Internet of Things Blog

Multi-Factor Authentication for Azure Sphere

AzureSphereTeam
Nov 07, 2024

Update 3: As of January 7th 2025, MFA has been enabled for Azure Sphere (Legacy) accounts.

Update 2: Due to an update in Azure release policy over the holiday season, MFA enablement has been postponed to January 2025. This blog post will be updated with a specific date in due course.

Update 1: The originally advertised activation date has been revised from November 13th to December 5th.

Multi-Factor Authentication (MFA) will soon become mandatory for Azure Sphere, delivering on Azure Sphere’s promise of providing continuous security throughout the lifetime of the product, to meet the evolving needs of industry. This effort is part of Microsoft’s Secure Future Initiative, which, over the coming months, will see all of Azure make MFA mandatory.


This change will impact both Azure Sphere (Integrated) and Azure Sphere (Legacy) service interfaces, but on different dates. As a reminder, Azure Sphere (Legacy) is retiring in 2027, and before then customers must migrate to Azure Sphere (Integrated). Migration has significant benefits including enhanced security and monitoring features, such as role-based access control, through Azure RBAC, and fleet health monitoring, through Azure Monitor. You can read about the various benefits of Azure Sphere (Integrated) here.

 

For customers already using Azure Sphere (Integrated), the rollout will be aligned with MFA rollout for the rest of Azure. You can read more about this and the steps you must take here.

 

For Azure Sphere (Legacy) customers, MFA will be made mandatory on January 7, 2025. This change means that logging into the ‘azsphere’ CLI and accessing the Public API (PAPI), via Entra API sign-in, will now require that users enable MFA for their Azure Sphere (Legacy) accounts, resulting in an additional authentication step. Please note that performing MFA for logging into Azure Sphere (Legacy) is in addition to any other MFA requirements set on user accounts outside of Azure Sphere, so you may see multiple MFA steps.

 

In all instances, you will need to ensure:

  • That users have access to a compatible authenticator app (such as Microsoft Authenticator) or a mobile phone for text-based authentication, so that they can set up MFA when prompted at their next login, once MFA has been made mandatory.
  • That any impacted procedures or tools are identified and updated accordingly, to cater for the additional step in the authentication.

 

Regardless of whether you use Azure Sphere (Integrated) or Azure Sphere (Legacy), Service Principals are designed for automation and do not require MFA. We recommend service principals for any automated workflow. You can read more about service principals for Azure Sphere (Integrated) here and for Azure Sphere (Legacy) here.

 

Should you experience any unexpected behaviors or impact following the mandatory enablement of MFA and require assistance, please reach out to the Azure Sphere product team at: AZSPPGSUP@microsoft.com.

Updated Jan 07, 2025
Version 7.0