{"id":25983,"date":"2025-09-29T10:23:04","date_gmt":"2025-09-29T18:23:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/09\/29\/news-19703\/"},"modified":"2025-09-29T10:23:04","modified_gmt":"2025-09-29T18:23:04","slug":"news-19703","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/09\/29\/news-19703\/","title":{"rendered":"Azure mandatory multifactor authentication: Phase 2 starting in October 2025"},"content":{"rendered":"<p><strong>Credit to Author: Joy Shah and Neha Kulkarni| Date: Fri, 05 Sep 2025 15:00:00 +0000<\/strong><\/p>\n<p class=\"wp-block-paragraph\">As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical, and at Microsoft, your security is our top priority.&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/08\/20\/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft research<\/a>&nbsp;shows that multi-factor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available.<\/p>\n<p class=\"wp-block-paragraph\">As&nbsp;<a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-mandatory-multi-factor-authentication-for-azure-sign-in\/\" target=\"_blank\" rel=\"noreferrer noopener\">announced in August 2024<\/a>, Azure started to implement mandatory MFA for Azure Public Cloud sign-ins. By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft\u2019s commitment to enhance security for all customers, taking one step closer to a more secure future.<\/p>\n<p class=\"wp-block-paragraph\">As previously announced, Azure MFA enforcement was rolled out gradually in phases to provide customers with enough time to plan and execute their implementations:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Phase 1:<\/strong>\u00a0MFA enforcement on Azure Portal, Microsoft Entra admin center, and Intune admin center sign-ins.<\/li>\n<li class=\"wp-block-list-item\"><strong>Phase 2:<\/strong>\u00a0Gradual enforcement for MFA requirement for users performing Azure resource management operations through any client (including but not limited to: Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools).<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">We are proud to announce that multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025. Now, Azure is announcing the start of Phase 2 MFA enforcement at the Azure Resource Manager layer, starting<strong>&nbsp;October 1, 2025<\/strong>. Phase 2 enforcement will be gradually applied across Azure tenants through&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azuregovernanceandmanagementblog\/update-on-mandatory-multi-factor-authentication-for-azure-sign-in\/AKA.MS\/AZUREPOLICY\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Policy<\/a>, following Microsoft&nbsp;<a href=\"https:\/\/azure.microsoft.com\/blog\/advancing-safe-deployment-practices\/\" target=\"_blank\" rel=\"noreferrer noopener\">safe deployment practices<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Starting this week, Microsoft sent notices to all Microsoft Entra Global Administrators by email and through&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/service-health\/service-health-notifications-properties\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Service Health notifications<\/a>&nbsp;to notify the start date of enforcement and how to prepare for upcoming MFA enforcement.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication?tabs=dotnet#prepare-for-mandatory-mfa-enforcement\">Prepare for mandatory MFA enforcement<\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"customer-impact\">Customer impact<\/h2>\n<p class=\"wp-block-paragraph\">Users will be required to authenticate with MFA before performing resource management operations.&nbsp;Workload identities, such as managed identities and service principals, aren\u2019t impacted by&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication?tabs=dotnet#enforcement-phases\" target=\"_blank\" rel=\"noreferrer noopener\">either phase<\/a>&nbsp;of this MFA enforcement.<\/p>\n<p class=\"wp-block-paragraph\">Learn more about the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication?tabs=dotnet#scope-of-enforcement\" target=\"_blank\" rel=\"noreferrer noopener\">scope of enforcement<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-to-prepare\">How to prepare<\/h2>\n<h3 class=\"wp-block-heading\" id=\"1-enable-mfa-for-your-users\">1. Enable MFA for your users<\/h3>\n<p class=\"wp-block-paragraph\">To ensure your users can perform resource management actions,&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication?tabs=dotnet#prepare-for-mandatory-mfa-enforcement\" target=\"_blank\" rel=\"noreferrer noopener\">enable MFA for your users<\/a>&nbsp;by&nbsp;<strong>October 1, 2025<\/strong>.&nbsp;To identify which users in your environment are set up for mandatory MFA, follow&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/how-to-mandatory-multifactor-authentication\" target=\"_blank\" rel=\"noreferrer noopener\">these steps<\/a>.&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"2-understand-potential-impact\">2. Understand potential impact<\/h3>\n<p class=\"wp-block-paragraph\">To understand potential impact ahead of Phase 2 enforcement,&nbsp;<a href=\"https:\/\/aka.ms\/MFAforAzureSelfEnforce\" target=\"_blank\" rel=\"noreferrer noopener\">assign built-in Azure Policy definitions<\/a>&nbsp;to block resource management operations if the user has not authenticated with MFA.<\/p>\n<p class=\"wp-block-paragraph\">Customers can gradually apply this enforcement across different resource hierarchy scopes, resource types, or regions.<\/p>\n<h3 class=\"wp-block-heading\" id=\"3-update-your-azure-cli-and-powershell-clients\">3. Update your Azure CLI and PowerShell clients<\/h3>\n<p class=\"wp-block-paragraph\">For the best compatibility experience, users in your tenant should use Azure CLI version 2.76 and Azure PowerShell version 14.3 or later.<\/p>\n<h2 class=\"wp-block-heading\" id=\"next-steps-for-multi-factor-authentication-for-azure-sign-in\">Next steps for multi-factor authentication for Azure sign-in<\/h2>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">To ensure your users can perform resource management actions,\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication?tabs=dotnet#prepare-for-mandatory-mfa-enforcement\" target=\"_blank\" rel=\"noreferrer noopener\">enable MFA for your users<\/a>\u00a0by\u00a0<strong>October 1, 2025<\/strong>.\u00a0<\/li>\n<li class=\"wp-block-list-item\">To understand the potential impact, apply a\u00a0<a href=\"https:\/\/aka.ms\/MFAforAzureSelfEnforce\" target=\"_blank\" rel=\"noreferrer noopener\">built-in Azure Policy definition<\/a>\u00a0in\u00a0<strong>audit or enforcement mode<\/strong>.<\/li>\n<li class=\"wp-block-list-item\">For the best compatibility experience, users in your tenant should use<strong>\u00a0Azure CLI version 2.76<\/strong>\u00a0and\u00a0<strong>Azure PowerShell version 14.3<\/strong>\u00a0or\u00a0later.<\/li>\n<li class=\"wp-block-list-item\">If you can\u2019t enable MFA for your tenant by October 1, 2025, the\u00a0<strong>Global Administrator<\/strong>\u00a0for your tenant can\u00a0<a href=\"https:\/\/aka.ms\/postponePhase2MFA\" target=\"_blank\" rel=\"noreferrer noopener\">postpone the enforcement date through Azure Portal<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Keep an eye out for further communications through the previously\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-mandatory-multifactor-authentication#notification-channels\" target=\"_blank\" rel=\"noreferrer noopener\">communicated notification channels<\/a>.<\/li>\n<\/ul>\n<p>The post <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025\/\">Azure mandatory multifactor authentication: Phase 2 starting in October 2025<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Joy Shah and Neha Kulkarni| Date: Fri, 05 Sep 2025 15:00:00 +0000<\/strong><\/p>\n<p>Microsoft Azure is announcing the start of Phase 2 multi-factor authentication enforcement at the Azure Resource Manager layer, starting October 1, 2025.<\/p>\n<p>The post <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025\/\">Azure mandatory multifactor authentication: Phase 2 starting in October 2025<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-25983","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25983"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25983\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}