Mandatory MFA is Coming to Microsoft Azure
Microsoft is making multi-factor authentication (MFA) mandatory for all sign-ins to Azure cloud accounts, the latest step in the IT giant’s efforts to infuse better security throughout their product and services portfolio.
The company is kicking off the effort now, sending out 60-day advance notices to all global administrators of its Entra security suite through emails and Azure Service Health Notifications to let them know when the enforcement of the requirement kicks in. Other notifications will be sent via the Azure portal, Entra administrator portal, and the Microsoft 365 message center.
Starting in October, users signing into the Azure portal, the Entra administrator center, and the Intune admin center will be required to use MFA, with the enforcement rolling out to all tenants worldwide, according to Naj Shahid, principal product manager, and Bill DeForeest, principal product manager of Azure Compute.
In early 2025, gradual enforcement will begin for those signing into Azure CLI, Azure PowerShell, Azure mobile apps, and Infrastructure as Code (IaC) tools, Shahid and DeForeest wrote in a blog post.
There are MFA Options
Organizations will have options for deploying MFA via Entra, including Microsoft’s Authenticator tool, FIDO2 security keys, certificate-based authentication – which enforces phishing-resistant MFA – passkeys, and SMS or voice approval, which they called the least secure version of MFA.
The MFA push is part of Microsoft’s larger Secure Future Initiative (SFI) that was introduced in November 2023. A key part of the project is addressing the risk of bad actors gaining unauthorized access to users’ information by enforcing top standards across the infrastructure for identities and secrets as well as user and application authentication and authorization, they wrote.
“Ensuring Azure accounts are protected with securely managed, phishing-resistant multifactor authentication is a key action we are taking,” the two wrote, pointing to a study by Microsoft that found that more than 99.99% of MFA-enabled Azure Active Directory accounts remained secure during the five-month time period of the research.
In addition, MFA reduced the risk of compromised accounts by 99.22% across the entire population and by 98.56% in cases of leaked credentials.
The report’s authors said the study found that “dedicated MFA applications outperform SMS-based authentication, although both methods are significantly more effective than not employing MFA at all. In light of these findings, we strongly advocate for the default activation of MFA in commercial accounts to bolster cybersecurity measures, as already required by many institutions.”
Expanding the Requirement
The MFA requirement for Azure logins builds on a similar push by Microsoft, announced in May, to make MFA a default across more than a million Entra ID tenants, including those for development, testing, demos, and production.
By doing so, “we will not only reduce the risk of account compromise and data breach for our customers, but also help organizations comply with several security standards and regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and National Institute of Standards and Technology (NIST),” Shahid and DeForeest wrote.
Attacks
Microsoft has been under pressure for more than a year to improve its security in the wake of two high-profile and embarrassing breaches. The first was an attack by the Chinese-linked advanced persistent threat (APT) group Storm-0558, which stole a Microsoft signing key and hacked its way into Microsoft 365 and Exchange Online accounts, stealing email from about two dozen U.S. government organizations as well as corporate accounts.
The other was perpetrated by the Russian state-sponsored group Midnight Blizzard, which hacked their way into Microsoft’s corporate email accounts during an attack that started in November 2023 but wasn’t detected until January. They were able to steal email messages between Microsoft and a number of U.S. federal agencies. CISA warned that Midnight Blizzard bad actors were using information stolen – such as authentication details found in email between Microsoft and some customers – from the email systems to gain access into customer networks.
Harsh Criticism
Lawmakers harshly criticized Microsoft for security failures that allowed the attacks to succeed, arguing that the responsibility for securing the software falls on the vendor and not the users.
In the wake of the attacks, Microsoft said it was expanding its SFI effort to include adopting Secure by Design software development practices, making security protections a default and taking a number of steps to protect identities and secrets.
“Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust,” Charlie Bell, executive vice president of Microsoft Security, wrote at the time. “We must and will do more. We are making security our top priority at Microsoft, above all else – over all other features.”
In addition, Microsoft President Brad Smith, testifying before Congress in June, said his company took full responsibility for every cybersecurity issue raised by a Cyber Safety Review Board report about the Storm-0558 attack, noting that the vendor has more than 34,000 engineers working on security. Smith said Microsoft erred by becoming too dependent on cybersecurity specialists instead of embedding security across the company.