Mandatory Multi-Factor Authentication Rollout for Azure
In August of the previous year, Microsoft took a significant step in enhancing security for Azure public cloud users by announcing the implementation of mandatory multi-factor authentication (MFA) for sign-ins. Research conducted by Microsoft indicates that MFA can prevent over 99.2% of account compromises, making it a crucial defense mechanism against unauthorized access.
Phased Implementation Strategy
The rollout of MFA was strategically divided into two key phases. The first phase, which commenced in October 2024, mainly focused on enforcing MFA for sign-ins to management portals. This requirement now applies to all users logging into critical Azure services, such as the Azure portal, Microsoft Entra admin center, and Intune admin center.
As of March 2023, Microsoft has confirmed the successful implementation of the initial portal enforcement for Azure tenants. This progress paves the way for Phase 2, which will introduce “gradual enforcement”at the Azure Resource Manager layer. This new layer will expand MFA requirements to essential tools, including:
- Azure CLI
- Azure PowerShell
- The Azure Mobile App
- Infrastructure as Code (IaC) tools
Preparing for MFA: Guidance for Administrators
For Azure administrators, transitioning to this new requirement necessitates some preparation. Microsoft recommends configuring a Conditional Access policy to ease this process. Below are the steps to set this up:
- Log in to the Microsoft Entra admin center with Conditional Access Administrator rights.
- Navigate to Entra ID, select Conditional Access, and proceed to Policies.
- Create a new policy and assign it a descriptive name.
- Select the appropriate users or groups to include under Assignments.
- Under Target resources, identify Cloud apps and include “Microsoft Admin Portals”and “Windows Azure Service Management API”.
- In Access controls, select Grant, then Require authentication strength, and choose Multifactor authentication.
- Initially set the policy to “Report-only”mode to assess the potential impact without locking users out. Finally, select Create.
It’s important to note that applying these settings requires a Microsoft Entra ID P1 or P2 license. For optimal compatibility with these changes, Microsoft also suggests that users update their systems to at least Azure CLI version 2.76 and Azure PowerShell version 14.3.
For more information and updates regarding this transition, you can refer to the source.
Leave a Reply