A recent cyberattack on Microsoft’s Azure public cloud computing infrastructure resulted in a multi-hour outage. Although a recently announced obligatory two-factor authentication login requirement would not have stopped that distributed denial of service attack, it will improve user data and identity protection.
As part of Microsoft’s $20 billion security initiative, principal product managers Naj Shahid and Bill DeForeest of Azure Computer confirmed on August 15 that “we are introducing mandatory multifactor authentication for all Azure sign-ins.” The notification alerts administrators to the impending requirement for 2FA to access the Azure portal, Microsoft Entra admin centre, and Intune admin centre starting in October and gives them a 60-day heads-up.
Although Microsoft’s Secure Future Initiative is a significant financial commitment, it is necessary. “Protecting your digital assets has never been more critical,” Shahid and DeForeest stated, “as cyberattacks become more frequent, sophisticated, and damaging.” Therefore, it should not be surprising that one of SFI’s main tenets is its dedication to maintaining both identities and secrets. By putting best-in-class standards into place and upholding them across the board for user and application authentication and authorization, as well as identity and secret infrastructure, Microsoft said it hopes to lower the risk of unauthorised access, which is the purpose of the new mandate.
The notice refers to new data from Microsoft showing that MFA can block over 99.2% of account compromise attempts. It is crucial to safeguard Azure accounts using 2FA that is phishing-resistant and securely maintained. Microsoft has declared that it will carry out the following measures:
- Protecting identity infrastructure, signing, and platform keys.
- Strengthening identity standards and driving adoption.
- Ensuring 100% of user accounts are protected with multifactor authentication.
- Ensuring 100% of applications are protected with system-managed credentials.
- Ensuring 100% of identity tokens are protected with stateful and durable validation.
- Adopting more fine-grained partitioning of identity signing keys and platform keys.
- Ensuring identity and public key infrastructure systems are ready for a post-quantum cryptography world.
Microsoft stated it will “not only reduce the risk of account compromise and data breach for our customers but also help organizations comply with several security standards and regulations” by requiring 2FA for users to access Azure. Microsoft has announced that it will introduce the new authentication requirement in two phases, beginning in October, so that people may prepare ahead.
The first phase, which begins in October, mandates the use of 2FA for Azure portal, Microsoft Entra admin centre, and Intune admin centre logins. All tenants will eventually be subject to this action. Beginning on August 15, Microsoft should begin sending out 60-day notices to global administrators that include enforcement data and necessary actions. Phase two will see the progressive implementation of 2FA for the Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code beginning in early 2025. Microsoft has also stated that longer timeframes will be offered to clients with complicated environments or those who encounter technical difficulties.
To be clear, end users who are using apps and services but are not logging into the Azure portal, CLI, or PowerShell will not be forced to use 2FA unless specifically requested to do so by the service providers.
“We appreciate your cooperation and commitment to enhancing the security of your Azure resources,” Microsoft stated. “By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats.”