Microsoft to Mandate Multi-Factor Authentication on Azure in July to Significantly Enhance Security
Multi-factor authentication (MFA) has been widely adopted by mainstream cloud platforms. It significantly enhances account security and helps prevent data breaches in which password leaks, brute-force attacks, or phishing allow hackers to access a company's cloud resources.
Microsoft's public cloud platform, Microsoft Azure, has supported multi-factor authentication for some time. However, many users, developers, and enterprises have yet to adopt MFA.
Statistics on Microsoft Azure show that 99.9% of compromised accounts did not have MFA enabled. While enabling MFA does not guarantee 100% protection against attacks, it significantly improves account security.
As a result, Microsoft has announced that starting in July 2024, MFA will become mandatory for all users. Users will be required to bind their accounts with MFA, regardless of their preferences. Options for MFA binding include Microsoft Authenticator, Google Authenticator, password managers, or other TOTP (Time-based One-Time Password) compatible applications, as well as hardware-based security keys.
Microsoft recommends that users or enterprise IT administrators complete the MFA binding as soon as possible to avoid future inconveniences, such as being unable to log in to the console in an urgent situation because MFA has not been bound.
However, this policy does not apply to apps, websites, or services hosted on Microsoft Azure, as their authentication policies are set by the hosting enterprises. If an enterprise has not enabled mandatory MFA, users will not be required to bind their accounts for login.
It is important to note that this change is not limited to the Azure public cloud computing platform. The policy also applies to Entra ID (formerly known as Azure AD), meaning users authenticating through Entra ID must also bind MFA.