Last month, Microsoft announced that it will enable multi-factor authentication (MFA) for all Azure users. Since this is a big change, Microsoft said that the rollout will be gradual and methodical to minimize impact for customers. Recently, Microsoft provided an update regarding the MFA requirements for Azure along with guidance for customers to prepare their systems. You can read about the scope, timing and implementation details below.
Who will be impacted?
- All Azure users who sign into the Azure portal, Azure CLI, Azure PowerShell.
- Users who use IaC tools including Azure Developer CLI, Bicep, Terraform and Ansible to perform any CRUD operation.
- Workload identities, such as managed identities and service principals, will not be impacted by this enforcement. However, if you are using user identities as service accounts, those accounts will be impacted.
Rollout schedule:
As expected, the rollout of the Azure MFA requirement will be done in two phases:
- Phase 1: Starting in July 2024, enforcement for MFA at sign-in for Azure portal only will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools.
- Phase 2: Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.
Microsoft will also offer a grace period for customers with use cases where no easy workarounds are available and who need more time to adapt to the changes.
Supported Azure MFA Methods:
All existing MFA methods supported in Azure are available. Microsoft also mentioned that support for external MFA solutions is in public preview through external authentication methods. Active Directory Federation Services or other federated identity providers must send an MFA claim once the MFA requirement is enforced by Microsoft.
What should IT admins do?
IT Admins can use the following to find which users are signing into Azure with and without MFA:
- Use this PowerShell command to export a list of users and their auth methods: https://aka.ms/AzMFA
- Use the Multifactor Authentication Gaps workbook (Microsoft Entra ID documentation on Microsoft Learn).
- Use these App IDs in your queries:
  - Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
  - Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
  - Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2
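As an added example (not part of Microsoft's announcement or its tooling), the Python script below applies the three App IDs above to an exported sign-in log and reports which users still reach those Azure clients with single-factor sign-ins. The field names follow the Microsoft Graph sign-in log schema (appId, userPrincipalName, authenticationRequirement, status.errorCode); the sample records, user names and counts are constructed for this example.

```python
import json
from collections import defaultdict

# App IDs listed in the article: the Azure clients covered by the MFA requirement.
AZURE_CLIENT_APP_IDS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": "Azure portal",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
}

# Constructed sample export, shaped like Microsoft Graph signIn objects
# (GET /auditLogs/signIns). Only the fields the check reads are included;
# the users, the failing sign-in and the out-of-scope app are invented.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example",
     "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",
     "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    # a user identity used as a deployment service account: in scope, as the article notes
    {"userPrincipalName": "svc-deploy@contoso.example",
     "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    # failed sign-in (non-zero errorCode): ignored, it says nothing about how the user gets in
    {"userPrincipalName": "carol@contoso.example",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    # an application outside the three Azure clients: not covered by this enforcement
    {"userPrincipalName": "dave@contoso.example",
     "appId": "00000000-0000-0000-0000-000000000000",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
])


def summarize_mfa(signins_json):
    """Count successful sign-ins per user and in-scope Azure client, split by
    whether Entra ID required MFA for that sign-in.

    Returns {upn: {app_name: {"mfa": n, "single_factor": n}}}.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"mfa": 0, "single_factor": 0}))
    for rec in json.loads(signins_json):
        app_name = AZURE_CLIENT_APP_IDS.get(rec.get("appId"))
        if app_name is None:
            continue  # not one of the clients the enforcement targets
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: no evidence about the user's normal auth
        requirement = rec.get("authenticationRequirement")
        bucket = "mfa" if requirement == "multiFactorAuthentication" else "single_factor"
        summary[rec["userPrincipalName"]][app_name][bucket] += 1
    # plain dicts so callers get a stable, serialisable structure
    return {upn: {app: dict(c) for app, c in apps.items()} for upn, apps in summary.items()}


def mfa_gaps(summary):
    """(upn, app_name) pairs with at least one successful single-factor sign-in.
    These are the accounts that will be prompted to register MFA, or whose
    automation will break, once enforcement reaches that client."""
    return sorted(
        (upn, app)
        for upn, apps in summary.items()
        for app, counts in apps.items()
        if counts["single_factor"] > 0
    )


if __name__ == "__main__":
    summary = summarize_mfa(SAMPLE_SIGNINS)
    for upn, app in mfa_gaps(summary):
        c = summary[upn][app]
        print(f"{upn:30} {app:16} single-factor={c['single_factor']} mfa={c['mfa']}")
```

The same filter carries over to a Log Analytics query against the SigninLogs table (AppId and AuthenticationRequirement columns); the point of running it over exported records here is that the svc-deploy entry shows the case the article calls out: a user identity used as a service account for Azure PowerShell that will hit the Phase 2 enforcement.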
Source: Microsoft