
Microsoft to roll out mandatory MFA for Azure

Following several high-profile attacks across the globe on MFA-less accounts, Microsoft will make the security measure mandatory for Azure sign-ins beginning in October.

Microsoft will institute mandatory MFA for Azure cloud services as part of its Secure Future Initiative, which follows recent high-profile data breaches and criticism of the company's security practices.

In a blog post on Friday, Naj Shahid, principal product manager at Microsoft, and Bill DeForeest, principal product manager for Azure Compute, announced Microsoft will require MFA for all Azure sign-ins beginning in October.

The gradual process will be rolled out in two phases. First, customers will be required to implement MFA for the Azure Portal, the Microsoft Entra admin center and the Intune admin center. Then, in early 2025, the requirement will extend to the Azure Command Line Interface, Azure PowerShell, the Azure mobile app and infrastructure-as-code tools.

Shahid and DeForeest stressed that the new requirement is part of Microsoft's Secure Future Initiative, which was introduced last year in response to high-profile security incidents. For example, in January, the tech giant disclosed a data breach in which a Russian state-affiliated threat actor known as Midnight Blizzard compromised Microsoft's corporate network and accessed the email accounts of some senior executives. Microsoft later revealed that Midnight Blizzard gained initial access by breaching a legacy non-production test tenant account that did not have MFA enabled.

Shahid and DeForeest referred to Microsoft research that showed MFA can block more than 99.2% of account compromise attacks. In May, following the attack on the tenant account, Microsoft discussed requiring MFA by default across Microsoft Entra ID tenants. Now the requirement will extend to Azure as well.

"Ensuring Azure accounts are protected with securely managed, phishing-resistant multifactor authentication is a key action we are taking," they wrote in the blog post.

The process will begin with 60-day advance notifications sent to administrators with options to extend time for customers that fit certain qualifications. Customers will implement the new MFA mandate through Entra, which provides authentication and authorization services. Shahid and DeForeest listed several ways for users to enable MFA for Azure through Microsoft Entra including using Microsoft Authenticator, FIDO2 security keys, passkeys and certificate-based authentication.

Microsoft also offers SMS-based and voice approval options for MFA but warned that they are the least secure of the available methods.

"As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical," the blog read.

Another massive attack related to a lack of MFA protection involved cloud storage and analytics vendor Snowflake. In May, a threat actor used stolen credentials and targeted Snowflake accounts that did not have MFA enabled, which led to data breaches against Ticketmaster, AT&T and Santander Bank.

Todd Thiemann, an analyst at TechTarget's Enterprise Strategy Group (ESG), stressed how the industry has increasingly recognized the benefits of MFA to improve security postures. He cited recent ESG research that showed 80% of enterprises made MFA mandatory for their workforce while 94% mandated it for privileged IT workers like admins.

"The recent Snowflake episode where individual customer accounts were breached had its root in compromised customer credentials, and that would have been avoided if the customers had turned on MFA. Microsoft probably had initiatives in motion to amp MFA for Azure, and I expect that the industry awareness following those news events accelerated the MFA plans," Thiemann said. "Microsoft requiring MFA for Azure is an important step in improving security and countering credential compromise."

Alex Cox, director of threat intelligence at LastPass, discussed changes that the password management vendor implemented following a breach in 2022. During Black Hat 2024 earlier this month, he told TechTarget Editorial that MFA was a big focus of bolstering its security posture.

"We're making sure we're doing things considered to be the world class approaches to problems, [such as] deploying MFA everywhere and using hardware authentication," Cox said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
