MFA Will Be Mandatory for Azure Logins – Are You Ready?

Microsoft has announced that they are enabling a feature that enforces Multi-Factor Authentication (MFA) for all Azure logins. This applies to everyone except Workload Identities. Therefore, MFA authentication is required for accounts that previously did not require it, such as Break the Glass/Emergency Access Accounts, even if they were excluded from Conditional Access Policies.

What is changing and when?
The changes started to roll out gradually across all Azure environments in July 2024. (Phase 1). In both phases, Global Admins will receive a notification 60 days before the change via email and Azure Service Notifications, meaning the change will take effect no earlier than September 2024 (Phase 1).

• Phase 1: July 2024

• MFA becomes mandatory for logging into the Azure portal.

• Does not yet affect Azure CLI, Azure PowerShell, or IaC tools.

• Phase 2: Early 2025

• MFA requirement expands to cover Azure CLI, Azure PowerShell, and IaC tools.

What does this mean in practice?
Even if an account is excluded from Conditional Access Policies, MFA authentication will still be enforced. This also applies to Break the Glass/Emergency Access Accounts. It is recommended to implement FIDO2 (or certificate-based) authentication for these accounts, which satisfies Azure's MFA requirement but does not rely on Microsoft Entra multifactor authentication services. If normal user accounts are used in automation and those accounts log in to Azure, the automations will stop functioning once the change takes effect.

This change does not affect end-users who use managed applications, websites, or services in Azure but do not log into the Azure portal, CLI, or PowerShell. End-user authentication requirements will continue to be managed by the owners of the applications, websites, or services. Note that if MFA is already in use within the organization, this change will not affect users who already have MFA enabled.

How to prepare for the change?
The impact of the change should be assessed in advance to avoid unnecessary issues.
Check the following and make the necessary changes:

• Do you have accounts where MFA is not enabled? -> Enable MFA.

• Are regular accounts used in automations? -> Implement Workload Identity in automations.

• Implement FIDO2 keys for Break the Glass/Emergency Access Accounts.

Microsoft's official announcement can be found here.

We can help!

If you have any concerns, feel free to contact us for further discussion.

Terms

• FIDO2 – A physical 'key' used for authentication. A phishing-resistant authentication method that does not depend on Microsoft Entra multifactor authentication services.

• Break the Glass Account – An account with Global Administrator role, used only in extreme emergencies.

• Emergency Access Account – Same as Break the Glass Account.

• Conditional Access Policy (CA Policy) – Policies that define conditions for accessing resources.

• Multi-Factor Authentication (MFA) – Multi-step authentication that provides additional security to an identity. Used in, for example, Finnish banking services.