Microsoft Will Require MFA for Azure Services

Starting in October, all Microsoft Azure customers will be required to have multifactor authentication (MFA) enabled on their accounts, Microsoft said.

From Microsoft's perspective, requiring MFA across its entire customer base will help reduce the risk of account compromise and data breaches. MFA can block more than 99.2% of account compromise attacks, according to the company.

Mandatory MFA will be turned on for Azure portal, Microsoft Entrata admin center, and Intune admin center, wrote Azure Computer principal product managers Naj Shahid and Bill DeForeest in a blog post. Notifications will start going out to customers via email and Azure Service Health Notifications to give them time to prepare. Customers will receive the date enforcement will begin as well as actions that need to be taken before that date.

Mandating MFA for Azure is part of Microsoft's Secure Future Initiative announced last year to integrate key security features into its products and services. Recent data breaches, such as the attacks against Snowflake customers, succeeded because the compromised systems did not have MFA enabled.

Organizations can choose from an array of MFA options, including Microsoft Authenticator, FIDO2 security keys, certificate-based authentication, and passkeys. While less secure, SMS or voice forms of MFA will also be acceptable, Microsoft said.

Organizations with complex environments or facing technical barriers to adopting MFA can request additional time. Mandatory MFA will not be required for Azure Command Line Interface, Azure PowerShell, Azure mobile app, and infrastructure-as-code tools until early 2025.