Home > Blog > Microsoft MFA Enforcement Is Here: Securing Your Azure and Microsoft 365 Administrative Portals

Microsoft MFA Enforcement Is Here: Securing Your Azure and Microsoft 365 Administrative Portals

Microsoft is moving toward mandatory Multifactor Authentication for Microsoft Azure and other critical administrative portals through 2025. This heightened focus on identity protection is critical for keeping your software compliant and secure in a modern, cloud-centric landscape.

What Is MFA, and Why Is It Essential?

Multifactor Authentication (MFA) is a process in which a user is prompted for additional forms of identification during a sign-in event. It serves as an extra layer of verification beyond your username and password. Common examples include:

• Something you know (a password or fact about yourself)
• Something you have (a hardware token or mobile authenticator app)
• Something you are (biometric data, such as a fingerprint or facial recognition)

Microsoft estimates that MFA can help prevent up to 99% of identity-based threats, proving its effectiveness in deterring cyberattacks. Here are some additional resources on the subject from Microsoft:

• How MFA Works in Microsoft Entra ID (formerly Azure AD)
• Getting Started with Microsoft Entra ID MFA

Real-World Examples Underscore MFA’s Importance

Here are two recent cases where MFA could have assisted in thwarting cyberattacks:

2024 UnitedHealth Group (Change Healthcare) Ransomware Attack

In February 2024, Change Healthcare (part of UnitedHealth Group) experienced a ransomware attack by the BlackCat (ALPHV) group. Attackers exploited a remote server that did not have MFA, allowing them to deploy ransomware and disrupt healthcare services nationwide. Around 100 million individuals’ sensitive data, including medical records and Social Security numbers, was compromised. The organization incurred costs exceeding $870 million and paid a $22 million ransom.

2022 Breach at Uber

According to TechCrunch, the hacker behind the breach said he targeted Uber because of its weak security and that he used a popular social engineering tactic to compromise an employee's Slack account. This breach showed how quickly attackers can misuse or steal credentials when organizations do not have strong, layered authentication measures.

Microsoft MFA Enforcement Timeline

Microsoft’s enforcement for administrative portals will occur in two phases:

1. Phase 1 (February 2025)

In this phase, you will notice mandatory MFA for sign-ins to the Microsoft 365 admin center. At this point, Azure CLI, Azure PowerShell, and the Azure mobile app are not yet subject to enforcement.

2. Phase 2 (Late 2025)

Mandatory MFA for Azure CLI, Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools is coming at a date that has yet to be announced. Organizations operating user accounts as service accounts in Microsoft Entra ID should transition to more secure, cloud-based workload identities.

Adopting MFA now ensures that organizations remain compliant and resilient against emerging threats.

Phishing-Resistant MFA Methods

To counter sophisticated cyberattacks, organizations should deploy phishing-resistant MFA options, such as:

• FIDO2 Security Keys that rely on physical presence and cryptographic validation
• Microsoft Authenticator App with number matching and additional context
• Passwordless Solutions that pair biometrics with hardware or device-based credentials to eliminate traditional passwords

These measures help mitigate risks posed by social engineering and other advanced attacks.

Beyond Admin Portals: Enforce MFA for All Users

Although Microsoft’s current enforcement schedule targets administrative accounts, it is wise to implement MFA for every user within your organization to ensure maximum protection. Applying phishing-resistant MFA across the board:

• Creates a consistent security posture, minimizing the risk of compromised user accounts
• Prepares you for any future expansions of Microsoft’s MFA enforcement requirements
• Helps protect sensitive data, whether accessed by privileged or standard users

How The Stoneridge Team Can Help

Implementing phishing-resistant MFA for admins and all other users can be straightforward with the right guidance. When you work with the Stoneridge team, you can take advantage of the following offers:

• Best Practice Recommendations for configuring FIDO2 keys, passwordless sign-in, or enhanced authenticator app usage
• Streamlined Deployment to ensure minimal interruption of your daily operations
• Continuous Compliance Support, aligning your MFA setup with regulations and evolving Microsoft requirements

Microsoft MFA Enforcement: Take Action Today

As MFA enforcement deadlines approach, now is the time to strengthen your overall security posture:

1. Enable MFA for All Users: Start with admins, but don’t stop there. Protect every account in your organization.
2. Transition Service Accounts: Move away from user credentials for automated services, opting for secure workload identities.
3. Adopt Phishing-Resistant Methods: Use FIDO2 keys, app-based number matching, or passwordless sign-ins.
4. Stay Updated: Follow Microsoft’s documentation for the latest resources and guidance.

Implementing MFA now will help you create a strong defense in protecting your organization's data, reputation, and bottom line. Talk to the Stoneridge team for tailored support in deploying MFA to safeguard your environment.

Under the terms of this license, you are authorized to share and redistribute the content across various mediums, subject to adherence to the specified conditions: you must provide proper attribution to Stoneridge as the original creator in a manner that does not imply their endorsement of your use, the material is to be utilized solely for non-commercial purposes, and alterations, modifications, or derivative works based on the original material are strictly prohibited.

Responsibility rests with the licensee to ensure that their use of the material does not violate any other rights.