This is based on an article from the Cyber Security Hub Newsletter.
As cyberattacks become more frequent, sophisticated, and damaging, protecting your digital assets has never been more vital. In line with Microsoft’s $20 billion investment in security over the next five years and their commitment to enhancing security across its services in 2024, Microsoft is now introducing mandatory multi-factor authentication (MFA) for all Azure sign-ins.
The Need for Enhanced Security
The foundation of Microsoft’s Secure Future Initiative (SFI) is safeguarding identities and secrets. Microsoft’s goal is to minimise the risk of unauthorised access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, as well as user and application authentication and authorisation. To achieve this, they are taking the following key actions:
- Protecting Identity Infrastructure: Implementing rapid and automatic rotation of signing and platform keys, secured with hardware storage and protection such as Hardware Security Modules (HSM) and confidential compute.
- Strengthening Identity Standards: Ensuring all applications adopt standard SDKs to enhance security.
- Securing User Accounts: Guaranteeing that all user accounts are safeguarded with securely managed, phishing-resistant MFA.
- Protecting Applications: Ensuring all applications use system-managed credentials, such as Managed Identity and Managed Certificates.
- Enhancing Identity Tokens: Securing 100% of identity tokens with stateful and durable validation.
- Partitioning Keys: Adopting more fine-grained partitioning of identity signing keys and platform keys.
- Preparing for Post-Quantum Cryptography: Ensuring identity and public key infrastructure (PKI) systems are ready for the challenges of a post-quantum cryptography world.
A key step in this initiative is requiring all Azure accounts to be protected with securely managed, phishing-resistant MFA. According to recent Microsoft research, MFA can block over 99.2% of account compromise attacks, making it one of the most effective security measures available.
Implementing Mandatory Azure MFA
Starting in the second half of 2024, Microsoft will begin rolling out mandatory MFA for all Azure users in phases, allowing customers time to plan their implementation:
- Phase 1: Beginning in October 2024, MFA will be required to sign in to the Azure portal, Microsoft Entra admin centre, and Intune admin centre. This will gradually extend to all tenants worldwide. Other Azure clients, such as Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools, will not be impacted during this phase.
- Phase 2: In early 2025, MFA enforcement will expand to Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools.
Starting today, Microsoft will notify all Entra global admins 60 days in advance via email and Azure Service Health Notifications about the enforcement start date and required actions. Additional notifications will be available through the Azure portal, Entra admin centre, and the M365 message centre.
For customers with complex environments or technical challenges, Microsoft is open to reviewing extended timeframes for mandatory MFA preparation.
Flexible MFA Options with Microsoft Entra
Organisations can enable their users to implement MFA through several options offered by Microsoft Entra:
- Microsoft Authenticator: Users can approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes, providing a robust layer of security.
- FIDO2 Security Keys: Access without usernames or passwords using external security keys that support Fast Identity Online (FIDO) standards.
- Certificate-Based Authentication: Enforces phishing-resistant MFA using personal identity verification (PIV) and common access card (CAC) with X.509 certificates for secure sign-ins.
- Passkeys: A phishing-resistant authentication method using Microsoft Authenticator.
- SMS or Voice Approval: While less secure, this method is still supported, as described in Microsoft’s documentation.
External MFA solutions and federated identity providers will remain compatible with Azure, provided they are configured to send an MFA claim.
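The compatibility condition above hinges on the federated provider actually emitting the MFA claim. As an added example (not from the article or from Microsoft), the following Python inspects a SAML 2.0 assertion from a federated IdP and reports whether it carries that claim; it assumes the `authnmethodsreferences` claim type with the `multipleauthn` value that Microsoft documents for federated MFA, and the two assertions are constructed samples, not real tokens.

```python
import xml.etree.ElementTree as ET

# Claim type and value Microsoft documents for a federated IdP to signal that MFA
# was performed (assumed here; verify against current Entra documentation).
AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_CLAIM_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def authn_methods(assertion_xml: str) -> list:
    """Return every value of the authnmethodsreferences attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AUTHN_METHODS_CLAIM:
            for value in attr.iterfind("saml:AttributeValue", NS):
                if value.text:
                    values.append(value.text.strip())
    return values


def asserts_mfa(assertion_xml: str) -> bool:
    """True only if the IdP explicitly claims multi-factor authentication."""
    return MFA_CLAIM_VALUE in authn_methods(assertion_xml)


# Constructed sample assertions: the first reports password + MFA, the second
# reports password only and would not satisfy an MFA requirement on the Azure side.
MFA_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AUTHN_METHODS_CLAIM}">
      <saml:AttributeValue>{PASSWORD_METHOD}</saml:AttributeValue>
      <saml:AttributeValue>{MFA_CLAIM_VALUE}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

PASSWORD_ONLY_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AUTHN_METHODS_CLAIM}">
      <saml:AttributeValue>{PASSWORD_METHOD}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("mfa", MFA_ASSERTION), ("password-only", PASSWORD_ONLY_ASSERTION)):
        print(label, authn_methods(xml), "MFA claim present:", asserts_mfa(xml))
```

Running it against assertions captured from your own IdP (for example via a SAML trace of a test sign-in) shows whether the MFA claim is actually sent before the enforcement date.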
To ensure a smooth transition and avoid business interruptions, Microsoft encourages all customers to begin planning for compliance as early as possible.