In August last year, Microsoft announced that it would start mandating multi-factor authentication (MFA) for Azure Public Cloud sign-ins on Azure, as a way to combat account compromise, which the company"s research shows MFA can block over 99.2% of the time.
This rollout was divided into two phases. Phase 1 focused on enforcing MFA for sign-ins to the management portals and began two months later in October 2024. The requirement applies to anyone logging into the Azure portal, Microsoft Entra admin center, and Intune admin center.
Microsoft now claims that the initial portal enforcement was completely rolled out for Azure tenants as of this March, and now it can start the next stage. Phase 2 kicks off what Microsoft calls a "gradual enforcement" at the Azure Resource Manager layer, meaning it will affect command-line tools and automation.
Things like Azure CLI, Azure PowerShell, the Azure Mobile App, and even Infrastructure as Code tools will now require MFA. The company began notifying all Microsoft Entra Global Administrators about the change via email and Azure Service Health notifications this week, setting a deadline of October 1, 2025.
If you are an administrator, here is how to prepare for the change. Microsoft"s recommended path is to configure a Conditional Access policy.
- Sign in to the Microsoft Entra admin center with at least Conditional Access Administrator rights.
- Navigate to Entra ID, then Conditional Access, and select Policies.
- Create a new policy and give it a name.
- Under Assignments, select the users or groups you want to include.
- Under Target resources, find Cloud apps and include "Microsoft Admin Portals" and "Windows Azure Service Management API".
- Under Access controls, select Grant, then Require authentication strength, and choose Multifactor authentication.
- Set the policy to "Report-only" mode first to see what impact it will have without actually locking anyone out. Then select Create.
Do note that this requires a Microsoft Entra ID P1 or P2 license. For the best compatibility, Microsoft also recommends that users update to at least Azure CLI version 2.76 and Azure PowerShell version 14.3.
You can learn more from the official announcement post.