Yes, Microsoft has been enforcing mandatory Multi-Factor Authentication (MFA) for specific administrative and developer-related sign-ins since the latter half of 2024, with additional phases continuing through 2025.
This rollout is part of Microsoft's "Secure Future Initiative" to combat rising cybersecurity threats and strengthen the security of its cloud platforms. The enforcement does not apply to all users but is specifically targeted at accounts accessing high-value administrative and development portals and tools.
For organizations already using stronger security policies, this change will have little impact, but others may need to take action to comply.
The phased rollout of mandatory MFA
To give customers time to prepare, Microsoft is enforcing mandatory MFA through a series of phases.
Phase 1: Commenced in 2024
- Target: Admin portals for Azure, Entra ID, and Intune.
- Timeline: Began October 15, 2024, with a gradual rollout to all tenants worldwide.
- Action Required: Users signing into the Azure portal, Microsoft Entra admin center, and Intune admin center to perform Create, Read, Update, or Delete (CRUD) operations must use MFA.
- What was not impacted: The initial phase did not affect other Azure clients like the Azure Command Line Interface (CLI), Azure PowerShell, or Infrastructure as Code (IaC) tools.
Phase 2: Commencing in 2025
- Target: Azure CLI, PowerShell, and other developer tools.
- Timeline: Gradual enforcement of MFA for sign-in to these tools was originally announced for early 2025; enforcement starts October 1, 2025.
- Action Required: Users performing CRUD operations via Azure CLI, PowerShell, the Azure mobile app, IaC tools, and REST API endpoints will require MFA.
- What is not impacted: Read-only operations and workload identities (such as managed identities and service principals) will not be affected.
The underlying reasons for the policy change
Microsoft is mandating MFA to address the overwhelming threat posed by compromised credentials.
- Combating identity-based attacks: Research shows that MFA can block more than 99.2% of account compromise attacks, which often start with stolen passwords.
- Secure Future Initiative: This effort is a core part of Microsoft's broader security program, which includes investing $20 billion in security enhancements over five years.
- Boosting security for all: By enforcing a baseline security measure like MFA, Microsoft is raising the security standard across its entire user base, protecting all customers from prevalent threats.
What this means for different types of users
For administrators
- Elevated access: Admins must ensure they have an MFA method registered to avoid being locked out of administrative portals.
- Postponement option: Tenants with complex environments can request a postponement of Phase 1 enforcement until September 30, 2025. Admins must have elevated access to manage this.
For end users and developers
- End users: The new requirement does not impact end users accessing apps and services hosted on Azure unless they also sign into the admin portals or use the specified developer tools.
- Service accounts and automation: Any scripts or automated tasks that use user identities as service accounts must be updated. Microsoft recommends migrating these to workload identities, which are not impacted by the enforcement.
Practical steps for organizations
1. Assess your current posture
- Identify gaps: Use Microsoft's reporting tools, such as the Multifactor Authentication Gaps workbook in Entra ID, to find users who are not yet using MFA for administrative access.
- Review privileged accounts: Pay special attention to "break glass" or emergency access accounts, which must also comply with the new MFA requirements.
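The gap assessment above can also be done programmatically. The following is an added example (not code from the original article or from Microsoft): it consumes records shaped like the Microsoft Graph report GET /reports/authenticationMethods/userRegistrationDetails (the fields userPrincipalName, isAdmin, isMfaRegistered, isMfaCapable and methodsRegistered are real), lists privileged accounts with no MFA method registered, and separates emergency access accounts so they can be planned for explicitly. The sample records, the "breakglass" naming convention and the function names are assumptions made for the demo; the fetch helper is only used against a live tenant with a suitably permissioned token.

```python
"""Find privileged accounts that have no MFA method registered.

Added example, not from the original article. Input records follow the
shape of Microsoft Graph's userRegistrationDetails report. SAMPLE_RECORDS
is constructed for the demo.
"""
import json
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/reports/"
             "authenticationMethods/userRegistrationDetails")

# Constructed sample of what the report might return for a small tenant.
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice.admin@contoso.example", "isAdmin": True,
     "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "bob.admin@contoso.example", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "breakglass01@contoso.example", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
]

# Assumed naming convention for emergency access accounts in this tenant.
BREAK_GLASS_PREFIX = "breakglass"


def fetch_registration_details(access_token):
    """Page through the live Graph report; follows @odata.nextLink until done."""
    records, url = [], GRAPH_URL
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


def find_admin_mfa_gaps(records):
    """UPNs of admin accounts with no MFA method registered, sorted."""
    return sorted(r["userPrincipalName"] for r in records
                  if r.get("isAdmin") and not r.get("isMfaRegistered"))


def classify_gaps(records):
    """Split the gaps into emergency access accounts (which still need a
    registered method under the enforcement, so plan it deliberately) and
    ordinary admins (who must register before the enforcement date)."""
    gaps = find_admin_mfa_gaps(records)
    break_glass = [u for u in gaps
                   if u.split("@")[0].startswith(BREAK_GLASS_PREFIX)]
    admins = [u for u in gaps if u not in break_glass]
    return {"break_glass": break_glass, "admins": admins}


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_registration_details(token) for a real tenant.
    print(json.dumps(classify_gaps(SAMPLE_RECORDS), indent=2))
```

Non-admin users without MFA are deliberately left out of the result, because the enforcement described in the article targets administrative and developer sign-ins; widen the filter if your own policy covers everyone.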
2. Plan your implementation
- Use Conditional Access: Organizations with an Entra ID Premium license can use Conditional Access policies for more granular control over MFA. This allows for fine-tuning based on user roles, location, and application.
- Leverage Security Defaults: For those without premium licenses, Microsoft's Security Defaults offer a simple, preconfigured way to enforce MFA and other foundational security settings across all users.
- Migrate legacy policies: Microsoft is retiring legacy MFA and Self-Service Password Reset (SSPR) policies in favor of a unified Authentication methods policy, which organizations should migrate to by September 2025.
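For organizations taking the Conditional Access route, the policy body below is an added example (not from the original article or from Microsoft's own tooling) of the kind of policy an admin would create, together with a pre-flight check run before it is submitted. It follows the Microsoft Graph conditionalAccessPolicy schema used by POST /identity/conditionalAccess/policies: role holders accessing the Azure management application must satisfy MFA, the policy starts in report-only mode, and the emergency access accounts are excluded so a mistake in the tenant's own policy cannot lock every admin out (Microsoft's enforcement still applies to those accounts, so they still need a registered method). The two GUIDs are well-known Entra identifiers that should be verified in your tenant; the break-glass object ID and the function names are constructed for the demo.

```python
"""Build and sanity-check a Conditional Access policy requiring MFA for
admin roles on Azure management. Added example, not the article's code.
"""

# Well-known application ID of "Windows Azure Service Management API"
# (Azure Resource Manager), the app behind the portal, CLI and PowerShell.
# Verify in your own tenant before use.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Well-known role template ID of Global Administrator; verify in your tenant.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed placeholder object ID of the tenant's emergency access account.
BREAK_GLASS_OBJECT_IDS = ["00000000-0000-0000-0000-00000000beef"]


def build_admin_mfa_policy(role_ids, break_glass_ids, report_only=True):
    """Return a Graph conditionalAccessPolicy body. Report-only first so the
    sign-in logs show who would be blocked before the policy is enforced."""
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": "Require MFA for admins on Azure management",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": list(role_ids),
                "excludeUsers": list(break_glass_ids),
            },
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_problems(policy):
    """Review findings for a policy body; an empty list means it passes."""
    problems = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    controls = policy["grantControls"].get("builtInControls", [])
    if not users.get("includeRoles") and not users.get("includeUsers"):
        problems.append("policy targets nobody")
    if "mfa" not in controls:
        problems.append("grant control does not require MFA")
    if AZURE_MANAGEMENT_APP_ID not in apps:
        problems.append("Azure management app not in scope")
    if not users.get("excludeUsers"):
        problems.append("no emergency access account excluded; "
                        "a bad policy could lock out every admin")
    return problems


if __name__ == "__main__":
    import json
    policy = build_admin_mfa_policy([GLOBAL_ADMIN_ROLE_ID], BREAK_GLASS_OBJECT_IDS)
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy))
```

Submit the body with an account that holds a Conditional Access administration role, watch the report-only results in the sign-in logs, then switch report_only to False once every admin has registered a method.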
3. Communicate and educate
- Inform users: Clearly communicate the upcoming changes to your administrators and developers to ensure they register an MFA method before the enforcement date.
- Provide training: Offer guidance on how to set up and use different MFA methods, such as the Microsoft Authenticator app, to ensure a smooth transition.