
On Tue, Aug 26, 2025, Microsoft announced the enforcement of mandatory multifactor authentication (MFA) for all accounts accessing the Azure portal and related administrative centers. This policy aims to enhance security by adding an additional layer of identity verification across Azure and Microsoft 365 admin portals.
Policy Overview
Starting October 2024, MFA will be required for any create, read, update, or delete operations within the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Full enforcement across CLI, PowerShell, mobile, and Infrastructure as Code (IaC) tools will commence on October 1, 2025, further strengthening administrative security.
Research indicates that enabling MFA blocks over 99.2% of account compromise attacks, highlighting its effectiveness as a defense mechanism. Microsoft will enforce MFA by default for critical administrative access points to safeguard cloud resources.
Scope of Enforcement
Enforcement will occur in two phases:
- Phase 1 (October 2024 – February 2025)
  - Azure portal sign-in for all CRUD operations.
  - Microsoft Entra admin center sign-in for all CRUD operations.
  - Microsoft Intune admin center sign-in for all CRUD operations.
  - Microsoft 365 admin center sign-in requirements begin in February 2025.
- Phase 2 (October 1, 2025)
  - Azure CLI and Azure PowerShell for create, update, and delete operations.
  - Azure mobile app for create, update, and delete operations.
  - IaC tools and REST API endpoints for create, update, and delete operations.
  - Read-only operations remain exempt.
Administrators using user accounts for scripted automation should transition to workload identities, such as managed identities or service principals, to avoid disruptions when Phase 2 begins.
Affected Applications and Timelines
| Application Name | Enforcement Start |
|---|---|
| Azure portal | Second half of 2024 |
| Microsoft Entra admin center | Second half of 2024 |
| Microsoft Intune admin center | Second half of 2024 |
| Microsoft 365 admin center | February 2025 |
| Azure CLI & PowerShell | October 1, 2025 |
| Azure mobile app | October 1, 2025 |
| IaC tools & REST API | October 1, 2025 |
All user accounts accessing the listed applications must complete MFA upon enforcement. Break-glass and emergency-access accounts also require MFA; organizations are advised to configure passkeys (FIDO2) or certificate-based authentication for these accounts. Workload identities remain unaffected, but user-based service accounts must comply.
The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow is incompatible with MFA. Applications using MSAL's ROPC APIs must migrate to interactive or certificate-based flows. Developers should update code relying on AcquireTokenByUsernamePassword or UsernamePasswordCredential in Azure Identity, following Microsoft's migration guides for .NET, Go, Java, Node.js, and Python.
Microsoft advises immediate MFA adoption to secure high-value administrative accounts and mitigate the threat of credential-based attacks. Organizations can prepare by:
- Verifying MFA configuration via the Microsoft Entra ID portal.
- Applying or updating Conditional Access policies (requires Entra ID P1/P2).
- Enabling security defaults if Conditional Access is unavailable.
- Migrating user-based service accounts to workload identities.
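The "apply or update Conditional Access policies" step above is easy to get subtly wrong: a report-only policy, or an OR-combined grant that a compliant device alone satisfies, does not actually require MFA. The script below, an added example that is not code from the article or from Microsoft, evaluates an exported set of policies for that. It assumes the policy objects follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.applications.includeApplications, conditions.users.includeUsers/excludeUsers, grantControls.operator and grantControls.builtInControls); MicrosoftAdminPortals as the admin-portals app group identifier and mfa as the built-in grant control are the Graph values as I know them, and the sample policies are constructed.

```python
"""Check exported Conditional Access policies for admin-portal MFA coverage.

Added example, not from the article or from Microsoft. Policy objects are
assumed to follow the Microsoft Graph `conditionalAccessPolicy` shape;
`MicrosoftAdminPortals` and the `mfa` grant control are the Graph values as
I know them. The sample policies below are constructed.
"""

ADMIN_PORTALS = "MicrosoftAdminPortals"
ALL = "All"

# Constructed sample export: one real requirement, one report-only pilot,
# one policy that looks like MFA but can be satisfied by device compliance.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for admin portals",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [ADMIN_PORTALS]},
            "users": {"includeUsers": [ALL],
                      "excludeUsers": ["<break-glass-object-id>"]},  # placeholder id
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA everywhere (report-only pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": [ALL]},
            "users": {"includeUsers": [ALL]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Compliant device or MFA",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [ALL]},
            "users": {"includeUsers": [ALL]},
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def requires_mfa_for_admin_portals(policy):
    """True only if the policy is enforced, reaches the admin portals for all
    users, and cannot be satisfied without MFA.

    With operator OR any listed control satisfies the grant, so MFA is only
    guaranteed when it is the sole control; with AND every control applies.
    Authentication-strength grants are not evaluated here.
    """
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    apps = set(cond.get("applications", {}).get("includeApplications", []))
    if not apps & {ADMIN_PORTALS, ALL}:
        return False
    if ALL not in cond.get("users", {}).get("includeUsers", []):
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        return False
    return grant.get("operator") == "AND" or controls == {"mfa"}


def evaluate_policies(policies):
    """Summarise coverage across a policy export.

    `excluded_users` lists principals carved out of the covering policies,
    typically break-glass accounts; the enforcement still subjects those to
    MFA, so they need a passkey or certificate registered.
    """
    covering = [p for p in policies if requires_mfa_for_admin_portals(p)]
    excluded = sorted({u for p in covering
                       for u in p["conditions"]["users"].get("excludeUsers", [])})
    return {
        "covered": bool(covering),
        "covering_policies": [p.get("displayName", "<unnamed>") for p in covering],
        "excluded_users": excluded,
    }


if __name__ == "__main__":
    print(evaluate_policies(SAMPLE_POLICIES))
```

Feed it the JSON you get from exporting policies (for example the value array returned by the Graph conditionalAccess/policies endpoint) and treat any non-empty excluded_users list as a reminder to verify those accounts hold phishing-resistant methods rather than as an exemption.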
After enforcement, Azure portal banners will notify administrators of required MFA, and sign-in logs will identify MFA challenges.
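The sign-in logs are also the quickest way to find what will break before each phase lands: user accounts driving Azure CLI or PowerShell non-interactively (the automation the article says should move to workload identities), ROPC sign-ins that can never satisfy an MFA requirement, and admin-portal sessions still completing with a single factor. The following audit is an added example, not code from the article or from Microsoft. It assumes the records follow the Microsoft Graph signIn resource shape (userPrincipalName, appDisplayName, isInteractive, authenticationRequirement, authenticationProtocol); the application display names and the sample records are constructed for illustration and may need adjusting to what your tenant's logs actually show.

```python
"""MFA-enforcement readiness audit over Entra sign-in log records.

Added example, not code from the article or from Microsoft. Records are
assumed to follow the Microsoft Graph `signIn` resource shape; the app
display names and the sample records below are constructed.
"""
import json

# Portals covered by Phase 1 (display names assumed to match the log).
ADMIN_PORTAL_APPS = {
    "Azure Portal",
    "Microsoft Entra admin center",
    "Microsoft Intune admin center",
    "Microsoft 365 admin center",
}
# Clients covered by Phase 2, where user-account automation will stop working.
SCRIPTED_CLIENT_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}

# Constructed sample export (what a saved sign-in log query might contain).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "svc-deploy@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "svc-legacy@contoso.example", "appDisplayName": "Legacy Inventory Sync",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "authenticationProtocol": "ropc"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Azure PowerShell",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "authenticationProtocol": "oAuth2"},
]


def audit_signins(records, admin_apps=ADMIN_PORTAL_APPS, scripted_apps=SCRIPTED_CLIENT_APPS):
    """Classify sign-ins into the three things the enforcement will affect.

    Returns a dict of sorted, de-duplicated findings:
      admin_portal_without_mfa - users reaching an admin portal with a
                                 single-factor sign-in (Phase 1 impact)
      scripted_user_accounts   - user accounts used non-interactively from
                                 CLI/PowerShell (move to workload identities)
      ropc_signins             - (user, app) pairs authenticated via ROPC,
                                 which cannot satisfy an MFA requirement
    """
    findings = {"admin_portal_without_mfa": set(),
                "scripted_user_accounts": set(),
                "ropc_signins": set()}
    for rec in records:
        user = rec.get("userPrincipalName", "<unknown>")
        app = rec.get("appDisplayName", "")
        mfa_done = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        if app in admin_apps and not mfa_done:
            findings["admin_portal_without_mfa"].add(user)
        # A missing isInteractive field is treated as interactive (conservative).
        if app in scripted_apps and rec.get("isInteractive", True) is False:
            findings["scripted_user_accounts"].add(user)
        if rec.get("authenticationProtocol") == "ropc":
            findings["ropc_signins"].add((user, app))
    return {key: sorted(vals) for key, vals in findings.items()}


def load_signins(path):
    """Load a JSON export: either a bare list or a Graph-style {"value": [...]}."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["value"] if isinstance(data, dict) else data


if __name__ == "__main__":
    import sys
    records = load_signins(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SIGNINS
    for category, items in audit_signins(records).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

Run it against an exported sign-in log file to get three remediation lists; the scripted_user_accounts and ropc_signins entries are the ones to clear before the October 1, 2025 date, since those sign-ins will fail rather than merely be prompted.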