Microsoft has announced a significant security enhancement for its Azure platform: starting in 2024, all Azure sign-in attempts will require multifactor authentication (MFA). This move underscores Microsoft’s commitment to providing its customers the highest level of security.
The MFA requirement will apply to several key applications, including the Azure Portal, Microsoft Entra Admin Center, and Microsoft Intune Admin Center, and enforcement will begin in the second half of 2024.
Additionally, Azure CLI, Azure PowerShell, Azure Mobile App, and Infrastructure as Code (IaC) tools will see enforcement starting in early 2025.
The requirement will affect all users performing Create, Read, Update, or Delete (CRUD) operations on these applications.
However, end users accessing applications, websites, or services hosted on Azure without signing into the listed applications will not be required to use MFA. Workload identities, such as managed identities and service principals, are exempt from this enforcement. Microsoft says.
Emergency access accounts, however, must comply with MFA, and Microsoft recommends using passkey (FIDO2) or certificate-based authentication for these accounts.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Scope of Enforcement
The MFA requirement will apply to several key applications and accounts:
- Azure Portal: Enforcement begins in the second half of 2024.
- Microsoft Entra Admin Center: Enforcement begins in the second half of 2024.
- Microsoft Intune Admin Center: Enforcement begins in the second half of 2024.
- Azure CLI, Azure PowerShell, Azure Mobile App, and IaC Tools: Enforcement starts in early 2025.
Enforcement Phases
According to the Microsoft report, The rollout of MFA enforcement will occur in two phases:
- Phase 1 (Second Half of 2024): MFA will be enforced for the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center.
- Phase 2 (Early 2025): MFA will be enforced for Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools.
To ensure a smooth transition, Microsoft will notify Global Administrators through various channels, including email, service health notifications, portal notifications, and the Microsoft 365 message center.
Prepare for Multifactor Authentication:
Administrators are encouraged to prepare by setting up MFA for all users accessing admin portals and Azure clients. This includes learning about Microsoft Entra MFA and available authentication methods, enabling users for one or more MFA methods, and utilizing Conditional Access policies and security defaults.
| Preparation for Multifactor Authentication (MFA) | Details |
|---|---|
| Requirement | All users accessing admin portals and Azure clients must be set up to use MFA. |
| Resources for Setup | – Learn about Microsoft Entra MFA and available authentication methods. – Enable users for one or more MFA methods. – Prefer more secure phishing-resistant MFA methods. |
| Options for Setting Up MFA | – Use Conditional Access policies (start in report-only mode) targeting all users and Microsoft administration portals. – Require multifactor authentication or use authentication strengths for granular control. – Enable Security defaults. |
| Configuration and Deployment | – Secure sign-in events with Microsoft Entra MFA. – Plan a Microsoft Entra MFA deployment. – Learn about phishing-resistant MFA methods. – Use the MFA wizard for Microsoft Entra ID. |
| Identifying Users’ MFA Status | – Use PowerShell to export a list of users and their authentication methods. – Use the Multifactor Authentication Gaps workbook. |
| Application IDs for Queries | – Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c– Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46– Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2– Azure mobile app: 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa |
Furthermore, support for external MFA solutions is currently in preview, allowing integration with federated Identity Providers like Active Directory Federation Services.
Recognizing that some customers may need additional time to prepare, Microsoft offers a grace period. Between August 15, 2024, and October 15, 2024, Global Administrators can postpone the enforcement start date to March 15, 2025, by adjusting settings in the Azure portal.
Despite this flexibility, Microsoft emphasizes the importance of implementing MFA promptly to safeguard valuable cloud resources from potential threats.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access