Microsoft has announced that it will begin the first phase of its mandatory multi-factor authentication (MFA) push this October to help reduce the likelihood of account compromise attacks. Microsoft said that MFA can block more than 99.2% of these account compromise attacks, so the measure is mandatory.
In Phase 1 of the rollout, which begins in October, MFA will be needed to sign in to the Azure portal, the Microsoft Entra admin center, and the Intune admin center. If you aren't asked right away, don't worry; it's going to be a gradual rollout. Microsoft notes that this phase won't affect other Azure clients such as the Azure Command Line Interface, Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools.
Phase 2 will be initiated early next year, and this will make MFA mandatory for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
To ensure that organizations are ready, Microsoft will be sending a 60-day advance notice to Entra global admins by email and through Azure Service Health Notifications to let them know what they need to do. Microsoft said it is willing to extend the timeframe for organizations with complex environments or technical barriers.
Microsoft will support external multi-factor authentication solutions but will also let users choose the following options:
- Microsoft Authenticator allows users to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes. Augment or replace passwords with two-step verification and boost the security of your accounts from your mobile device.
- FIDO2 security keys provide access by signing in without a username or password using an external USB, near-field communication (NFC), or other external security key that supports Fast Identity Online (FIDO) standards in place of a password.
- Certificate-based authentication enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC). Authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID for browser and application sign-in.
- Passkeys allow for phishing-resistant authentication using Microsoft Authenticator.
- Finally, and this is the least secure version of MFA, you can also use an SMS or voice approval as described in this documentation.
Microsoft said that affected customers should begin planning for compliance as soon as possible so that their business operations are not disrupted. It reminded customers that by introducing this change, they will be better protected against cyber threats. In related news, Microsoft has moved to boost security for personal users of Outlook.