Learn how multi-factor authentication (MFA) helps protect your data and identities, and prepare for the upcoming MFA requirements in Azure.
As cyberattacks become more frequent, sophisticated, and damaging, protecting your digital assets has never been more important. As part of Microsoft’s commitment to invest $20 billion in security over the next five years and to strengthen the security of our services by 2024, we are introducing mandatory multi-factor authentication (MFA) for all Azure sign-ins.
The need for enhanced security
One of the pillars of Microsoft’s Secure Future Initiative (SFI) is dedicated to protecting identities and confidentiality. We aim to reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and confidentiality infrastructure, and across user and application authentication and authorization. As part of this priority, we are taking the following actions:
- Protect your identity infrastructure signing and platform keys through rapid, automatic rotation via hardware storage and protection (e.g., hardware security modules (HSMs) and confidential computing).
- Enforce identity standards and accelerate adoption by using standard SDKs across 100% of your applications.
- Ensure 100% of your user accounts are protected with secure, phishing-resistant multi-factor authentication.
- Ensure that all applications are secured using system administrative credentials (e.g., administrative ID and administrative certificate).
- Ensure 100% of ID tokens are protected with stateful storage and durable verification.
- Further refine the split between ID signing keys and platform keys.
- Prepare your identity and public key infrastructure (PKI) systems for the post-quantum cryptography era.
Ensuring that Azure accounts are managed securely and protected with phishing-resistant multi-factor authentication is a key step we are taking. Recent research from Microsoft shows that multi-factor authentication (MFA) is one of the most effective security measures available, blocking more than 99.2% of account compromise attacks, and today’s announcement brings us all one step closer to a more secure future.
In May 2024, Microsoft discussed automatically enforcing multi-factor authentication by default for over 1 million Microsoft Entra ID tenants within Microsoft, including tenants for development, test, demo, and production. We are expanding our best practices for enforcing MFA to customers by making it mandatory for access to Azure. This will not only reduce the risk of customer account compromise and data breaches, but also help organizations comply with multiple security standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the National Institute of Standards and Technology (NIST).
Required Azure MFA Preparation
MFA will be required for all Azure users and will be rolled out in phases starting halfway through calendar year 2024, to give customers time to plan their implementation:
Starting today, Microsoft will send 60 days’ advance notice via email and Azure Service Health notifications to all Entra global administrators, informing them of the enforcement start date and any required actions. Additional notifications will be sent via the Azure portal, the Entra admin center, and the Microsoft 365 Message Center.
For customers who need additional time to prepare for mandatory Azure MFA, Microsoft will review additional timeframes for customers with complex environments or technical barriers.
How to use Microsoft Entra for flexible MFA
Organizations have several ways to enable users to take advantage of MFA through Microsoft Entra.
- Microsoft Authenticator lets users use push notifications, biometrics, or one-time passcodes to authorize sign-ins on mobile apps. Augment or replace passwords with two-step verification and strengthen the security of your accounts on mobile devices.
- FIDO2 security keys let you sign in without a username or password, using an external USB, Near Field Communication (NFC), or other external security key that supports the Fast Identity Online (FIDO) standard.
- Certificate-based authentication provides phishing-resistant MFA using Personal Identity Verification (PIV) and Common Access Card (CAC) credentials. Users authenticate directly to Microsoft Entra ID with X.509 certificates on smart cards or devices for browser and application sign-in.
- Passkeys let you implement phishing-resistant authentication using Microsoft Authenticator.
- Finally, and this is the least secure version of MFA, you can also use SMS or voice authentication as described in this article.
External multi-factor authentication solutions and federated identity providers will continue to be supported and will satisfy the MFA requirement if configured to send MFA claims.
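The requirement above hinges on what a token actually asserts: a federated sign-in only counts if the identity provider passes an MFA claim through. The following example, added here and not code from Microsoft or from the original post, shows a relying-party style check over the `amr` (Authentication Method Reference) claim of a JWT. It uses RFC 8176 method names; the grouping of those names into "phishing-resistant" versus other second factors, and the sample tokens, are this example's own assumptions, so the values a given provider really emits must be confirmed against that provider's documentation. It goes slightly beyond the text by also listing which sample sign-ins a mandatory-MFA policy would reject.

```python
import base64
import json

# Authentication Method Reference (amr) values, named as in RFC 8176, grouped by
# strength. The grouping is this example's own assumption: which amr values an
# identity provider actually emits must be confirmed in that provider's docs.
PHISHING_RESISTANT = {"hwk", "sc"}              # hardware-bound key (FIDO2 / passkey), smart card (PIV/CAC)
SECOND_FACTORS = {"mfa", "otp", "sms", "tel"}   # generic MFA flag, app one-time code, SMS, voice call


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check is done here: a real
    relying party validates signature, issuer, audience and expiry before trusting amr."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def assess_mfa(claims: dict) -> str:
    """Classify a sign-in from its amr claim: 'phishing-resistant', 'mfa' or 'single-factor'."""
    amr = set(claims.get("amr", []))
    if amr & PHISHING_RESISTANT:
        return "phishing-resistant"
    if amr & SECOND_FACTORS:
        return "mfa"
    return "single-factor"


def sign_ins_needing_action(tokens: dict) -> list:
    """Names of sign-ins whose token carries no second factor, i.e. the ones a
    mandatory-MFA policy would reject."""
    return sorted(name for name, tok in tokens.items()
                  if assess_mfa(decode_claims(tok)) == "single-factor")


# Constructed sample tokens (not real Entra tokens), one per method on the page,
# plus a federated sign-in whose provider did not pass an MFA claim through.
SAMPLE_TOKENS = {
    "password-only":    make_sample_token({"sub": "user1", "amr": ["pwd"]}),
    "authenticator":    make_sample_token({"sub": "user2", "amr": ["pwd", "mfa", "otp"]}),
    "sms":              make_sample_token({"sub": "user3", "amr": ["pwd", "sms"]}),
    "fido2-key":        make_sample_token({"sub": "user4", "amr": ["hwk"]}),
    "smart-card":       make_sample_token({"sub": "user5", "amr": ["sc"]}),
    "federated-no-mfa": make_sample_token({"sub": "user6", "amr": ["pwd"], "idp": "example-federated-idp"}),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        print(f"{name:18} {assess_mfa(decode_claims(tok))}")
    print("would be blocked:", sign_ins_needing_action(SAMPLE_TOKENS))
```

The point of the `federated-no-mfa` entry is the failure mode the paragraph warns about: the user may well have done MFA at the external provider, but if that provider does not forward a second-factor value in `amr`, the token looks single-factor to Azure and the sign-in is treated accordingly.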
Moving forward
At Microsoft, your security is our top priority. We want to provide you with the best protection against cyber threats by enforcing MFA for Azure logins. We appreciate your cooperation and your efforts to strengthen the security of your Azure resources.
Our goal is to provide a frictionless experience for legitimate customers while ensuring that robust security measures are in place. We encourage all customers to plan for compliance as soon as possible to avoid disruption to their business.
Get started today! For additional details on implementation, affected accounts, and next steps, see this blog post on the Microsoft Tech Community.