Many businesses rely heavily on Microsoft 365 and other Microsoft tools to manage their daily operations. With technology advancing each day, cyberattacks are also getting more complex and sophisticated. To combat these challenges, Microsoft has decided to implement multi-factor authentication (MFA) for all Azure users with the aim of enhancing security and tackling concerns raised by users regarding cybersecurity. Hence, it is important for businesses, particularly SMEs, to understand MFA tools and adopt these measures. This blog will guide you through everything around MFA: why it is becoming mandatory, what it means for Microsoft 365 users, recommended MFA tools, and why it matters for London businesses.
What Is MFA and Why It’s Becoming Mandatory
Multi-factor authentication (MFA) is a core component of identity and access management policy and can be explained as a measure to enhance security.
It is an authentication method that requires the user to provide two or more verification factors to establish identity and to gain access to a resource such as an application, online account, VPN, etc.
How does MFA work?
MFA tools establish the identity of the user requesting access to a certain resource, website or application by assessing it against several factors. In addition to usernames and passwords, the additional factors to assess and establish identity may include:
- Knowledge: The things you know, such as a PIN, password, answer to a personal security question, etc.
- Possession: The things you have, such as a code or an OTP on a phone, a security token, or any other device
- Inherence: The things you are, such as biometric fingerprints, voice recognition, iris scanning, behaviour analysis, etc.
- Location: The place where access is demanded, usually a PIN code, VPN authorised access point, etc.
Based on Microsoft research, users did not enable MFA when it was an ‘option’ due to the extra steps involved in establishing and verifying user identity. But to address rising security concerns, Microsoft has made MFA mandatory for Azure Command Line Interface (CLI), Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
The rollout began in October 2024. Microsoft chose a phased approach, under which the second phase started in early 2025, when Microsoft started sending additional notifications through the Azure portal, Entra admin centre and Microsoft 365 message centre.
What the MFA Rollout Means for Microsoft 365 Users
MFA for all users rolled out in phases:
- Phase 1 started in October 2024, wherein MFA was required to sign in to Azure, Microsoft Entra admin centre, and Intune admin centre.
- In Phase 2, starting in early 2025, the MFA requirement has been extended to Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
With this new mandatory requirement, users will be able to see MFA-related alerts and enforcement options in the Azure Active Directory. They may also find that conditional access policies are now more prominently featured, providing more control over security.
Overview of Microsoft’s Identity 2025 Strategy
Microsoft’s Identity 2025 is centred on strong identity protection, zero trust access controls to all resources and ensuring seamless integration and user access.
It focuses on starting secure, staying secure and preparing for new cyberthreats by:
- Reducing dependency on only passwords for user access
- Increasing use of MFA methods such as biometric and hardware-based authentication etc.
- Integrating the importance of establishing identity into cybersecurity measures.
Microsoft’s Identity 2025 aligns with Microsoft Entra and Microsoft Azure directory to enhance access controls, improve proactive threat detection and support robust compliance.
Identity 2025 reviews suggest that it was highly commended by IT leaders and cybersecurity experts for enhancing security.
Recommended MFA Tools and Integration Tips
There are multiple MFA tools compatible with Microsoft platforms, such as:
- Microsoft Authenticator App: There is an exclusive Microsoft Authenticator app for MFA. It is the best recommended option for seamless integration, and it issues prompt push notifications.
- Third-party authentication: Other than the Microsoft Authenticator App, there are other third-party authentication apps, such as Google Authenticator, Authy, etc., for MFA using OTP based verification.
- SMS or Voice Calls: Although these are less secure methods, they are commonly used methods for MFA.
- Hardware Security Keys: There are certain hardware security keys that are used for authentication, such as security tokens, USBs or other hardware devices.
To enable MFA via the Azure portal, follow these steps:
- Create a Conditional Access Policy:
  - Sign in to the Azure portal
  - Go to Microsoft Entra ID > Protection > Security Centre > Conditional Access.
  - Create a new policy by clicking “+ New policy”
  - Name the policy and configure assignments, conditions for multifactor authentication and access controls
  - Activate and save the policy
- Test configuring and using multifactor authentication as a user.
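To support the final test step above, here is an added example (not from the original post or from Microsoft) that audits an export of Conditional Access policies and reports why each one does or does not enforce MFA for everyone. It assumes JSON in the shape returned by Microsoft Graph's `GET /identity/conditionalAccess/policies`; the sample policies, the role ID placeholder and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by Microsoft Graph
# GET /identity/conditionalAccess/policies (names and IDs are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Require MFA - all users (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA - admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-template-id>"]},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]}
""")


def audit_policy(policy):
    """Return findings explaining why a policy does not enforce MFA tenant-wide."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled":  # disabled or report-only
        findings.append("not enforced (state=%s)" % policy.get("state"))
    if "mfa" not in controls:
        findings.append("grant controls do not include mfa")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        others = ", ".join(c for c in controls if c != "mfa")
        findings.append("mfa is optional: operator OR with " + others)
    if "All" not in (users.get("includeUsers") or []):
        findings.append("does not target all users")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("does not target all applications")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("has user/group exclusions to review")
    return findings


def audit_export(export):
    """Map each policy name to its findings (empty list = MFA enforced for all)."""
    return {p["displayName"]: audit_policy(p) for p in export.get("value", [])}


def enforcing_policies(export):
    """Names of policies that enforce MFA for all users and apps, no exclusions."""
    return [name for name, f in audit_export(export).items() if not f]
```

A policy left in report-only state, or one that offers MFA as one of several OR-ed grant controls, appears in the findings rather than in `enforcing_policies`, which is the gap the user-level test in the last step is meant to catch.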
Another important aspect in implementing MFA in businesses is to train staff on how to use MFA and roll out with minimal disruptions:
- Provide a step-by-step guide to the staff
- Host training sessions and provide live and practical training
- Provide adequate support to resolve any issues
- Roll out in phases to avoid any operational disruption.
Why This Matters for London Businesses
While technological advancement is a boon for the business world, it has also raised major security concerns. Cyberattacks have become more complex and sophisticated. To tighten security and prevent these cyberattacks, regulatory authorities have made it mandatory for businesses to follow data protection laws and GDPR. Hence, implementing MFA is not just a mandatory requirement by Microsoft but also a local compliance requirement. It also prepares businesses for better handling of sensitive and confidential business information and data, and helps businesses become cyber-ready.
Further, it is also important that businesses seeking IT support in London partner with a reliable and trusted IT service provider that can analyse and understand business requirements and suggest and implement robust measures for MFA.
Small business IT support in London can help businesses ease this transition by:
- Configuring MFA across Microsoft 365 tools
- Educating staff on safer business practices and how to use MFA
- Streamlining the transition with minimal operational disruption.
Conclusion
As already explained in the above sections, it is important to use multi-factor authentication to prevent identity theft and other cyberattacks. It is always better to stay proactive than to take corrective action after damage is done. Given the alarming rate of rising cyber threats and attacks, it is advisable for businesses, especially SMEs, to contact a trusted IT support provider that can assess and analyse your business vulnerabilities and security requirements and suggest and implement robust security measures, including MFA. If you’re looking for small business IT support in London, Tristar Tech Solutions can be your perfect partner. Take steps toward a secure business today!
FAQs
- What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an enhanced security measure that requires users to establish identity with factors other than username and passwords, like OTP, biometric verification, security tokens, etc.
- Why is Microsoft enforcing mandatory MFA?
Due to the alarming rise of sophisticated and complex cyberattacks, Microsoft, in order to enhance cybersecurity, is enforcing mandatory MFA.
- Which Microsoft services are affected by the mandatory MFA rollout?
The services affected by the mandatory MFA rollout by Microsoft are the Azure portal, Microsoft Entra admin centre, Intune admin centre, Azure Command Line Interface (CLI), Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
- When will the mandatory MFA enforcement begin?
Microsoft enforced mandatory MFA in a phased manner, starting in October 2024 and early 2025.
- How can organisations prepare for this change?
To prepare for this change, organisations need to educate their staff about the new requirements and the process of setting up MFA and using the security measure.
- What authentication methods are supported for MFA?
There are multiple methods supported for MFA, including PIN, personal security questions, security tokens, biometric fingerprints, voice recognition, iris scanning, behaviour analysis, location, etc.
- Can users opt out of MFA?
No, Microsoft has made it mandatory for users to use MFA in order to address security concerns.
- What are the benefits of implementing MFA?
There are multiple benefits of implementing MFA, such as enhanced security, mitigating the risk of operational downtime, preventing unauthorised access, and compliance with regulations etc.
- How does MFA impact user experience?
MFA definitely enhances security by adding an extra layer of security, but it can also cause potential friction and frustration among users due to additional steps.