In a significant move to enhance the security of its cloud platform, Microsoft has announced that it will begin enforcing multi-factor authentication (MFA) for all Azure resource management actions starting in October. This security enhancement, a core component of Microsoft’s broader Secure Future Initiative (SFI), is designed to provide a more robust defense against unauthorized access attempts and align with industry-wide best practices for identity protection. The gradual rollout across tenants worldwide will apply to all users and is a critical step in securing the Azure ecosystem.
The new enforcement will impact a range of tools used for managing Azure resources. Users will be required to enable MFA on their accounts when performing “Create, Update, or Delete” operations through the Azure CLI, Azure PowerShell, the Azure mobile app, Infrastructure as Code (IaC) tools, and REST API endpoints. This also includes scripts and automation that use user identities, which are often overlooked in security protocols. By extending the MFA requirement to these apects of resource management, Microsoft aims to close potential security gaps that could be exploited by malicious actors.
To ensure a smooth transition and avoid compatibility issues, Microsoft is advising users to update their tools to the latest versions. Specifically, users should upgrade Azure CLI to version 2.76 or later and Azure PowerShell to version 14.3 or later. This proactive measure will help ensure that the tools are ready to handle the new MFA requirements without causing disruptions to workflows. For organizations that require more time to prepare for compliance, global administrators can postpone the enforcement date until July 2026, offering a window to fully implement and test their security preparations.
This initiative is part of a series of security-focused announcements from Microsoft over the past year. In August 2024, the company urged Entra global admins to enable MFA for their tenants to prevent users from losing access to administrative portals. This was followed by a May 2024 announcement to enforce MFA for all users administering resources on Azure and a November 2024 rollout of Conditional Access policies for all admins. The consistent push for MFA demonstrates Microsoft’s commitment to making a more secure environment for all its customers.
The importance of this change is underscored by Microsoft’s own research, which highlights the effectiveness of MFA in preventing account compromise. A Microsoft study found that 99.99% of MFA-enabled accounts are resistant to hacking attempts, and MFA can reduce the risk of compromise by nearly 99%, even when an attacker has stolen credentials. The company’s Secure Future Initiative is a comprehensive, multi-year project to improve security, and its influence is even visible in other Microsoft-owned services, such as GitHub, which began enforcing two-factor authentication for all developers in January 2024.
Reference: