security of your accounts from your mobile device.
  • FIDO2 security keys provide access by signing in without a username or password using an external USB, near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards in place of a password.
  • Certificate-based authentication enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC). Authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID for browser and application sign-in.
  • Passkeys allow for phishing-resistant authentication using Microsoft Authenticator.
  • Finally, and this is the least secure version of MFA, you can also use an SMS or voice approval as described in this documentation.

External multifactor authentication solutions and federated identity providers will continue to be supported and will meet the MFA requirement if they are configured to send an MFA claim.

Moving forward

At Microsoft, your security is our top priority. By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats. We appreciate your cooperation and commitment to enhancing the security of your Azure resources.

Our goal is to deliver a low-friction experience for legitimate customers while ensuring robust security measures are in place. We encourage all customers to begin planning for compliance as soon as possible to avoid any business interruptions.

Start today! For additional details on implementation, impacted accounts, and next steps for you, please refer to this documentation.

FAQs

How do I enforce multi-factor authentication in Azure?

Policy configuration
  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
  2. Select Protection > Identity Protection > MFA registration policy.
  3. Under Assignments > Users: ...
  4. Select Enforce Policy - On.
  5. Select Save.
Jul 16, 2024

Is Microsoft MFA mandatory?

In response to increasing controversy around its cybersecurity practices, Microsoft has decided to implement mandatory multi-factor authentication (MFA) for all Azure users, aiming to enhance security and address concerns raised by the cybersecurity community.

What is Microsoft Azure multi-factor authentication?

How does MFA work in Microsoft Entra? MFA works in Microsoft Entra by requiring two or more of the following authentication methods: A password. A trusted device that's not easily duplicated, such as a phone or hardware key. Biometrics such as a fingerprint or face scan.

How do I enable MFA for Azure login?

You can do this by following these steps: In the Azure portal, go to the "Azure Active Directory" service. Select "Users" from the navigation menu. Select the user you want to enable MFA for and click on "Enable multi-factor auth".

How to check if MFA is enabled in Azure?

1. How to check if MFA is enabled from the Azure Portal
  1. Sign in to the Azure portal as a Global administrator.
  2. Search for and select Azure Active Directory, then select Users > All users.
  3. Select Per-user MFA.
  4. A new page opens that displays the user state, as shown in the following example.
Oct 3, 2023

How do I force MFA re-registration in Azure AD?

Sign in to the Azure portal. On the left, select Azure Active Directory > Users > All users. Choose your account, select Authentication methods, and click "Require re-registration for MFA".

Is MFA required for every login?

Admins will always be prompted for MFA on login. Users will be prompted for MFA "when necessary" (this is not strictly defined by Microsoft but includes when users show up on a new device or app, and for critical roles and tasks). Access to Azure portal, Azure CLI or Azure PowerShell by anyone will always require MFA.

Will Microsoft require MFA for all Azure users?

Required MFA for all Azure users will be rolled out in phases starting in the 2nd half of calendar year 2024 to provide our customers time to plan their implementation: Phase 1: Starting in October, MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center.

Why is MFA mandatory?

Multifactor Authentication Provides Extra Security

Your company's intellectual property, employee personal information, customer information and other data are prime targets for criminal activity. Passwords alone are not always effective at protecting your organization's data.

Is Microsoft forcing MFA 2024?

Enforcement for the MFA requirement at Azure sign-in will be rolled out in phases: Phase 1: Starting in July 2024, enforcement for MFA at sign-in for Azure portal only will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools.

What is the Azure role for multi-factor authentication?

To enable MFA on Azure AD, you need to have roles like Global Administrator or Security Administrator or Conditional Access Administrator on your Azure AD tenant. Make sure to acquire Azure AD Premium P1 license if you want to use conditional access policies for enabling MFA.

What are the two valid methods for Azure MFA?

Two valid methods for Azure Multi-Factor Authentication (MFA) are picture identification and a passport number. Azure Multi-Factor Authentication (MFA) can be required for administrative and non-administrative user accounts.

How to enforce MFA in Azure?

Policy configuration
  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
  2. Browse to Protection > Identity Protection > Multifactor authentication registration policy. Under Assignments > Users. ...
  3. Set Policy enforcement to Enabled.
  4. Select Save.
May 6, 2024

What is meant by multi-factor authentication?

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

How to disable MFA for a user in Azure?

Disable MFA in Microsoft Azure AD
  1. Open the Microsoft 365 Admin Center.
  2. In the left side navigation, click Azure Active Directory admin center.
  3. In the left side navigation, click Azure Active Directory.
  4. Click Properties.
  5. Click Manage Security Defaults.
  6. Select No to Disable Security defaults.

How do I force an IAM user to use MFA?

To configure MFA device enforcement for your users
  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Settings.
  3. On the Settings page, choose the Authentication tab.
  4. In the Multi-factor authentication section, choose Configure.

How do you enforce MFA for all users?

Setting up MFA for Microsoft 365
  1. Go to the Azure AD Admin Center.
  2. Navigate to Users > All Users.
  3. Select the More option and click Multi-Factor Authentication.
  4. Here you can enable MFA for multiple users using a bulk update. You can also check the boxes next to the required user accounts and enable MFA for them.

How to enforce MFA in Office 365 admin center?

Setting up MFA in Office 365: A step-by-step guide
  1. Step 1: Access the Office 365 admin center. ...
  2. Step 2: Navigate to MFA settings. ...
  3. Step 3: Enable MFA for users. ...
  4. Step 4: Configure MFA settings. ...
  5. Step 5: Review and enforce MFA settings. ...
  6. Step 6: Advanced MFA settings (optional) ...
  7. Step 7: Continuous monitoring and management.
Aug 12, 2024

What is the difference between enabled and enforced MFA?

MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in. MFA Enforced: The user has been enrolled and has completed the MFA registration process.

Author: The Hon. Margery Christiansen
