Microsoft Enforces MFA for Logging into Azure Portal

In a significant security move, Microsoft announced on August 26, 2025, that it will require mandatory multifactor authentication (MFA) for all accounts signing in to the Azure portal and related administrative centers.

The policy, first introduced in 2024, aims to dramatically reduce account compromise by enforcing an additional layer of identity verification across Azure and Microsoft 365 admin portals.

Starting October 2024, Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center sign-ins will require MFA for any create, read, update, or delete operation.

Full enforcement across CLI, PowerShell, mobile, and IaC tools follows on October 1, 2025, significantly strengthening administrative security.

Microsoft research shows that enabling MFA blocks over 99.2 percent of account compromise attacks, making it one of the most effective defenses against unauthorized access.

Having offered optional MFA for years, Microsoft will now enforce it by default for critical administrative access points. The announcement underscores the company’s commitment to safeguarding cloud resources for its customers.

Scope of Enforcement

Enforcement is rolling out in two phases:

Phase 1 (October 2024 – February 2025)

  • Azure portal sign-in for all CRUD operations.
  • Microsoft Entra admin center sign-in for all CRUD operations.
  • Microsoft Intune admin center sign-in for all CRUD operations.
  • Microsoft 365 admin center sign-in requirements begin in February 2025.

Phase 1 does not yet cover Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure as Code (IaC) tools, or REST API endpoints.

Phase 2 (October 1, 2025)

  • Azure CLI and Azure PowerShell for create, update, and delete operations.
  • Azure mobile app for create, update, and delete operations.
  • IaC tools and REST API endpoints for create, update, and delete operations.
  • Read-only operations remain exempt.

Administrators relying on user accounts for scripted automation should transition to workload identities—such as managed identities or service principals—to avoid disruption when Phase 2 enforcement begins.

Affected Applications and Timelines

Application Name                 Enforcement Start
-------------------------------  -------------------
Azure portal                     Second half of 2024
Microsoft Entra admin center     Second half of 2024
Microsoft Intune admin center    Second half of 2024
Microsoft 365 admin center       February 2025
Azure CLI & PowerShell           October 1, 2025
Azure mobile app                 October 1, 2025
IaC tools & REST API             October 1, 2025

All user accounts accessing the applications listed above must complete MFA upon enforcement.

Break-glass and emergency-access accounts also require MFA; organizations are encouraged to configure passkeys (FIDO2) or certificate-based authentication for these critical accounts. Workload identities remain unaffected, but any user-based service accounts must comply.

The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow is incompatible with MFA. Applications using MSAL’s ROPC APIs must migrate to interactive or certificate-based flows.

Developers should update any code that relies on AcquireTokenByUsernamePassword or UsernamePasswordCredential in Azure Identity, following Microsoft’s migration guides for .NET, Go, Java, Node.js, and Python.
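To find code that needs this migration, a source tree can be searched for ROPC calls. The Python scanner below is an added example, not code from Microsoft or from the original article; it goes beyond the two API names cited above by also matching the snake_case MSAL Python method and raw grant_type=password requests, and its rule names and sample input are constructed.

```python
import re
from pathlib import Path

# Rule names are constructed for this example. The first two API names are the
# ones cited above; the snake_case form (MSAL Python) and the raw
# grant_type=password form are the same ROPC flow in other shapes.
ROPC_PATTERNS = {
    "msal-ropc": re.compile(r"acquire_?token_?by_?username_?password", re.I),
    "azure-identity-ropc": re.compile(r"UsernamePasswordCredential"),
    "raw-oauth-ropc": re.compile(r"grant_type[\"']?\s*[=:]\s*[\"']?password\b"),
}
SOURCE_SUFFIXES = {".py", ".cs", ".go", ".java", ".js", ".ts", ".ps1"}


def scan_text(text, name="<memory>"):
    """Return (file, line number, rule, source line) for every ROPC hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in ROPC_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()))
    return findings


def scan_tree(root):
    """Scan every source file under root; unreadable bytes are replaced."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings


# Constructed sample mixing ROPC calls with flows that need no migration.
SAMPLE = """\
from azure.identity import ManagedIdentityCredential, UsernamePasswordCredential
cred = UsernamePasswordCredential(client_id, username, password)
cred = ManagedIdentityCredential()
var r = await app.AcquireTokenByUsernamePassword(scopes, user, pw).ExecuteAsync();
result = app.acquire_token_by_username_password(user, pw, scopes=scopes)
body = {"grant_type": "password", "username": user, "password": pw}
body = {"grant_type": "client_credentials", "client_id": client_id}
"""

if __name__ == "__main__":
    for name, lineno, rule, line in scan_text(SAMPLE, "sample"):
        print(f"{name}:{lineno}: [{rule}] {line}")
```

Run against a repository with scan_tree("path/to/repo"); each hit marks a call that will fail once the signing-in user is required to complete MFA.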

Microsoft strongly recommends immediate MFA adoption to secure high-value administrative accounts and mitigate the growing threat of credential-based attacks.

Organizations can prepare by:

  • Verifying MFA configuration via the Microsoft Entra ID portal.
  • Applying or updating Conditional Access policies (requires Entra ID P1/P2).
  • Enabling security defaults if Conditional Access is unavailable.
  • Migrating user-based service accounts to workload identities.

After enforcement, Azure portal banners will notify administrators of required MFA, and sign-in logs will identify MFA challenges.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.