Microsoft is tightening security for its cloud customers by making multi-factor authentication mandatory for anyone accessing the Microsoft 365 admin center, effectively ending password-only logins for high-privilege admin portals.
The enforcement will fully kick in on February 9, 2026, following a phased rollout that began in early 2025.
Deadline and enforcement scope
Under the new policy, admin users who do not have MFA enabled will be blocked from signing into the Microsoft 365 admin center after the deadline, forcing organizations to configure strong authentication or risk operational disruption.
Enforcement covers three core admin endpoints: portal.office.com/adminportal/home, admin.cloud.microsoft, and admin.microsoft.com, which are used to manage tenants, users, security, and compliance settings.
Because these portals grant broad control over Microsoft 365 environments, a single compromised password without MFA can give attackers “god-like” access to emails, files, identity settings, and audit logs.
Microsoft notes that legacy tenants that have never enabled MFA at the organization level could see global admins locked out if they fail to prepare.
Microsoft continues to see credential attacks as one of the biggest threats to its cloud ecosystem, reporting hundreds of millions of credential-stuffing attempts per day in recent defense reports.
By mandating MFA for admin access, the company aims to blunt common attack techniques such as phishing, password reuse, brute force, and automated login stuffing.
Security practitioners have long treated MFA as a baseline control for zero-trust architectures, particularly for privileged accounts that ransomware operators and nation-state actors routinely target.
High-privilege admin identities in Entra ID (formerly Azure AD) are often the first objective in campaigns to deploy ransomware or exfiltrate large volumes of data.
Microsoft is urging global admins to turn on MFA across their organizations using the built-in setup wizard or step-by-step guidance in its documentation, which supports methods like the Microsoft Authenticator app, SMS codes, and hardware tokens.
Individual users who need access to the admin center are advised to review and, if necessary, add MFA methods via the standard setup portal before enforcement begins.
Admins should audit all privileged accounts, especially in hybrid environments that combine on-premises Active Directory with Entra ID, to ensure no break-glass or legacy accounts are left without MFA.
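The audit described above can be run offline against an exported registration report. The script below is an added example, not Microsoft's or the publication's own code: it assumes a JSON export whose field names follow Microsoft Graph's userRegistrationDetails report, with the user object's onPremisesSyncEnabled flag merged in, and all sample rows are constructed.

```python
import json

# Constructed sample rows (not real tenant data). Field names follow Microsoft
# Graph's userRegistrationDetails report; onPremisesSyncEnabled comes from the
# user object and is assumed to have been merged into the export.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "isAdmin": True,
     "isMfaRegistered": True, "isMfaCapable": True, "onPremisesSyncEnabled": False},
    {"userPrincipalName": "breakglass@example.com", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "onPremisesSyncEnabled": False},
    {"userPrincipalName": "svc-legacy@example.com", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "bob@example.com", "isAdmin": True,
     "isMfaRegistered": True, "isMfaCapable": False, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "carol@example.com", "isAdmin": False,
     "isMfaRegistered": False, "isMfaCapable": False, "onPremisesSyncEnabled": False},
    {"userPrincipalName": "newadmin@example.com", "isAdmin": True},  # incomplete row
])

NOT_REGISTERED = "no MFA method registered"
NOT_USABLE = "registered method not usable under current policy"

def audit_admins(records):
    """Return privileged accounts that would fail an MFA-enforced sign-in."""
    findings = []
    for rec in records:
        if not rec.get("isAdmin", False):
            continue  # only privileged accounts are in scope
        # Missing fields default to False so incomplete rows fail closed.
        registered = rec.get("isMfaRegistered", False)
        capable = rec.get("isMfaCapable", False)
        if registered and capable:
            continue  # has a method that the authentication policy allows
        findings.append({
            "upn": rec.get("userPrincipalName", "<unknown>"),
            "reason": NOT_USABLE if registered else NOT_REGISTERED,
            "synced_from_on_prem": bool(rec.get("onPremisesSyncEnabled")),
        })
    # Accounts with nothing registered come first, then alphabetical by UPN.
    findings.sort(key=lambda f: (f["reason"] != NOT_REGISTERED, f["upn"]))
    return findings

if __name__ == "__main__":
    for f in audit_admins(json.loads(SAMPLE_EXPORT)):
        origin = "on-prem synced" if f["synced_from_on_prem"] else "cloud-only"
        print(f"{f['upn']:28} {origin:15} {f['reason']}")
```

Rows with missing fields are reported rather than skipped, so an incomplete export cannot hide an unprotected admin account.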
The company says compliant users will see no downtime, but those who delay may face lockouts during critical work, such as incident response or patch management.
Mandating MFA for admin access aligns Microsoft’s cloud posture with requirements in frameworks like SOC 2, HIPAA, and NIST, which increasingly expect strong authentication for privileged roles, as reported by Cybersecuritynews.
The change also complements Conditional Access and Privileged Identity Management features, giving organizations a more robust defense stack for high-value identities.
Analysts expect similar enforcement to extend to other sensitive administrative surfaces such as Power Platform and other workload-specific admin portals as password-only access becomes unacceptable in the face of AI-enhanced phishing and rapidly evolving identity threats.
