Mandatory Multi-Factor Authentication in Microsoft Entra, Azure, and Intune
Cyber-attacks are becoming more common and even more damaging, making it more crucial than ever that you protect your organization’s data. Yet, while it is important that you take steps to secure your data, the software you use could also put your organization at risk if it does not employ robust security measures. As the provider of one of the most widely used suites of business software, Microsoft understands that they have a responsibility to protect their customers’ data. For this reason, they have pledged to invest $20 billion in security over the next 5 years.
As part of its effort to enhance security across its platforms, Microsoft will start enforcing multifactor authentication (MFA) when signing into Azure, Entra, and other admin portals, with a phased rollout starting in October 2024. Microsoft’s Multifactor Authentication Mandate In August 2024, Microsoft announced that they would be enforcing mandatory multifactor authentication for sign-in to Azure as well as other admin portals including Microsoft Entra and Intune. This move is part of Microsoft’s Secure Future Initiative, which is dedicated to protecting identities and secrets to reduce the risk of unauthorized access to sensitive data. Implementing mandatory multifactor authentication is an essential part of this plan, as research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available. By enforcing the use of multifactor authentication, Microsoft is significantly reducing the risk that their customers’ accounts will be compromised.
When Will This Mandate Be Enforced?
Mandatory MFA enforcement is set to be a major undertaking that could impact as many as a million Microsoft users. Because this is such a large undertaking, MFA enforcement will occur in two phases, with the first phase taking place in October 2024. Starting in late October, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. This phase will not impact other Azure clients such as Azure Command Line Interface (CLI), Azure PowerShell, Azure mobile app, or Infrastructure as Code (IaC) tools.
Phase two of the MFA mandate will then take place in early 2025, and will see MFA enforcement gradually extend to Azure CLI, Azure PowerShell, Aure mobile app, and IaC tools. The goal of this roll-out is to secure Create, Read, Update, or Delete (CRUD) operations across these platforms; however, workload identities such as managed identities and service identities will not be affected.
Scope of Enforcement and Impact
Microsoft’s mandatory MFA enforcement affects all users who sign in to management tools like Azure portal, Entra Admin Center, or PowerShell, including administrators, break-glass emergency access accounts, and accounts that are used as service accounts to run automated tasks or scripts. Considering administrative user accounts should already be protected by MFA, the day-to-day operations of these accounts are unlikely to be affected much by this mandate. This change will have the biggest effect on break-glass accounts and service accounts, which could lead to potential complications if you do not take the right precautions.
Impact on Emergency Access Accounts
One of the biggest complications organizations will face is that break glass or emergency access accounts will be required to sign in with MFA once enforcement begins. The problem is that these accounts traditionally have not had an MFA as it is not clear who should have authentication access or what would happen if a device was lost, failed, or stolen. Instead, these accounts typically used a highly complex password, with two trusted users each storing half of the password.
Your best option for adding multifactor authentication to these accounts would be to enroll them with a FIDO 2 security key, which authenticates and verifies identity using a physical key, usually in the form of a USB.
Impact on Service Accounts
Service accounts are often used for automated processes and background tasks. Unfortunately, the required MFA could halt these processes, as providing these service accounts with an automated way to handle MFA is not straightforward. To mitigate these challenges, Microsoft recommends that customers currently using user accounts as service accounts begin the process of discovery and migration to workload identities such as service principals and managed identities.
MFA Options
While you may already be familiar with multifactor authentication, as many organizations already use this added layer of security to protect their networks, you may still find yourself wondering what MFA options will be available when logging into Microsoft Azure when the mandate becomes effective.
Fortunately, Microsoft provides multiple ways for organizations to implement MFA, including using:
-
Microsoft Authenticator
-
FIDO 2 Security Keys
-
Certificate-Based Authentication
-
Passkey
While Microsoft also provides text message or voice approval as a form of MFA, they do not recommend it, and they suggest it only be used as a last resort, as this is the least secure form of multifactor authentication.
Tips to Prepare for The Multifactor Authentication Mandate
With Microsoft having officially set a deadline by which all users of Azure, Entra, and other admin portals must implement multifactor authentication, your organization should start taking steps now to comply with this mandate. To get you started, read through these tips to help you prepare for the MFA mandate.
- Set Up Microsoft Entra MFA: The first step that you should take is to set up MFA for your admin portals. Fortunately, Microsoft provides a tutorial for how to set up multifactor authentication with Microsoft Entra.
- Educate Your Users: Next, it is essential that you update your staff on Microsoft’s MFA mandate and provide them with training on how to set up and use MFA. Unless your organization already requires MFA, your staff may not know how to use it, as most people don’t use MFA for their personal accounts. User education will be essential in ensuring that your team is prepared for the mandate.
- Transition Service Accounts: Your next step should be to identify which service accounts will be affected by the MFA requirement, and, where feasible, replace these service accounts with workload identities so you don’t encounter any MFA issues. You will need to test your automated processes and adjust configurations as needed to ensure seamless operations moving forward.
- Identify Gaps in MFA Usage: Once you have an MFA policy in place, you will want to ensure that your staff is adhering to your new policy. Fortunately, you can identify user sign-ins that aren’t protected by MFA using Microsoft’s Multifactor Authentication Gaps Workbook. This will help you ensure that your staff is using MFA before the deadline arrives.
- Stay Informed: Microsoft will be implementing its mandatory multifactor authentication roll-out in phases over the next few months, and it is likely that they will make changes to the policy during this time. This makes it essential that you keep an eye out for notifications and emails from Microsoft about MFA enforcement that may provide information about changes to the policy or timeline, or that could provide additional guidance to help ensure a smooth transition.
- Work With a Managed Service Provider: If you are overwhelmed by Microsoft’s looming MFA deadline and you are unsure where to start your preparations, you may want to consider working with an experienced managed service provider (MSP). These experienced IT professionals can help prepare your staff and ensure that your team is ready for this transition.
What If I Use an External MFA?
If your organization already uses multifactor authentication, you may have implemented an external MFA solution. If this is the case, the good news is that you may not have to change anything as support for external MFA solutions is currently in preview and can be used to meet Microsoft’s MFA requirement. However, if you’re using a federated Identity Provider (IdP) such as Active Directory Federation Services, and your MFA provider is integrated with this federated IdP, it must be configured to send an MFA claim.
Can I Ask for Extra Time to Prepare?
If your environment is particularly complex, the prospect of enforcing mandatory multifactor authentication across these portals may seem like an overwhelming undertaking, and you may be wondering if there is any way that you can get extra time to prepare. The good news is that you may be able to request a postponement. Microsoft is allowing customers with complex environments or technical barriers to postpone enforcement for their tenants until March 15, 2025.
Global Administrators can go to the Azure portal to postpone the start date of enforcement for their tenant as long as they have elevated access. However, Global Administrators must perform this action for every tenant for which they would like to postpone the enforcement start date. Of course, Microsoft recommends that all tenants set up MFA now because accounts that have access to admin portals like Azure are highly valuable to threat actors and could be at greater risk of compromise without this added layer of protection.
Agile IT Can Help You Prepare for Microsoft’s Mandatory Multifactor Authentication for Azure and Other Admin Portals
With phase one of Microsoft’s MFA mandate in place for Azure and other admin portals, Microsoft is taking a significant step to help ensure the security of its customers’ data. However, the transition to mandatory MFA in the Azure environment requires careful planning to ensure that your business’s operations are not impacted by this change. Fortunately, you do not have to go through this process alone
By partnering with an experienced MSP, you will have expert IT professionals by your side who can help walk you through the process of implementing MFA in your Azure environment, and they will ensure that your team is ready for the transition when the full mandate goes into effect next year.
If your organization needs help preparing for Microsoft’s MFA mandate in Azure, Entra, and Intune, reach out to Agile IT to find out how our experienced team can help ensure you’re ready for this transition.
Published on: .