Microsoft 365 Blog

Announcing mandatory multifactor authentication for the Microsoft 365 admin center

Samer_Baroudi
Microsoft
Nov 11, 2024

Learn how multifactor authentication (MFA) can protect your organization and how to prepare for the upcoming Microsoft 365 admin center MFA requirement 

 

Microsoft is committed to continuously enhancing security for all our users and customer organizations. One of the pillars of the Microsoft Secure Future Initiative is to protect identities and secrets, and multifactor authentication (MFA) is a proven approach to substantially reduce the risk of unauthorized access to user accounts. Starting February 3rd, 2025, Microsoft will begin requiring MFA for all user accounts accessing the Microsoft 365 admin center.  This requirement will be rolled out in phases at the tenant level. You will receive a message through the Microsoft 365 admin center Message center approximately 30 days before your tenant is eligible for enforcement. 

Recommended actions 

Global admins: To set up MFA in your organization now, visit the MFA setup guide at aka.ms/MFAWizard or refer to Set up multifactor authentication for Microsoft 365 

Users accessing the Microsoft 365 admin center: Check your verification methods and add one if needed by going to aka.ms/mfasetup. 

What is multifactor authentication and why is it important? 

Multi-factor authentication (MFA) is a security feature that requires you to provide two or more pieces of evidence to prove your identity when you sign in to an online service. These pieces of evidence can be something you know (such as a password or a PIN), something you have (such as a phone or a security key), or something you are (such as a fingerprint or a face scan). MFA adds an extra layer of protection to your account and your data, reducing the risk of unauthorized access even if your password is compromised. MFA is especially important for the Microsoft 365 admin center, where you can manage your organization's settings, users, licenses, subscriptions and more. Research by Microsoft shows that MFA leads to a 99.22% reduction in risk of account compromise. 

MFA will help you:  

  • Prevent unauthorized access to your Microsoft 365 admin accounts and the sensitive accounts, data, and resources that you manage 
  • Enhance your reputation and trust among your customers, partners, and stakeholders, who expect you to safeguard their data and privacy 
  • Reduce the risk of data breaches, identity theft, phishing, ransomware, and other cyberattacks that can compromise your business and your data

Thank you for your cooperation and commitment to creating a more secure future 

We appreciate your understanding and your support as we implement this important security measure. We know that using MFA may require some adjustments, and we believe that the benefits greatly outweigh the efforts. We are confident that MFA will help you enhance your data security and your peace of mind, and we are here to help you with any issues or feedback that you may have along the way. 

FAQ - Microsoft 365 admin center - Mandatory MFA 

MFA Readiness and Verification 

What if I need more time to prepare for this requirement? 

We understand that some customers may need additional time to prepare for this MFA requirement. Therefore, Microsoft will allow extensions for customers with complex environments or technical barriers. Global Administrators can go to the Azure portal to postpone the start date of enforcement. 

A few important notes on requesting postponement: 

  • Global Administrators must have elevated access before postponing the start date of MFA enforcement on this page.  
  • For multi-tenant organizations, Global Administrators must perform this action for every tenant for which they would like to postpone the start date of enforcement.  
  • Extension requests will extend the enforcement for the Microsoft 365 admin center as well as the Azure portal, Microsoft Entra admin center, and the Microsoft Intune admin center. If you have already submitted a request for an extension in the Azure portal, the extension will apply to the Microsoft 365 admin center.  

If you need assistance with postponing your MFA enforcement date, contact support. 

 

How do I know if I am ready for MFA as an admin user accessing the Microsoft 365 admin center? 

If you have enrolled in MFA and have added a verification method, you will be able to satisfy the requirement. Go to aka.ms/mfasetup, review your verification methods and add one if needed. 

 

How do I know if this requirement impacts my organization? 

Microsoft will be rolling out this requirement to all users accessing the Microsoft 365 admin center. You will receive a message center post approximately 30 days before your tenant is eligible for enforcement. If your organization has already set up a qualifying MFA policy for your admin users or for all users in your organization, and users accessing the Microsoft 365 admin center have registered for MFA and added a verification method, then no further action is required at this time. 

 

As a Microsoft 365 administrator, how do I know if my organization has an MFA policy applied to Microsoft 365 admin center sign-in? 

If your Microsoft 365 tenant was created on or after October 22, 2019, Security defaults may already be enabled in your organization. To check if security defaults are enabled, sign in to the Microsoft Entra admin center as at least a Security Administrator. Navigate to Identity > Overview > Properties and view Security defaults. If security defaults are enabled, you will see "Your organization is currently using security defaults." next to a green check mark, and you are already meeting the requirement. 

 

If your organization is using Conditional Access policies in Microsoft Entra and you already have a conditional access policy through which users sign in to the Microsoft 365 admin center with MFA, then you are already meeting the requirement. 

 

While Security defaults and Conditional Access are recommended approaches for setting up your MFA policies, some organizations set MFA policies on a per-user basis. You can also check per-user MFA settings to review and enable each user account with MFA. 
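One way to run the Conditional Access check described above over an export of policies in the JSON shape Microsoft Graph returns for conditionalAccessPolicy objects (an added example, not Microsoft's code). Treating `All` and `MicrosoftAdminPortals` as the application targets that cover admin center sign-in is an assumption, and the sample policies and IDs are constructed placeholders.

```python
import json
# Assumption: includeApplications values taken to cover admin-center sign-in.
ADMIN_TARGETS = {"All", "MicrosoftAdminPortals"}

def audit_policy(policy, targets=ADMIN_TARGETS):
    """Classify one conditionalAccessPolicy object as (verdict, notes)."""
    cond = policy.get("conditions") or {}
    apps, users = cond.get("applications") or {}, cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if not targets & set(apps.get("includeApplications") or []):
        return "not-applicable", ["does not target the admin portals"]
    if "mfa" not in controls and not grant.get("authenticationStrength"):
        return "not-applicable", ["no MFA grant control"]
    notes = []
    if policy.get("state") != "enabled":
        notes.append("state=%s, so nothing is enforced" % policy.get("state"))
    if "mfa" not in controls:
        notes.append("authentication strength only: confirm it requires MFA")
    if grant.get("operator") == "OR" and len(controls) > 1:
        notes.append("MFA is OR-ed with other controls and can be skipped")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            notes.append("%s: %d object(s) bypass the policy" % (key, len(users[key])))
    if apps.get("excludeApplications"):
        notes.append("excludeApplications is not empty")
    return ("review" if notes else "enforces-mfa"), notes

def audit(export_json):
    """Map displayName -> (verdict, notes) for a {"value": [...]} export."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p)
            for p in json.loads(export_json).get("value", [])}

def _p(name, state, apps, controls, **users):  # builds one constructed policy
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps},
                           "users": users},
            "grantControls": {"operator": "OR", "builtInControls": controls}}
# Constructed sample export, not real tenant data; IDs are placeholders.
SAMPLE = json.dumps({"value": [
    _p("All users MFA", "enabled", ["All"], ["mfa"], includeUsers=["All"]),
    _p("Report-only MFA", "enabledForReportingButNotEnforced", ["All"], ["mfa"]),
    _p("MFA or compliant device", "enabled", ["All"], ["mfa", "compliantDevice"]),
    _p("Admins MFA", "enabled", ["MicrosoftAdminPortals"], ["mfa"],
       excludeUsers=["<object-id>"]),
    _p("Single app MFA", "enabled", ["<other-app-id>"], ["mfa"]),
    _p("Block legacy auth", "enabled", ["All"], ["block"])]})

if __name__ == "__main__":
    for name, (verdict, notes) in audit(SAMPLE).items():
        print("%-24s %-14s %s" % (name, verdict, "; ".join(notes)))
```

A `review` verdict marks a policy that names MFA but leaves a path around it (report-only state, an OR-ed alternative control, or exclusions such as service or emergency access accounts), so those accounts are the ones to confirm before enforcement reaches the tenant.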

 

What if I don't add an MFA verification method before this mandatory MFA requirement is applied for my tenant? Will I be locked out of my account? Will I still be able to access the Microsoft 365 admin center? 

No, you will not be locked out of your account. Yes, you will still be able to access the Microsoft 365 admin center. If you have not added an MFA verification method by the time the MFA requirement is enforced for your tenant, you will be prompted to register MFA for your account and add a verification method when you attempt to access the Microsoft 365 admin center. If a user is locked out, there may be another reason. Follow the guidance on Account has been locked - Microsoft Support. For further assistance with account lock-out, contact support.

MFA Policies and Requirements 

Can I opt out of this requirement? 

No. This security measure is important to the safety and security of Microsoft 365 customer organizations and users. Increasingly, MFA is an industry standard baseline security requirement. 

 

Does this requirement impact all Microsoft 365 users? 

No. The mandatory MFA requirement for the Microsoft 365 admin center only impacts users accessing the Microsoft 365 admin center at this time. While MFA is not currently required for general Microsoft 365 services, Microsoft recommends that all Microsoft 365 users use MFA to safeguard user accounts and your organization. 

 

Does this requirement impact Microsoft Graph PowerShell or API? 

No. This requirement does not impact the use of Microsoft Graph PowerShell or API at this time. 

 

Does this requirement apply to emergency access accounts? 

Emergency access accounts (also known as break glass accounts) are privileged accounts not assigned to a specific user and intended to mitigate the risk of accidental account lockout. If your organization has set up emergency access accounts, note that these accounts are also required to sign in with MFA once enforcement begins. We recommend updating emergency access accounts to use a passkey (FIDO2) or configuring certificate-based authentication for MFA. Both of these methods satisfy the MFA requirement.

Third-party Identity Providers 

Our organization uses a third-party identity provider (IdP) for MFA. Will this satisfy the requirement? 

Yes. Use of external MFA solutions will meet the requirement through external authentication methods in Microsoft Entra ID. If your MFA provider is integrated directly with a federated IdP, the federated IdP must be configured to send an MFA claim.

 

Will third-party IdPs through the legacy Conditional Access custom controls preview satisfy the requirement? 

No. As you may know, in 2020, Microsoft provided a preview of Conditional Access custom controls to enable the use of third-party MFA providers with Azure Active Directory. This approach to third-party MFA was found to be too limited and has been replaced by external authentication methods in Microsoft Entra ID. 

Implementation and Support 

I'm part of a small organization with only a few admin users that need to access the Microsoft 365 admin center. What's the easiest way for me to satisfy this requirement with minimal disruption to our users? 

Admin users should simply go to aka.ms/mfasetup and add a verification method such as Microsoft Authenticator. Once the Microsoft 365 admin center MFA requirement is rolled out to your tenant, admin users will be prompted to sign in with MFA using the method your admins have added. 

  

How do I turn on security defaults? 

You may use the steps outlined in the documentation to turn on security defaults here: Security defaults in Microsoft Entra ID - Microsoft Entra | Microsoft Learn 

  

How do I require MFA through Conditional Access in Microsoft Entra? 

You may use the steps outlined in the documentation to create a Conditional Access policy which requires MFA here: Require MFA for all users with Conditional Access - Microsoft Entra ID | Microsoft Learn. 

 

I am part of an organization with multiple Microsoft 365 tenants. Will Microsoft 365 admin center MFA enforcement roll out to all our tenants at the same time? 

Not necessarily. The MFA requirement will roll out in phases at the tenant level starting February 3rd, 2025. For organizations with multiple Microsoft 365 tenants, MFA for Microsoft 365 admin center sign-in may be enforced for your tenants at different times. We recommend you apply MFA across all your Microsoft 365 tenants as soon as possible. 

  

I need help. Who can I contact? 

We are committed to helping you through this important security measure now and into the future. If you need assistance, contact support. 

 

Updated Nov 08, 2024
Version 1.0
  • Thank you Samer and team, the post is very thorough. The only thing I'd like to clarify is whether the only impacted resource is "Microsoft Office 365 Portal" (appID of 00000006-0000-0ff1-ce00-000000000000), or are there any other? Well, and related to this, when can we expect similar enforcement for the other admin centers (Exchange, SPO, Teams, etc)?

    • Ram10589
      Copper Contributor

      We already have conditional access policy implemented to enforce MFA in our tenant. But some technical mailboxes are excluded from MFA due to some reasons. 

      Will these MFA excluded mailboxes be able to manage their own quarantined mails in the security portal (https://security.microsoft.com/) as a user?

  • GeogAlthaus
    Copper Contributor

    Hi Samer_Baroudi 

    You didn't really answer the question from VasilMichev.
    In the link you provided there is the ID 00000006-0000-0ff1-ce00-000000000000 mentioned. But is this the right one? There seems to be one for the new admin portal URL admin.cloud.microsoft (618dd325-23f6-4b6f-8380-4df78026e39b). And there are some user services which use the ID 00000006-0000-0ff1-ce00-000000000000 like https://portal.office.com/account/.

    Can you please clarify this? Thanks Georg

  • Unearth
    Brass Contributor

    Hi Samer, do you know if there will be a similar PowerShell module created to report on all logins that access this app and don't have MFA enforced today, like was created for the MFA for Azure enforcement? https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAzureMfaReport/

    Or even better have the existing module updated so that it checks against logins for the Azure/Entra/Intune and now M365 portal apps? Thanks

  • josea
    Copper Contributor

    How about the AD sync accounts, which are not directly accessing the M365 admin center, and the sync makes changes on the M365 admin portal?

    Does this sync need to enforce MFA, which will cause issues?