Microsoft Enforces Mandatory Multifactor Authentication for Azure Portal Access

In a decisive move to bolster security, Microsoft announced on August 26, 2025, that it will implement mandatory multifactor authentication (MFA) for all accounts accessing the Azure portal and associated administrative centers. This policy, initially introduced in 2024, aims to significantly reduce account compromises by adding an extra layer of identity verification across Azure and Microsoft 365 administrative portals.

Phased Implementation Timeline

The enforcement of this policy will occur in two distinct phases:

Phase 1: October 2024 – February 2025

– Azure Portal: MFA will be required for all create, read, update, or delete (CRUD) operations.
– Microsoft Entra Admin Center: Similar MFA requirements will be enforced for all CRUD operations.
– Microsoft Intune Admin Center: MFA enforcement for CRUD operations will commence.
– Microsoft 365 Admin Center: MFA requirements will begin in February 2025.

During this phase, tools such as Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure as Code (IaC) tools, and REST API endpoints are not yet included in the MFA enforcement.

Phase 2: Commencing October 1, 2025

– Azure CLI and Azure PowerShell: MFA will be mandated for create, update, and delete operations.
– Azure Mobile App: Similar MFA requirements will apply to create, update, and delete operations.
– IaC Tools and REST API Endpoints: MFA enforcement will extend to these tools for create, update, and delete operations.

Read-only operations will remain exempt from MFA requirements during both phases.

Rationale Behind MFA Enforcement

Microsoft’s research indicates that enabling MFA can block over 99.2% of account compromise attacks, making it one of the most effective defenses against unauthorized access. By transitioning from optional to mandatory MFA for critical administrative access points, Microsoft underscores its commitment to safeguarding cloud resources for its customers.

Scope of Enforcement

The MFA enforcement will affect various applications and tools, with specific timelines:

– Azure Portal: Enforcement begins in the second half of 2024.
– Microsoft Entra Admin Center: Enforcement starts in the second half of 2024.
– Microsoft Intune Admin Center: MFA requirements commence in the second half of 2024.
– Microsoft 365 Admin Center: Enforcement begins in February 2025.
– Azure CLI & PowerShell: MFA enforcement starts on October 1, 2025.
– Azure Mobile App: MFA requirements begin on October 1, 2025.
– IaC Tools & REST API: Enforcement starts on October 1, 2025.

All user accounts accessing these applications must complete MFA upon enforcement. Emergency-access accounts, often referred to as break-glass accounts, are also required to comply with MFA. Organizations are encouraged to configure passkeys (FIDO2) or certificate-based authentication for these critical accounts. Workload identities remain unaffected; however, any user-based service accounts must adhere to the new MFA requirements.

Technical Considerations and Preparations

Administrators who rely on user accounts for scripted automation should transition to workload identities, such as managed identities or service principals, to avoid disruptions when Phase 2 enforcement begins. The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow is incompatible with MFA: the application submits the username and password directly to the token endpoint, which leaves no step at which the user can answer an MFA challenge. Applications using MSAL’s ROPC APIs must therefore migrate to interactive or certificate-based flows.

Developers should update any code that relies on MSAL’s `AcquireTokenByUsernamePassword` or on `UsernamePasswordCredential` in Azure Identity, following Microsoft’s migration guides for .NET, Go, Java, Node.js, and Python.
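One way to find the code that needs this migration is to scan repositories for ROPC entry points before Phase 2 enforcement. The script below is an added example, not Microsoft tooling; the pattern spellings other than the two API names above, the file suffix list, and the sample script are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# ROPC entry points to flag. AcquireTokenByUsernamePassword and
# UsernamePasswordCredential are named in the article; the snake_case and
# camelCase spellings and the raw grant_type=password form are assumptions
# added here to cover other SDKs and hand-written REST calls.
ROPC_PATTERNS = {
    "MSAL ROPC call": re.compile(
        r"acquire_?token_?by_?username_?password", re.IGNORECASE),
    "Azure Identity UsernamePasswordCredential": re.compile(
        r"UsernamePasswordCredential"),
    "raw OAuth password grant": re.compile(
        r"grant_type[\"']?\s*[=:]\s*[\"']?password\b", re.IGNORECASE),
}
SOURCE_SUFFIXES = {".py", ".cs", ".go", ".java", ".js", ".ts", ".ps1", ".sh"}

# Constructed sample: a deployment script that signs in as a user account.
SAMPLE = '''\
from azure.identity import UsernamePasswordCredential, ManagedIdentityCredential
cred = UsernamePasswordCredential(client_id, "svc-deploy@contoso.example", pw)
result = app.acquire_token_by_username_password(user, pw, scopes=SCOPES)
body = {"grant_type": "password", "username": user, "password": pw}
safe = ManagedIdentityCredential()
'''

def scan_text(text, origin="<memory>"):
    """Return (origin, line_no, label, line) for every ROPC usage found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in ROPC_PATTERNS.items():
            if pattern.search(line):
                findings.append((origin, line_no, label, line.strip()))
    return findings

def scan_tree(root):
    """Scan every source file under root and collect ROPC findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    for origin, line_no, label, line in scan_text(SAMPLE, "deploy.py"):
        print(f"{origin}:{line_no}: {label}: {line}")
```

Each finding marks a sign-in that will fail once MFA is enforced for that account; the managed identity line in the sample is not flagged.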

Recommended Actions for Organizations

To prepare for the upcoming MFA enforcement, organizations should:

– Verify MFA Configuration: Utilize the Microsoft Entra ID portal to ensure MFA settings are correctly configured.
– Apply or Update Conditional Access Policies: This requires Entra ID P1/P2 licenses and helps in managing access controls effectively.
– Enable Security Defaults: If Conditional Access is unavailable, enabling security defaults can provide baseline security measures.
– Migrate User-Based Service Accounts: Transition these accounts to workload identities to comply with the new MFA requirements.

Grace Period and Postponement Options

Recognizing that some organizations may need additional time to prepare, Microsoft offers a grace period:

– Phase 1 Enforcement: Organizations can postpone until September 30, 2025, by having a Global Administrator select a new start date at [https://aka.ms/managemfaforazure](https://aka.ms/managemfaforazure).
– Phase 2 Enforcement: Postponement is available until July 1, 2026, via [https://aka.ms/postponePhase2MFA](https://aka.ms/postponePhase2MFA).

After enforcement, Azure portal banners will notify administrators of the required MFA, and sign-in logs will identify MFA challenges. Microsoft strongly recommends immediate MFA adoption to secure high-value administrative accounts and mitigate the growing threat of credential-based attacks.

Conclusion

Microsoft’s decision to mandate MFA for Azure portal access represents a significant advancement in cloud security. By enforcing this additional layer of authentication, Microsoft aims to protect its users from unauthorized access and potential security breaches. Organizations are encouraged to proactively implement MFA to enhance their security posture and comply with industry standards.