Microsoft mandates MFA for Azure users

Starting in July 2024, Microsoft is going to make multi-factor authentication (MFA) mandatory for users logging into the Azure portal. This will add an important, additional layer of security at the tenant level and significantly improve the protection of your organization's Azure environment. In this article, we explain what's changing.

Mandatory MFA for Azure users to be rolled out in phases

  • Phase 1 (as of July 2024): MFA required for login to Azure portal.
  • Phase 2 (early 2025): MFA mandatory for Azure CLI, Azure PowerShell and Infrastructure as Code (IaC) tools.

MFA for Azure users: an overview and timeline

Key points of interest

This impacts all users of Azure. The main areas of concern are:

  • User accounts: All users logging into the Azure portal, CLI, PowerShell and IaC tools must start using MFA. End users who only use apps, websites or services on Azure are not subject to this requirement.
  • Automation Accounts: Workload Identities are not affected. However, user identities used for automation must use MFA.
  • Implementation: The MFA requirement is implemented on top of existing access policies. Users with pre-existing MFA policies will not notice any change.
  • Available MFA methods: All supported MFA methods are available. External MFA solutions can also be used.
  • Special scenarios: For "break glass" accounts, FIDO2 or certificate-based authentication is recommended. Guidelines are still being developed for specific scenarios such as shared accounts and short-term user identities.

Preparation

  • Start setting up MFA as soon as possible. Regardless of Microsoft's mandatory rollout, MFA is an important additional layer of security that you should use wherever it is available. Even if hackers manage to figure out your password, they won't have direct access to your account without the second authentication factor.
  • Migrate automation processes from user identities to managed identities or service principals.
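
To find the automation that needs migrating, the following added example (not from Microsoft or the original article) scans script text for Azure CLI and Azure PowerShell sign-ins that use a user identity. The function names and the sample lines are constructed for illustration; it also reports bare interactive sign-ins, which goes slightly beyond the bullet above.

```python
import re

# Workload-identity flags versus user name/password flags.
AZ_WORKLOAD = {"--service-principal", "--identity", "-i", "--federated-token"}
AZ_USER_CRED = {"-u", "--username", "-p", "--password"}
PS_WORKLOAD = {"-serviceprincipal", "-identity", "-federatedtoken"}
PS_USER_CRED = {"-credential"}
RULES = (
    (re.compile(r"\baz\s+login\b(.*)", re.I), AZ_WORKLOAD, AZ_USER_CRED),
    (re.compile(r"\bConnect-AzAccount\b(.*)", re.I), PS_WORKLOAD, PS_USER_CRED),
)


def classify(line):
    """Return 'workload', 'user-credential', 'interactive', or None (no sign-in)."""
    code = line.split("#", 1)[0]  # drop shell/PowerShell/YAML comments
    for pattern, workload, user_cred in RULES:
        match = pattern.search(code)
        if not match:
            continue
        # Normalise "--username=x" to "--username"; PowerShell ignores case.
        flags = {tok.split("=", 1)[0].lower() for tok in match.group(1).split()}
        if flags & workload:  # checked first: -u/-p/-Credential are reused here
            return "workload"
        return "user-credential" if flags & user_cred else "interactive"
    return None


def find_user_signins(script_text):
    """Return (line_number, kind, line) for each sign-in with a user identity."""
    lines = enumerate(script_text.splitlines(), start=1)
    found = ((n, classify(text), text.strip()) for n, text in lines)
    return [hit for hit in found if hit[1] in ("user-credential", "interactive")]


# Constructed sample lines, as they might appear in pipeline scripts.
SAMPLE = """\
az login -u "$AZ_USER" -p "$AZ_PASS"
az login --service-principal -u "$APP_ID" -p "$SECRET" --tenant "$TENANT"
az login --identity
Connect-AzAccount -Credential $cred
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId
# az login -u old@example.com -p placeholder
az login
"""

if __name__ == "__main__":
    for number, kind, line in find_user_signins(SAMPLE):
        print(f"line {number}: {kind}: {line}")
```

Lines reported as user-credential or interactive are the sign-ins to move to a managed identity or service principal; the workload check runs first because service principal sign-ins reuse the same `-u`/`-p` and `-Credential` parameters.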

Questions or more information?

Microsoft provides ongoing updates and guidance to help organizations prepare for this new requirement. Have questions or need more information? If so, visit aka.ms/AzMfaRollout or contact us.
