
Microsoft is mandating multifactor authentication (MFA) for key administrative and user-facing experiences across Microsoft Entra ID (formerly Azure AD) to mitigate identity-based attacks. This change is part of a broader strategy to reduce risks stemming from compromised credentials — still the most common initial attack vector in breaches today.
The enforcement will roll out gradually, with increasing coverage and stricter access control policies applied to various user types and applications. If you’re managing identities or designing authentication flows, this affects you.
The prompts
You may have already encountered these prompts in your Microsoft Entra tenant. The first screen is a Portal MFA Enforcement notice, informing users that Microsoft now requires Multifactor Authentication (MFA) to access key admin portals like Azure, Microsoft Entra admin center, and Intune. If MFA isn’t already configured, users are redirected to set it up. This is part of Microsoft’s move toward secure-by-default identity practices.

The second screen offers a Postpone MFA Enforcement option, allowing tenant administrators to delay enforcement until a specified date (e.g., June 22, 2025). Choosing this requires elevated access and involves setting up enforcement prerequisites, after which MFA will be automatically required at the postponed date.

If you see these prompts, you can either proceed with configuring MFA immediately or use the postponement workflow to buy time — but only until the set deadline. Postponement should only be used strategically, as enforcement is inevitable and affects all human user accounts accessing administrative services. Prepare now by ensuring your users are MFA-ready and automation accounts are transitioned to workload identities.
Why Mandatory MFA?
Microsoft’s internal telemetry shows that MFA can prevent over 99.2% of identity compromise attacks. Despite this, a significant number of administrative and privileged users still sign in with only a password — creating a large attack surface. To close this gap, Microsoft is moving toward secure-by-default access, which includes:
- Enforcing MFA for sensitive operations and admin portals
- Blocking legacy authentication methods that bypass MFA
- Encouraging passwordless options such as FIDO2 passkeys and certificate-based authentication (CBA)
Enforcement Scope Breakdown
The table below summarizes when and where mandatory MFA will apply:
Scope | Details | Enforcement Timeline |
---|---|---|
Admin Portals | Azure Portal, Microsoft Entra Admin Center, Microsoft Intune Admin Center | Started H2 2024 |
Developer Tools | Azure CLI, Azure PowerShell, Azure mobile app, REST APIs | Starting July 1, 2025 |
Account Types | Human identities performing any CRUD operations in affected apps. Includes global admins, contributors, and developers. | Phased rollout from 2024 |
Break Glass Accounts | Emergency access accounts must now comply with MFA using methods such as FIDO2 or CBA. | Immediate |
Automation Accounts | Human user identities used for automation are subject to enforcement. Migrate to workload identities (service principals/managed identities) to avoid disruption. | Recommended before July 2025 |
Workload Identities | Service principals and managed identities are exempt. | Not affected |
Technical Considerations
1. Authentication Methods that Meet MFA Requirements
Method | Meets MFA Requirement | Notes |
---|---|---|
Microsoft Authenticator (Push/TOTP) | ✅ | Must be registered for the user in advance |
FIDO2 Security Keys / Passkeys | ✅ | Strongest method, phishing resistant |
Certificate-Based Authentication (CBA) | ✅ | Ideal for break glass or device-tied authentication |
SMS / Voice Call | ✅ (but not recommended) | Legacy method; less secure |
Username + Password | ❌ | No longer sufficient for admin access |
External Authentication Methods
To meet MFA requirements, organizations can utilize External Authentication Methods (EAM) in Microsoft Entra ID. EAM enables the integration of third-party MFA providers—such as Cisco Duo, Ping Identity, or TrustBuilder—directly into Entra ID. This allows users to authenticate using their existing MFA solutions, providing flexibility and consistency across platforms. EAMs can satisfy MFA requirements for Conditional Access policies, Privileged Identity Management (PIM) role activations, and Identity Protection risk-based policies. To implement EAM, administrators need to configure the external provider within the Entra admin center, ensuring that the provider issues the appropriate claims to satisfy MFA requirements. This approach is particularly beneficial for organizations seeking to maintain a unified authentication experience while adhering to Microsoft’s security mandates.
Read my previous step-by-step post on this feature.

2. Conditional Access Impact
Conditional Access (CA) policies remain crucial for managing MFA behavior. The mandatory enforcement is applied independently of your CA policies, but the two coexist: CA can require MFA earlier or more broadly, and enforcement sets the floor. Best practices:
- Enforce MFA via Conditional Access for user segments before enforcement kicks in
- Require compliant or hybrid-joined devices for high-risk access
- Enable sign-in risk policies to require MFA dynamically
3. Programmatic Access and Automation
Programmatic sign-ins using user accounts (e.g., with `az login` or scripts using `Connect-AzAccount`) will fail if MFA is not satisfied. Options:
- Convert to service principals with certificate or federated credentials
- Use managed identities for Azure resources
- Re-architect scripts to avoid interactive human sign-ins
How to Prepare
Inventory Access
Identify accounts used to access administrative interfaces, scripts, or APIs. Check if they already use MFA or passwordless.
Update Emergency Access Accounts
Microsoft now mandates that break glass accounts use at least one phishing-resistant MFA method. Register a FIDO2 key or configure CBA.
Review Sign-In Logs
Use the Microsoft Entra sign-in logs to detect which users are not using MFA. Cross-reference with audit logs to assess potential exposure.
Implement MFA Registration Policy
Use the authentication methods policy to enforce registration of FIDO2, Authenticator App, or CBA during the user’s sign-in process.
Test Now, Avoid Downtime Later
Set up CA policies that simulate enforcement conditions before the actual deadline. Identify who would be blocked and why.
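As an added example (not code from the original post), the following Python script combines the sign-in log review above with the "who would be blocked and why" check: it reads exported Entra sign-in records as JSON lines and reports human users who reached an in-scope admin portal or developer tool with only a single factor, while skipping workload identities and failed sign-ins. The field names (userPrincipalName, appDisplayName, authenticationRequirement, servicePrincipalId, status.errorCode) follow the Microsoft Graph signIn resource as far as I know, and the app display names and sample records are constructed assumptions to verify against your own export.

```python
"""Flag sign-ins that mandatory MFA enforcement would block.

Reads Entra sign-in log records (JSON, one object per line, as exported
from the Entra admin center or Microsoft Graph), keeps successful human
sign-ins to the admin portals and developer tools in the enforcement
scope, and reports those that satisfied only a single factor.
"""
import json
from collections import defaultdict

# Applications in the enforcement scope (see the table above). The exact
# appDisplayName strings are an assumption; check them against your logs.
ENFORCED_APPS = {
    "Azure Portal", "Microsoft Entra Admin Center", "Microsoft Intune Admin Center",
    "Azure CLI", "Azure PowerShell", "Azure mobile app",
}


def would_be_blocked(record):
    """True if this sign-in would fail once MFA is mandatory."""
    # Workload identities (service principals / managed identities) are exempt.
    if record.get("servicePrincipalId"):
        return False
    # Only successful sign-ins matter here; failed ones are already blocked.
    if record.get("status", {}).get("errorCode", 0) != 0:
        return False
    if record.get("appDisplayName") not in ENFORCED_APPS:
        return False
    return record.get("authenticationRequirement") == "singleFactorAuthentication"


def find_exposed_users(lines):
    """Map UPN -> sorted list of in-scope apps reached with single-factor auth."""
    exposed = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if would_be_blocked(rec):
            exposed[rec["userPrincipalName"]].add(rec["appDisplayName"])
    return {upn: sorted(apps) for upn, apps in exposed.items()}


# Constructed sample records (not real tenant data).
SAMPLE_LOG = """
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure CLI", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Intune Admin Center", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@contoso.example", "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "", "servicePrincipalId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Azure CLI", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""

if __name__ == "__main__":
    for upn, apps in find_exposed_users(SAMPLE_LOG.splitlines()).items():
        print(f"{upn}: would be blocked for {', '.join(apps)}")
```

Point it at a real export (one JSON object per line) and the output is the list of accounts to remediate or migrate to workload identities before the deadline.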
See here for the full article

Final Thoughts
This enforcement marks a significant shift from opt-in to mandatory security. Organizations that proactively implemented Conditional Access and strong authentication will likely face minimal disruption. However, those relying on legacy scripts or non-MFA admin workflows must act now.
Moving forward, expect Microsoft to tighten the secure-by-default posture — enforcing identity protection policies and removing fallback mechanisms like SMS or voice-based MFA.
Embrace modern, phishing-resistant authentication. The sooner your identity fabric aligns with these standards, the better prepared you’ll be for the future of secure cloud operations.
