Microsoft to enforce Multi-Factor Authentication for all Azure users

Starting this July, Microsoft’s Azure platform is set to begin a phased rollout of mandatory multi-factor authentication (MFA) for all users, strengthening tenant-level security. MFA, a staple of cloud service security, adds a layer of verification beyond the usual username and password, combining knowledge-based (passwords or PINs), possession-based (a mobile device or token), or inherence-based (biometric verification) factors. This move aims to significantly reduce cyber threats and unauthorized-access scenarios, especially in today’s expanding remote work environment.

The gradual deployment strategy is designed to ensure minimal disruption, with Azure providing personalized rollout updates via email and Azure Portal notifications. Preemptive adoption of MFA is encouraged through the use of the Microsoft Entra MFA wizard, empowering users to immediately elevate their security posture.

Microsoft has underscored the critical importance of MFA against the backdrop of increasing and evolving cyber attacks. A staggering 99.9% of accounts breached in recent findings were not MFA-protected, underscoring the efficacy of MFA in preventing more than 99.2% of potential account compromises. As hybrid work models proliferate and digital transformation accelerates, the risk of cyber intrusions broadens, making the case for stringent MFA implementation even more compelling.

MFA also plays a pivotal role in adhering to numerous security frameworks and regulations, including PCI DSS, HIPAA, GDPR, and NIST standards, marking it as an essential facet of comprehensive identity and access management strategies.

Microsoft encourages immediate action to adopt MFA, offering it as a free, integral security measure for Azure tenants. For guidance on setting up MFA and further insights on enhancing your security infrastructure, resources are available through the Microsoft Learn platform and documentation on Microsoft’s Secure Future Initiative.

Good to know

🔹 Scope of Implementation
The MFA requirement will extend to Azure Portal, CLI, PowerShell, and Terraform for administering Azure resources.

🔹 User Impact
Only affects those signing in to administer Azure resources, including students, guest users, and other end-users. Hosting applications/sites on Azure will not be impacted.

🔹 Exclusions
Accounts utilized for automation, such as service principals, managed identities, and workload identities, are exempt.

🔹 Timeline
A phased rollout will begin in July 2024, initially for the portal, followed by CLI, PowerShell, and Terraform.

🔹 MFA Methods
All Entra ID MFA methods are supported.

🔹 Exceptions
There is currently no opt-out option available.

🔹 Communication
Microsoft will send detailed timelines and information via official emails to raise awareness.

🔹 Guidelines for rolling out MFA
Start enrolling Azure users in MFA now. For tenants with E5 (Entra ID P2), a simple configuration of the MFA registration policy is encouraged. Tenants without E5 can create a Conditional Access policy requiring MFA (if they have P1) and monitor MFA registration through the provided report link.

Also provided are PowerShell scripts from Merrill Fernando for quick reporting, and email templates for communicating the MFA rollout to users.
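As an added example (not one of the scripts the post refers to), the following Microsoft Graph PowerShell report lists users who are not yet MFA-registered and checks whether the break-glass accounts carry a FIDO2 or TOTP method, in line with the recommendation below. It assumes the Microsoft.Graph SDK is installed, that the caller holds the AuditLog.Read.All and User.Read.All scopes, and that the break-glass UPNs are replaced with your own.

```powershell
# Added example, not from the original post. Reports MFA registration gaps before
# Azure enforcement reaches the tenant. Assumes the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Reports

function Get-MfaRegistrationGap {
    param(
        # Constructed placeholders; replace with the tenant's real break-glass UPNs.
        [string[]]$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
    )

    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All' -NoWelcome

    # One row per user from the authentication-methods registration report (Graph v1.0).
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $rows = foreach ($d in $details) {
        [pscustomobject]@{
            UserPrincipalName = $d.UserPrincipalName
            IsAdmin           = $d.IsAdmin
            IsMfaRegistered   = $d.IsMfaRegistered
            Methods           = @($d.MethodsRegistered)
            IsBreakGlass      = $BreakGlassUpns -contains $d.UserPrincipalName
        }
    }

    # Break-glass and admin accounts first: enforcement hits those hardest.
    $notRegistered = @($rows | Where-Object { -not $_.IsMfaRegistered } |
        Sort-Object -Property @{ Expression = 'IsBreakGlass'; Descending = $true },
                              @{ Expression = 'IsAdmin';      Descending = $true },
                              'UserPrincipalName')

    # Method names as reported by userRegistrationDetails.methodsRegistered (assumption:
    # newer tenants may report FIDO2 keys under the passKeyDeviceBound names).
    $strongMethods = 'fido2SecurityKey', 'passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator',
                     'softwareOneTimePasscode', 'hardwareOneTimePasscode'
    $weakBreakGlass = @($rows | Where-Object {
        $_.IsBreakGlass -and -not ($_.Methods | Where-Object { $_ -in $strongMethods })
    })

    [pscustomobject]@{
        TotalUsers                   = @($rows).Count
        NotMfaRegistered             = $notRegistered
        BreakGlassWithoutFido2OrTotp = $weakBreakGlass
    }
}

$report = Get-MfaRegistrationGap
$report.NotMfaRegistered | Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation
$report.BreakGlassWithoutFido2OrTotp | Format-Table UserPrincipalName, @{ n = 'Methods'; e = { $_.Methods -join ',' } }
```

Run it from an account with the reporting permissions above; the CSV gives the enrolment backlog, and any break-glass account shown in the second table still needs a FIDO2 key or TOTP registered.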

Recommendation

Given that Microsoft’s modification also impacts break-glass accounts, we recommend the following:

  • Protect the first break-glass account with a FIDO2 key -> Refer to this blog post
  • Secure the second break-glass account with TOTP

Additionally, service account users, which may now be subject to mandatory MFA, should be transitioned to Managed Identities if the resource resides within your Azure Tenant, or utilize Service Principals otherwise.

Important to understand
I consider a service user to be an Entra ID user with a password and not a service principal (app registration)

It’s crucial to reiterate
User sign-ins to, for instance, Microsoft 365 applications will not be subjected to mandatory MFA by Microsoft’s changes. Nonetheless, it’s strongly recommended to have relevant Conditional Access Policies in place (minimum Entra P1 plan) or Security Defaults if the Microsoft Entra Tenant is on the free plan.
