Blog Post

Core Infrastructure and Security Blog
3 MIN READ

Microsoft will require MFA for all Azure users

Erin Chapple (BOURKE-DUNPHY)'s avatar
Erin Chapple (BOURKE-DUNPHY)
Icon for Microsoft rankMicrosoft
May 14, 2024
This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in p...
Updated May 17, 2024
Version 4.0
Announcement
Entra ID
MFA
Microsoft Entra ID
multi-factor authentication
security
najshahid's avatar
najshahid
Icon for Microsoft rankMicrosoft
May 17, 2024

Hello everyone, my name is Naj Shahid and I am a product manager in Azure leading this initiative. I am sharing some information below that should help with your questions.

 

  • Scope: All users signing into Azure portal, CLI, PowerShell, or Terraform to administer Azure resources are within the scope of this enforcement.
  • Impact on end users: Students, guest users and other end-users will only be affected if they are signing into Azure portal, CLI, PowerShell or Terraform to administer Azure resources. This enforcement policy does not extend to apps, websites or services hosted on Azure. The authentication policy for those will still be controlled by the app, website or service owners.
  • Exclusions: Service principals, managed identities, workload identities and similar token-based accounts used for automation are excluded. Microsoft is still gathering customer input for certain scenarios such as break-glass accounts and other special recovery processes.
  • MFA Methods: All supported MFA methods are available for you to use.
  • Exceptions: While there will be no opt-out, an exception process will be provided for cases where no workaround is available. Details for the exception process will be shared via official notifications.
  • Timeline: Beginning July 2024, a gradual rollout of this enforcement for portal only will commence. Once we have completed the rollout for portal, a similar gradual rollout will start for CLI, PowerShell and Terraform. We understand the impact this enforcement could have on automated scripts using user identities and thus are prioritizing enforcement for Azure portal to provide additional time to adapt if needed.  
  • Communication: Microsoft will send detailed information and timelines through official emails and notifications with advanced notice to ensure customers are well informed and prepared. The purpose of this blog post was to generate awareness about this upcoming change and help you prepare for transition to multi factor authentication.

 

As Erin mentioned in the post above, don’t wait to set up MFA. Keep users and data safe by setting up MFA with the MFA wizard for Microsoft Entra. Microsoft recommends examining which Entra IDs are used with dev ops and API access to Azure Resource Manager. As needed, learn how to replace user identities with service principals and managed identities.

 

Sincerely,
Naj Shahid

Principal Product Manager

Microsoft Azure