Microsoft to enforce MFA for Azure resource management in October

Starting in October, Microsoft will enforce multi-factor authentication (MFA) for all Azure resource management actions to protect Azure clients from unauthorized access attempts.

This change is part of the company’s Secure Future Initiative (SFI) and will be applied gradually across tenants worldwide. It requires users to enable MFA on Azure CLI, PowerShell, SDKs, and APIs to ensure that their accounts are protected against attacks.

To avoid compatibility issues, users are also advised to upgrade Azure CLI to version 2.76 or later and Azure PowerShell to version 14.3 or later.

Global administrators who need more time to become compliant can postpone the enforcement date until July 2026.

“Starting October 1, 2025, MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation,” Microsoft explains on its support site.

“Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs),” the company added in a Microsoft 365 Message Center update.

One year ago, in August 2024, Microsoft also warned Entra global admins to enable MFA for their tenants by October 15, 2024, to ensure users don’t lose access to admin portals.

Admins can monitor who registered for MFA using the authentication methods registration report or this PowerShell script to get a quick report across the entire user base.
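
One way to build the registration report described above, as an added example (not Microsoft's script and not the one the article refers to). The `-Live` path assumes the Microsoft Graph PowerShell SDK cmdlet `Get-MgReportAuthenticationMethodUserRegistrationDetail` and the `AuditLog.Read.All` permission; the function name `Get-MfaRegistrationGap` and the sample records are constructed for illustration.

```powershell
# Added example, not Microsoft's script. The live path needs the Microsoft.Graph.Reports
# module and AuditLog.Read.All; without -Live it runs offline on constructed records.
param([switch] $Live)

function Get-MfaRegistrationGap {
    # Emits one row per account that has an MFA registration gap.
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Detail)
    process {
        $gap = if (-not $Detail.IsMfaRegistered) {
            'NoMethodRegistered'          # no strong method registered at all
        } elseif (-not $Detail.IsMfaCapable) {
            'RegisteredButNotCapable'     # method registered but not allowed by policy
        }
        if ($gap) {
            [pscustomobject]@{
                UserPrincipalName = $Detail.UserPrincipalName
                IsAdmin           = [bool] $Detail.IsAdmin
                Gap               = $gap
                MethodsRegistered = @($Detail.MethodsRegistered) -join ','
            }
        }
    }
}

$details = if ($Live) {
    Connect-MgGraph -Scopes 'AuditLog.Read.All' | Out-Null
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All
} else {
    # Constructed sample records using the same property names as the Graph report.
    @(
        [pscustomobject]@{ UserPrincipalName = 'ops-admin@contoso.example'; IsAdmin = $true
            IsMfaRegistered = $false; IsMfaCapable = $false; MethodsRegistered = @() }
        [pscustomobject]@{ UserPrincipalName = 'deploy-script@contoso.example'; IsAdmin = $false
            IsMfaRegistered = $true; IsMfaCapable = $false; MethodsRegistered = @('mobilePhone') }
        [pscustomobject]@{ UserPrincipalName = 'dev1@contoso.example'; IsAdmin = $false
            IsMfaRegistered = $true; IsMfaCapable = $true
            MethodsRegistered = @('microsoftAuthenticatorPush') }
    )
}

# Admin accounts first, since they perform most resource management actions.
$gaps = @($details | Get-MfaRegistrationGap |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName)
$gaps | Format-Table -AutoSize
'{0} of {1} accounts have an MFA registration gap' -f $gaps.Count, @($details).Count
```

Accounts in the output that are really scripts running under a user identity are the ones the enforcement will break; those are candidates for moving to an application identity rather than registering MFA.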

This also follows a May 2024 announcement that MFA will be enforced for all users signing into Azure to administer resources, and a November announcement regarding the rollout of Conditional Access policies requiring MFA for all admins signing into Microsoft admin portals, for users on all cloud apps, and for high-risk sign-ins.

According to a Microsoft study, 99.99% of MFA-enabled accounts resist hacking attempts, and MFA helps reduce the risk of compromise by 98.56%, even when attackers use stolen credentials to breach accounts.

Microsoft-owned GitHub also started enforcing two-factor authentication (2FA) for all active developers in January 2024 as part of the same effort to boost MFA adoption.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.