Microsoft Azure recently announced a change in their MFA (multifactor authentication) requirements. This change means many MFA configurations will no longer be acceptable for the platform. In this blog, we’ll share what you need to know along with how you can ensure your MFA meets the new requirements.
Why Microsoft is changing its Azure MFA requirements?
Microsoft has made significant investments in its security posture. Creating more rigorous standards around Azure sign-on is one of them. Over the next five years, they’ve committed to improving their security as well as holding users to a higher standard, requiring that certain cybersecurity best practices be met in order to use services like Azure.
This is part of Microsoft’s Secure Future Initiative, which aims to help minimize unauthorized access and identity compromise. Earlier this year, they rolled out Conditional Access Policies to help create comprehensive, secure access across their toolset.
In addition to Microsoft’s own security posture, the changes align with various regulatory compliance standards (like GDPR, HIPAA, etc.). Organizations can be assured that moving forward with these new requirements also support compliance efforts.
When will Azure’s MFA requirements change?
Microsoft is using a phased approach with this, beginning in October of 2024 and continuing into 2025. The first phase will consist of requiring strong forms of MFA to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center. This change goes into effect on October 15th, 2024. The second phase slated for 2025 includes gradual mandatory MFA for its Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
How can we prepare for the new Azure MFA requirements?
Administrators may already have received communications from Microsoft about this. Microsoft started pushing out notifications to Entra global admins this month, and will continue to communicate with administrators through the Azure portal, Entra admin center, and the M365 message center as the deadlines approach.
While you may have MFA in place, you’ll still need to evaluate whether it meets the criteria for Azure’s new requirements. External, third-party MFA solutions are still supported and can be eligible if they are configured to the specifications required by Microsoft. There are also native options available leveraging Microsoft Authenticator.
ADNET’s recommendation
Preparation is key. Even with a few months lead time, you’ll want to start evaluating your options now.
Here’s what you can do to make sure your business is prepared:
If you have MFA already…
- Review your existing MFA solution. Talk to your IT partner about your existing MFA solution and if it checks the box. If you have fully managed IT services or an Azure partner, they may do this proactively.
- Discuss alternatives for securely accessing your Azure environment and tools.
- Consider your legacy applications. If you have older applications that rely on Microsoft for Single Sign-on (SSO) or general authentication, they may not be compatible with the newer MFA requirements.
If you don’t have MFA…
You need it! MFA is one of the leading ways to protect your organization from cybersecurity threats. It can help restrict access and ensure your company is secure, regardless of where your team is working from. It can also help combat attack techniques like business email compromise (BEC) by requiring an extra layer of security before someone can access your business’s communication tools.
If you have concerns about the MFA deadline, extensions can be requested. Our recommendation is still to prepare for this as soon as possible. There’s no guarantee that you’ll be granted an extension, and you’ll have to make the changes at some point anyway – so it’s best to get ahead of things.
Your IT partner can help you navigate this change. If you have questions about Azure or MFA, reach out to us – we’re happy to help.