Microsoft’s New Mandatory MFA Policies: What You Need to Know in 2025

By: Tom Gilmore

As cybersecurity threats continue to grow in sophistication and frequency, Microsoft is doubling down on security for its cloud services. Starting in 2024 and accelerating through 2025, Microsoft is implementing mandatory Multi-Factor Authentication (MFA) across its key Azure and Microsoft 365 services, enforcing stronger account protection to help prevent breaches.

Why Mandatory MFA?

Microsoft research reveals MFA can block over 99.2% of account compromise attacks. With this compelling security benefit, MFA has become an essential safeguard for protecting cloud resources and sensitive enterprise data.

This new requirement arises from the need to thwart credential theft, phishing, brute force, and automated attacks that target cloud administrators and users alike. Microsoft’s move aligns with a broader industry shift toward zero-trust security models that emphasize strong identity verification.

What’s Changing? Two Phases of Enforcement

Microsoft’s mandatory MFA enforcement is rolling out in two key phases:

Phase 1: Enforced October 2024

  • MFA becomes mandatory for accounts signing into:
    • Azure portal
    • Microsoft Entra admin center
    • Microsoft Intune admin center
    • Microsoft 365 admin center (starting February 2025)
  • MFA is required to perform any create, read, update, or delete (CRUD) operation in these portals.
  • Other Azure clients (Azure CLI, Azure PowerShell, mobile apps, IaC tools) are not impacted in this phase.

Phase 2: Enforced Starting September 15, 2025

  • MFA enforcement expands to:
    • Azure CLI
    • Azure PowerShell
    • Azure mobile app
    • Infrastructure as Code (IaC) tools (e.g., Terraform, ARM, Bicep)
    • REST API control plane for create, update, or delete operations
  • MFA is not required for read-only operations in these tools.
  • This phase aims to secure all interaction methods with Azure beyond the portal interfaces.

Key Details and Best Practices

  • No Opt-Out: All users signing into the affected applications must use MFA. There is no opt-out option, underscoring Microsoft’s commitment to security.
  • Break-Glass Accounts: Emergency access accounts must also use MFA, preferably with phishing-resistant methods like passkeys (FIDO2) or certificate-based authentication.
  • Service Accounts: User accounts used as service accounts for automation or scripts need to be migrated to workload identities (service principals or managed identities) that do not require MFA. Microsoft recommends migrating to these cloud-native identities to maintain security and compliance.
  • Third-Party MFA: Organizations using external MFA solutions can integrate them with Microsoft Entra ID, provided the federated identity providers are configured to pass MFA claims to Microsoft.
  • Postponement Available: Some tenants can request a postponement for Phase 1 enforcement until September 30, 2025, and Phase 2 until July 1, 2026, to accommodate complex environments or technical constraints.
  • Impacted Regions: Only the public Azure cloud is currently affected; sovereign clouds like Azure Government have separate policies.

Deprecated and Affected Features

  • The OAuth 2.0 Resource Owner Password Credentials (ROPC) grant flow is incompatible with the MFA requirement and is deprecated.
  • Several MSAL and Azure SDK APIs relying on username-password authentication are also deprecated and require updates.
  • Password autofill capabilities in the Microsoft Authenticator app will be discontinued by August 2025, pushing organizations toward passwordless authentication methods.

What Organizations Should Do Now

  • Enable MFA Today: If MFA is not currently enforced, enable security defaults or Conditional Access policies that require MFA.
  • Plan for Migration: Identify and transition any user-based service accounts used in scripts or automation to workload identities.
  • Test MFA Policies: Use Conditional Access templates and Microsoft tools to validate MFA impact before enforcement rolls out.
  • Adopt Strong Authentication: Encourage the use of passwordless options like FIDO2 security keys and passkeys to improve user experience and security.
  • Prepare for Phase 2: Audit tool usage for CLI, PowerShell, IaC, and API access to ensure readiness for the 2025 enforcement of MFA on these endpoints.
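The "Plan for Migration" and "Prepare for Phase 2" steps both come down to finding automation that still signs in with a user's username and password, which is exactly what the ROPC deprecation and the Phase 2 enforcement of Azure CLI, Azure PowerShell and the control-plane API will break. The following scanner is an added example, not code from the original post or from Microsoft: the rule regexes are my own, and the sample scripts are constructed to show one flagged case per tool plus a service-principal login that must not be flagged, since workload identities are exempt.

```python
import re
from pathlib import Path

# Each rule flags a sign-in that relies on a user's username and password (the OAuth
# ROPC grant or its CLI/SDK equivalents). The negative lookaheads skip the
# service-principal forms, because workload identities are not subject to MFA.
RULES = [
    ("az-cli-user-login",
     re.compile(r"\baz\s+login\b(?![^\n]*--service-principal)[^\n]*\s(-u|--username)\b")),
    ("azps-user-credential",
     re.compile(r"\bConnect-AzAccount\b(?![^\n]*-ServicePrincipal)[^\n]*-Credential\b", re.I)),
    ("msal-ropc", re.compile(r"acquire_token_by_username_password|AcquireTokenByUsernamePassword")),
    ("azure-identity-ropc", re.compile(r"\bUsernamePasswordCredential\b")),
    ("oauth-password-grant", re.compile(r"grant_type\s*=\s*['\"]?password\b")),
]

def scan_text(source: str, text: str) -> list[tuple[str, int, str]]:
    """Return (source, line number, rule id) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((source, lineno, rule_id))
    return findings

def scan_tree(root: str, suffixes=(".sh", ".ps1", ".py", ".yml", ".yaml", ".tf")) -> list:
    """Walk a repository of scripts and pipeline definitions and scan each file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings

# Constructed sample files (not real scripts): two user sign-ins that Phase 2 breaks,
# one MSAL ROPC call, and a service-principal login that is fine and must not be flagged.
SAMPLES = {
    "deploy.sh": 'az login -u svc-deploy@contoso.example -p "$PASSWORD"\n'
                 "az deployment group create -g rg-app -f main.bicep\n",
    "rotate.ps1": "Connect-AzAccount -Credential $cred\n"
                  "Connect-AzAccount -ServicePrincipal -Credential $spCred -Tenant $tenant\n",
    "token.py": "result = app.acquire_token_by_username_password(user, pw, scopes=SCOPES)\n",
    "ci.yml": "run: az login --service-principal -u $APP_ID -p $SECRET --tenant $TENANT\n",
}

def scan_samples() -> list[tuple[str, int, str]]:
    """Scan the constructed samples; each finding is a sign-in to migrate to a workload identity."""
    findings = []
    for name, text in SAMPLES.items():
        findings.extend(scan_text(name, text))
    return findings
```

Point `scan_tree` at a checkout of your automation repositories to get the same (file, line, rule) list for real code; every hit is a candidate for a service principal or managed identity before September 15, 2025.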

Don’t Let Microsoft’s MFA Requirements Catch You Off Guard

Microsoft’s mandatory MFA enforcement isn’t just another policy update—it’s a fundamental shift in how organizations must approach cloud security. With Phase 1 already in effect and Phase 2 approaching this month, the window for preparation is narrowing rapidly.

While these changes may seem daunting, they represent an opportunity to strengthen your security posture and future-proof your organization against evolving cyber threats. The organizations that act now will experience a smooth transition and enhanced protection. Those who wait risk operational disruptions, compliance issues, and potential security vulnerabilities.

Ready to Navigate Microsoft’s MFA Requirements?

At Lume Strategies, we specialize in helping organizations seamlessly adapt to evolving technology landscapes. Our team can help you:

  • Audit your current Azure and Microsoft 365 environment for MFA readiness
  • Develop a comprehensive migration strategy for service accounts and automation
  • Implement Conditional Access policies that balance security with user experience
  • Plan your transition to passwordless authentication methods
  • Ensure compliance with minimal business disruption

Don’t let Microsoft’s MFA mandate become a crisis. Contact Lume Strategies today to schedule a consultation and turn this security requirement into a competitive advantage.