Mandatory Microsoft MFA: Key Updates for Admins
- Lavanya Roy, HBS Cloud Infrastructure Engineer
In this article...
- Why Microsoft is requiring MFA across Microsoft 365 and Azure admin tools
- What tools and accounts will be affected starting September 1, 2025
- Which MFA methods are supported (and which ones you should avoid)
- How to roll out MFA using Security Defaults or Conditional Access
- What happens if you don’t enable MFA in time
- Best practices to prepare your team and avoid disruption
- Where to get help aligning your MFA strategy with Microsoft’s roadmap
Microsoft is continuing to roll out mandatory multi-factor authentication (MFA) requirements across Microsoft 365 and Azure. These changes are designed to strengthen account security and reduce the risk of identity-based attacks.
If you manage Microsoft environments, this is your chance to get ahead of the September 2025 enforcement deadlines.
Why Microsoft Is Enforcing MFA Across Microsoft 365 and Azure Admin Tools
MFA requires users to verify their identity using more than just a password. It could be an app notification, a biometric scan, a hardware token, or a phone call. That extra step makes a big difference.
According to Microsoft, enabling MFA blocks over 99% of account compromise attempts. With threats growing and identities under constant attack, enforcing MFA is one of the most effective ways to improve security.
Microsoft Mandatory MFA Deadlines in 2025
Microsoft has already begun requiring MFA for several key admin centers. The next wave of enforcement targets tools used for scripting, deployment, and automation.
Starting September 1, 2025, MFA will be required for:
- Azure CLI
- Azure PowerShell
- Azure Mobile App
- Infrastructure as Code (IaC) tools (via Azure CLI or PowerShell)
- REST API (Control Plane)
- Azure SDK
If users try to access these without MFA, they’ll be blocked. No warnings. No exceptions.
How Microsoft MFA Works to Protect Your Environment
MFA in Microsoft 365 and Azure verifies identity using at least two of these:
- Password (something you know)
- App prompt or security key/FIDO token (something you have)
- Biometrics—like facial recognition or fingerprint scanning (something you are)
Common methods include:
- Authenticator app—Microsoft, Google, Authy, etc.
- FIDO2 security keys
- Windows Hello
- Hardware tokens
Admins can choose which methods to allow and enforce based on user role, risk, and licensing level. SMS and voice calls are no longer considered secure: they are easily phished using SIM swapping or social engineering tactics, and admins should stop allowing them as valid MFA methods.
How to Set Up MFA in Microsoft 365 Admin Center
There are a few ways to roll out MFA, depending on your environment:
- Use the Microsoft 365 MFA Setup Wizard: Start here for step-by-step setup.
- Turn on Security Defaults: A simple, free option for organizations using Entra ID Free. There is also the option to implement per-user MFA.
- Create Conditional Access Policies: For Entra ID P1 or P2 license holders who want to tailor enforcement.
- Track MFA enrollment: View user registration status under Microsoft Entra ID > Security > Authentication Methods > User Registration Details.
Note: You can’t use Security Defaults and Conditional Access at the same time. Choose the method that fits your licensing and goals.
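To turn the registration report into a rollout order, the following added example (not from the original article) buckets users by the strongest method they have registered and queues admins first, then unregistered users, then SMS/voice-only users. The records are constructed samples shaped like Microsoft Graph userRegistrationDetails entries, and the method-name sets are assumptions to adjust to your tenant's report.

```python
# Added example, not from the original article. Records are constructed samples
# shaped like Microsoft Graph userRegistrationDetails entries.
import json

# Assumed method names; adjust to the values your tenant's report contains.
SMS_VOICE = {"mobilePhone", "alternateMobilePhone", "officePhone"}
APP_OR_TOKEN = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                "hardwareOneTimePasscode"}
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound",
                      "windowsHelloForBusiness"}

SAMPLE_EXPORT = json.loads("""[
 {"userPrincipalName": "admin1@example.com", "isAdmin": true,
  "isMfaRegistered": false, "methodsRegistered": []},
 {"userPrincipalName": "admin2@example.com", "isAdmin": true,
  "isMfaRegistered": true, "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "breakglass@example.com", "isAdmin": true,
  "isMfaRegistered": true, "methodsRegistered": ["fido2SecurityKey"]},
 {"userPrincipalName": "dev1@example.com", "isAdmin": false,
  "isMfaRegistered": true,
  "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
 {"userPrincipalName": "user1@example.com", "isAdmin": false,
  "isMfaRegistered": false, "methodsRegistered": ["email"]}
]""")

def classify(record):
    """Bucket one user by the strongest MFA method they have registered."""
    methods = set(record.get("methodsRegistered") or [])
    if not record.get("isMfaRegistered"):
        return "unregistered"
    if methods & PHISHING_RESISTANT:
        return "phishing-resistant"
    if methods & APP_OR_TOKEN:
        return "app-or-token"
    return "sms-voice-only" if methods & SMS_VOICE else "review"

def rollout_queue(records):
    """Users needing action: admins first, then unregistered before SMS/voice."""
    rank = {"unregistered": 0, "sms-voice-only": 1, "review": 2}
    todo = [(not r.get("isAdmin", False), rank[classify(r)],
             r["userPrincipalName"], classify(r))
            for r in records if classify(r) in rank]
    return [(upn, status) for _, _, upn, status in sorted(todo)]

if __name__ == "__main__":
    for upn, status in rollout_queue(SAMPLE_EXPORT):
        print(f"{status:15} {upn}")
```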
Postponing MFA Enforcement (If You Must)
If you need more time, you can delay enforcement up to September 1, 2025.
Admins can postpone enforcement from the Azure portal. You’ll need elevated privileges and existing MFA setup to make the change.
But don’t treat this as a long-term workaround. Microsoft will remove the postponement option after that date.
What Happens If You Don’t Enable MFA in Azure and Microsoft 365
If MFA isn’t set up by the enforcement deadline, users won’t be able to access the affected tools. That includes automation scripts, IaC deployments, SDK operations, and app management.
This could impact:
- DevOps pipelines
- Infrastructure deployments
- Admin access from mobile apps
- Any service or process using user-based authentication
Best Practices for Preparing Your Organization for MFA Requirements
Start now to avoid disruptions later. Here’s how to stay ahead:
- Communicate changes to your team early
- Phase MFA enrollment for high-impact users first
- Replace legacy automation accounts with managed identities
- Use phishing-resistant methods like FIDO2 or certificate-based auth for emergency access accounts
Moving early gives you more time to test, adapt, and support your users.
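To find the automation that depends on user-based authentication before it is blocked, the following added example (not from the original article) scans script text for Azure CLI and Azure PowerShell sign-ins and separates user sign-ins from service principal or managed identity sign-ins. The script names and contents are constructed samples.

```python
# Added example, not from the original article: find automation that signs in to
# Azure as a user. Script contents below are constructed samples.
import re

# Flags that indicate a workload identity (service principal or managed identity).
AZ_WORKLOAD = re.compile(r"--(service-principal|identity)\b")
PS_WORKLOAD = re.compile(r"-(ServicePrincipal|Identity|ApplicationId)\b", re.I)
AZ_LOGIN = re.compile(r"\baz\s+login\b([^\n;|&]*)", re.I)
PS_LOGIN = re.compile(r"\bConnect-AzAccount\b([^\n;|]*)", re.I)

def classify_login(line):
    """Return 'user', 'workload', or None when the line has no Azure sign-in."""
    if line.lstrip().startswith("#"):
        return None  # comment or shebang line
    for login, workload in ((AZ_LOGIN, AZ_WORKLOAD), (PS_LOGIN, PS_WORKLOAD)):
        m = login.search(line)
        if m:
            return "workload" if workload.search(m.group(1)) else "user"
    return None

def scan(scripts):
    """Map of file name -> text in; list of (file, line number, kind) out."""
    findings = []
    for name, text in sorted(scripts.items()):
        for number, line in enumerate(text.splitlines(), start=1):
            kind = classify_login(line)
            if kind:
                findings.append((name, number, kind))
    return findings

SAMPLE_SCRIPTS = {
    "deploy.sh": '#!/bin/sh\naz login -u svc-deploy@example.com -p "$DEPLOY_PW"\n'
                 "az deployment group create -g rg-app --template-file main.bicep\n",
    "nightly.ps1": "$cred = Get-Credential\nConnect-AzAccount -Credential $cred\n",
    "pipeline.sh": "az login --identity\n"
                   'az login --service-principal -u "$APP_ID" -p "$SECRET" --tenant "$TENANT"\n',
}

if __name__ == "__main__":
    for name, number, kind in scan(SAMPLE_SCRIPTS):
        print(f"{name}:{number}: {kind} sign-in")
```

Lines reported as `user` are the ones to move to a managed identity or service principal first.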
Get Help with Microsoft 365 MFA Enforcement
MFA setup is simple in theory, but the real world has nuance. Complex orgs, legacy systems, and user resistance can create roadblocks.
HBS can help you:
- Audit current MFA status
- Choose the best enforcement path
- Update scripts and automation securely
- Roll out MFA with minimal disruption
Let’s make this transition smooth—and secure. Contact us today.
Microsoft MFA FAQ
Who is impacted by Microsoft’s mandatory MFA policy?
Does this apply to all Microsoft 365 users?
Can we delay the enforcement?
Only until September 1, 2025. After that, enforcement is mandatory.
What MFA methods are supported?
What happens to scripts or services using basic auth?
Where can I track MFA rollout progress?
What’s the difference between Security Defaults and Conditional Access?
Security Defaults is an all-or-nothing setting designed to enforce basic protections across all users. Once enabled, you can’t make granular changes or customized policies—it applies the same way to everyone in your tenant.
Conditional Access gives you more control but requires a premium license. You can tailor security policies based on user roles, locations, device compliance, etc.
Will there be reminders?
Do break-glass accounts need MFA?
Yes. They should use phishing-resistant methods like FIDO2, be excluded from Conditional Access policies, and have MFA enforced through the per-user MFA area.
Where can I learn more?