Microsoft warned Entra global admins on Thursday to enable multi-factor authentication (MFA) for their tenants until October 15 to ensure users don’t lose access to admin portals.
This is part of Redmond’s recently announced Secure Future Initiative (SFI) and it aims to ensure that Azure accounts are protected against phishing and hijacking attempts by enforcing mandatory MFA for all Azure sign-in attempts.
Admins needing more time to prepare for the MFA requirement can postpone the enforcement date for each tenant until April 15, 2025, between August 15 and October 15.
However, “by postponing the start date of enforcement, you take extra risk because accounts that access Microsoft services like the Azure portal are highly valuable targets for threat actors,” Redmond warned. “We recommend all tenants set up MFA now to secure cloud resources.”
Microsoft has sent 60-day advance notices to all Entra global admins via email and Azure Service Health Notifications to remind them of the enforcement start date and the actions they must take until October.
If MFA is not enabled and there is no request to delay enforcement until October, users will be required to set up MFA before when signing into administration portals (i.e., Entra and Intune admin centers and the Azure portal) to perform Create, Read, Update, or Delete (CRUD) operations.
MFA will also be required when trying to access any services accessed through the Intune admin center, such as Windows 365 Cloud PC.
In early 2025, Microsoft will also start enforcing MFA for Azure sign-ins for those who want to access Azure PowerShell, CLI, mobile app, and Infrastructure as Code (IaC) tools.
”Starting in October, MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide,” said Principal Product Manager Naj Shahid and Azure Compute Principal Product Manager Bill DeForeest.
“Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence. ”
Admins can monitor who registered for MFA in their tenants using the authentication methods registration report or this PowerShell script to get a quick report of the MFA state across the entire user base.
This week’s reminder follows a May announcement that MFA will be enforced for all users signing into Azure to administer resources in July and a November announcement regarding the roll-out of Conditional Access policies requiring MFA for all admins signing into Microsoft admin portals (e.g., Entra, Microsoft 365, Exchange, and Azure), for users on all cloud apps, and high-risk sign-ins.
A Microsoft study found that MFA provides strong protection for user accounts against cyberattacks as it allows 99.99% of MFA-enabled accounts to resist hacking attempts and reduces the risk of compromise by 98.56%, even when attackers attempt to breach accounts using stolen credentials.
“Our goal is 100 percent multi-factor authentication. Given that formal studies show multi-factor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication,” Microsoft Vice President for Identity Security Alex Weinert said in November.
Microsoft-owned GitHub also started enforcing two-factor authentication (2FA) for all active developers in January as part of the same effort to boost MFA adoption.