Microsoft To Mandate MFA for Accounts Signing In to the Azure Portal


On Tue, Aug 26, 2025, Microsoft confirmed that multifactor authentication (MFA) will be mandatory for all accounts signing in to the Azure portal and related administrative centers. The policy, first announced in 2024, adds a second identity-verification factor in front of the Azure and Microsoft 365 admin portals, the entry points most often targeted by credential-based attacks.

Policy Implementation and Timeline

Beginning in October 2024, MFA will be required for sign-ins to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center for any create, read, update, or delete (CRUD) operations. Full enforcement, including command-line interfaces (CLI), PowerShell, mobile applications, and Infrastructure as Code (IaC) tools, will commence on October 1, 2025, to further strengthen administrative security.

Research conducted by Microsoft indicates that MFA blocks more than 99.2 percent of account compromise attacks, making it one of the most effective single controls against unauthorized access. The enforcement applies by default to these critical administrative access points and does not depend on a tenant having configured Conditional Access.

Scope of Enforcement

Enforcement will occur in two phases:

Phase 1 (October 2024 – February 2025):

  • Azure portal sign-in for all CRUD operations.
  • Microsoft Entra admin center sign-in for all CRUD operations.
  • Microsoft Intune admin center sign-in for all CRUD operations.
  • Microsoft 365 admin center sign-in requirements begin in February 2025.

Phase 1 does not include Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, or REST API endpoints.

Phase 2 (October 1, 2025):

  • Azure CLI and Azure PowerShell for create, update, and delete operations.
  • Azure mobile app for create, update, and delete operations.
  • IaC tools and REST API endpoints for create, update, and delete operations.
  • Read-only operations remain exempt.

Administrators who run scripted automation under user accounts should move that automation to workload identities, such as managed identities or service principals, before Phase 2 begins; otherwise those scripts will start failing MFA challenges they cannot answer. Microsoft has published migration guidance for this transition in its documentation.

Affected Applications and Timelines

Application                      Enforcement Start
Azure portal                     Second half of 2024
Microsoft Entra admin center     Second half of 2024
Microsoft Intune admin center    Second half of 2024
Microsoft 365 admin center       February 2025
Azure CLI & Azure PowerShell     October 1, 2025
Azure mobile app                 October 1, 2025
IaC tools & REST API endpoints   October 1, 2025

All user accounts accessing these applications must complete MFA upon enforcement. Break-glass and emergency-access accounts will also require MFA, and it is recommended to configure passkeys (FIDO2) or certificate-based authentication for these accounts. Workload identities are not impacted, but all user-based service accounts must comply.

The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow sends a username and password directly to the token endpoint and therefore cannot satisfy an MFA requirement. Applications using MSAL's ROPC APIs must migrate to interactive or certificate-based flows. Developers should update any code that relies on AcquireTokenByUsernamePassword (MSAL) or UsernamePasswordCredential (Azure Identity), following Microsoft's migration guides for .NET, Go, Java, Node.js, and Python.

Preparation steps for organizations include:

  • Verifying MFA configuration via the Microsoft Entra ID portal.
  • Applying or updating Conditional Access policies (requires Entra ID P1/P2).
  • Enabling security defaults if Conditional Access is unavailable.
  • Migrating user-based service accounts to workload identities.
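Before Phase 2, the practical question for the transition paragraph above and for the last preparation step is which user accounts are still driving Azure CLI or Azure PowerShell without MFA. The following is an added example, not code from the article or from Microsoft: it scans exported Microsoft Entra sign-in records and reports successful single-factor user sign-ins to the Phase 2 clients. The sign-in records are constructed for the example and use a subset of the Microsoft Graph signIn field names; the two application IDs are Microsoft's published first-party IDs for Azure CLI and Azure PowerShell, and the dictionary can be extended with other clients.

```python
"""Find user accounts still signing in to Azure CLI / Azure PowerShell
without MFA (candidates for migration to workload identities).

Added example; the sign-in records below are constructed and mirror only a
subset of the Microsoft Entra sign-in log schema (Graph `signIn` resource).
"""

import json
from collections import defaultdict

# Published first-party application IDs for the Phase 2 command-line clients.
# Extend this mapping if you want to cover further clients.
PHASE2_APPS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}

# Constructed sample export: two automation sign-ins by a service account
# without MFA, one interactive admin sign-in with MFA, and one failed sign-in.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-09-10T02:00:11Z",
  "userPrincipalName": "svc-deploy@contoso.example",
  "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-09-10T02:05:42Z",
  "userPrincipalName": "svc-deploy@contoso.example",
  "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-09-10T09:17:03Z",
  "userPrincipalName": "alice@contoso.example",
  "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
  "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-09-10T09:20:00Z",
  "userPrincipalName": "bob@contoso.example",
  "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 50126}}
]
""")


def find_mfa_gaps(signins):
    """Return {(upn, client_name): count} of successful single-factor user
    sign-ins to Phase 2 clients. Failed sign-ins are skipped because they do
    not prove the account actually operates without MFA."""
    gaps = defaultdict(int)
    for s in signins:
        client = PHASE2_APPS.get(s.get("appId"))
        if client is None:
            continue  # not a client covered by Phase 2 enforcement
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in, not evidence of working automation
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            continue  # already satisfied MFA; will keep working after Phase 2
        gaps[(s["userPrincipalName"], client)] += 1
    return dict(gaps)


def report(signins):
    """Human-readable lines, one per (account, client) pair needing attention."""
    lines = []
    for (upn, client), n in sorted(find_mfa_gaps(signins).items()):
        lines.append(
            f"{upn} -> {client}: {n} successful sign-in(s) without MFA; "
            "migrate to a managed identity or service principal if this is "
            "scripted automation, or enrol the user in MFA if interactive"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNINS):
        print(line)
```

In a real tenant, feed this the JSON exported from the Entra sign-in logs or the Graph `auditLogs/signIns` endpoint; accounts that appear only in the small hours with no MFA, like the constructed `svc-deploy` entries, are the scripted workloads that will break on October 1, 2025.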

Organizations that need more time can defer Phase 1 enforcement until September 30, 2025, by having a Global Administrator select a new start date through the postponement option Microsoft provides. Phase 2 can likewise be postponed until July 1, 2026. A deferral only moves the date; the accounts still need MFA or workload identities before the new deadline.

Post-enforcement, Azure portal banners will inform administrators of required MFA, and sign-in logs will track MFA challenges. Microsoft emphasizes the importance of immediate MFA adoption to secure high-value administrative accounts and mitigate credential-based attack threats.
