Azure MFA Phase 2 Enforcement Roll-Out
Microsoft began rolling out phase 1 enforcement for Azure MFA in October 2024. Phase 1 requires MFA for any user sign-in to the Azure portal, the Microsoft Entra admin center, and the Intune admin center, regardless of which operations the user then performs.
Phase 1 did not affect other clients such as the Azure CLI, PowerShell modules, the Azure Mobile App, REST API, Azure SDK, or IaC (infrastructure as code) tools.
Phase 2 extends enforcement to the clients phase 1 left out: the Azure CLI, Azure PowerShell, the Azure Mobile App, REST API endpoints, the Azure SDK, and IaC tools. It applies to create, update, and delete operations performed through those clients; read-only operations are not affected. Phase 2 was scheduled to begin September 1, 2025.
Roll-out to tenants is staged and gradual. Global Administrators are notified in several ways: by email (provided a valid email address is assigned to the account), through Azure portal notifications, and through the Microsoft 365 message center (message ID MC862873).
An option to postpone phase 2 enforcement is available; delaying it is strongly discouraged, since Microsoft reports that strong MFA methods block 99.2% of account compromise attacks. This matters especially for phase 2, because the CLI and REST API let someone holding compromised credentials change configuration or pull data far faster than the portal allows. Note that the requirement applies to user accounts: scripts and pipelines that sign in with a user name and password through these tools will stop working once enforcement reaches the tenant and should be moved to workload identities (service principals or managed identities), which are not subject to it.
One item deserves particular attention: emergency access, or "break glass," accounts. Microsoft recommends certificate-based authentication or FIDO2 security keys as the MFA method for these accounts. An authenticator-app soft token is enrolled on a single person's mobile device, so whoever holds that device effectively holds the account, which defeats the purpose of an EA account that must remain usable when any one individual is unavailable. Contrary to earlier guidance, EA accounts should not be excluded from MFA.
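The check a practitioner will want after reading the paragraph above is whether each emergency access account actually has a FIDO2 or certificate-based method registered, rather than a soft token bound to one person's phone. The following Python is an added example written for this page, not code from Microsoft or from Neovera SV. It classifies the method list returned by Microsoft Graph (GET /users/{id}/authentication/methods, using the @odata.type values Graph emits for each method) and flags accounts that do not meet the recommendation. The account names and JSON are constructed to mirror the shape of a real response; pulling the data live requires a Graph token with the UserAuthenticationMethod.Read.All permission, which is out of scope here.

```python
"""Classify the MFA methods registered on emergency access (EA) accounts.

Added example for this article (not Microsoft's or Neovera SV's code).
Input is the body of a Microsoft Graph GET /users/{id}/authentication/methods
response; the sample accounts at the bottom are constructed, not real.
"""
from typing import Dict, List

# Methods that satisfy the page's recommendation for EA accounts:
# FIDO2 security keys and certificate-based authentication.
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.x509CertificateAuthenticationMethod",
}

# Valid MFA methods, but bound to one person's device or phone number,
# so they tie a shared EA account to a single individual.
PERSON_BOUND = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
}
# Anything else (password, email, temporary access pass, ...) is ignored:
# it is either not a second factor or not a standing one.


def assess(methods: List[dict]) -> dict:
    """Summarise one account from the 'value' array of the Graph response."""
    types = {m.get("@odata.type", "") for m in methods}
    # Keep only the short type name, e.g. "fido2AuthenticationMethod".
    strong = sorted(t.rsplit(".", 1)[-1] for t in types & PHISHING_RESISTANT)
    weak = sorted(t.rsplit(".", 1)[-1] for t in types & PERSON_BOUND)
    return {
        "compliant": bool(strong),          # at least one phishing-resistant method
        "mfa_registered": bool(strong or weak),
        "phishing_resistant": strong,
        "person_bound": weak,
    }


def assess_tenant(accounts: Dict[str, dict]) -> Dict[str, dict]:
    """accounts maps UPN -> the Graph response body for that user's methods."""
    return {upn: assess(body.get("value", [])) for upn, body in accounts.items()}


def noncompliant(accounts: Dict[str, dict]) -> List[str]:
    """UPNs of EA accounts that lack a FIDO2 or certificate-based method."""
    return sorted(upn for upn, r in assess_tenant(accounts).items() if not r["compliant"])


# Constructed sample: three hypothetical EA accounts (UPNs and ids are made up).
SAMPLE = {
    "ea-01@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "key-1",
         "displayName": "EA key in safe"},
    ]},
    "ea-02@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-2"},
        # Soft token on one admin's phone: MFA, but tied to that person.
        {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod", "id": "oath-2"},
    ]},
    "ea-03@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-3"},
    ]},
}

if __name__ == "__main__":
    for upn, result in assess_tenant(SAMPLE).items():
        status = "OK " if result["compliant"] else "FIX"
        print(f"{status} {upn}: strong={result['phishing_resistant']} "
              f"person_bound={result['person_bound']}")
    print("Needs attention:", noncompliant(SAMPLE))
```

In the sample, ea-02 is the case the paragraph warns about: it passes a naive "has MFA" check but would fail an audit of the EA recommendation, because its only second factor lives on one person's device.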
Tenants that already require MFA for all users across the phase 2 scope will see no change. See the following link for more information: https://learn.microsoft.com/en-gb/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet.
Neovera SV (formerly 10-D Security) is an independent firm specializing in IT security and compliance for financial institutions. We help clients mitigate risk and comply with GLBA requirements, offering tailored services and expertise to strengthen cybersecurity programs.