Mandatory Microsoft MFA: Key Updates for Admins

Lavanya Roy, HBS Cloud Infrastructure Engineer

June 19, 2025
Read Time: 4 mins

In this article...
Why Microsoft is requiring MFA across Microsoft 365 and Azure admin tools
What tools and accounts will be affected starting September 1, 2025
Which MFA methods are supported (and which ones you should avoid)
How to roll out MFA using Security Defaults or Conditional Access
What happens if you don’t enable MFA in time
Best practices to prepare your team and avoid disruption
Where to get help aligning your MFA strategy with Microsoft’s roadmap

Microsoft is continuing to roll out mandatory multi-factor authentication (MFA) requirements across Microsoft 365 and Azure. These changes are designed to strengthen account security and reduce the risk of identity-based attacks.

If you manage Microsoft environments, this is your chance to get ahead of the September 2025 enforcement deadlines.

Why Microsoft Is Enforcing MFA Across Microsoft 365 and Azure Admin Tools

MFA requires users to verify their identity using more than just a password. It could be an app notification, a biometric scan, a hardware token, or a phone call. That extra step makes a big difference.

According to Microsoft, enabling MFA blocks over 99% of account compromise attempts. With threats growing and identities under constant attack, enforcing MFA is one of the most effective ways to improve security.

Microsoft Mandatory MFA Deadlines in 2025

Microsoft has already begun requiring MFA for several key admin centers. The next wave of enforcement targets tools used for scripting, deployment, and automation.

Starting September 1, 2025, MFA will be required for:

Azure CLI
Azure PowerShell
Azure Mobile App
Infrastructure as Code (IaC) tools (via Azure CLI or PowerShell)
REST API (Control Plane)
Azure SDK

If users try to access these without MFA, they’ll be blocked. No warnings. No exceptions.

How Microsoft MFA Works to Protect Your Environment

MFA in Microsoft 365 and Azure verifies identity using at least two of these:

Password (something you know)
App prompt or security key/FIDO token (something you have)
Biometrics—like facial recognition or fingerprint scanning (something you are)

Common methods include:

Authenticator app—Microsoft, Google, Authy, etc.
FIDO2 security keys
Windows Hello
Hardware tokens

Admins can choose which methods to allow and enforce based on user role, risk, and licensing level. SMS and voice calls are no longer considered secure—easily phished using SIM swapping or social engineering tactics—and admins should stop allowing them as valid forms of MFA authentication.

How to Set Up MFA in Microsoft 365 Admin Center

There are a few ways to roll out MFA, depending on your environment:

Use the Microsoft 365 MFA Setup Wizard: Start here for step-by-step setup.
Turn on Security Defaults: A simple, free option for organizations using Entra ID Free. There is also the option to implement per-user MFA.
Create Conditional Access Policies: For Entra ID P1 or P2 license holders who want to tailor enforcement.
Track MFA enrollment: View user registration status under Microsoft Entra ID > Security > Authentication Methods > User Registration Details.

Note: You can’t use Security Defaults and Conditional Access at the same time. Choose the method that fits your licensing and goals.

Postponing MFA Enforcement (If You Must)

If you need more time, you can delay enforcement up to September 1, 2025.

Admins can postpone enforcement from the Azure portal. You’ll need elevated privileges and existing MFA setup to make the change.

But don’t treat this as a long-term workaround. Microsoft will remove the postponement option after that date.

What Happens If You Don’t Enable MFA in Azure and Microsoft 365

If MFA isn’t set up by the enforcement deadline, users won’t be able to access the affected tools. That includes automation scripts, IaC deployments, SDK operations, and app management.

This could impact:

DevOps pipelines
Infrastructure deployments
Admin access from mobile apps
Any service or process using user-based authentication

Best Practices for Preparing Your Organization for MFA Requirements

Start now to avoid disruptions later. Here’s how to stay ahead:

Communicate changes to your team early
Phase MFA enrollment for high-impact users first
Replace legacy automation accounts with managed identities
Use phishing-resistant methods like FIDO2 or certificate-based auth for emergency access accounts

Moving early gives you more time to test, adapt, and support your users.

Get Help with Microsoft 365 MFA Enforcement

MFA setup is simple in theory, but the real world has nuance. Complex orgs, legacy systems, and user resistance can create roadblocks.

HBS can help you:

Audit current MFA status
Choose the best enforcement path
Update scripts and automation securely
Roll out MFA with minimal disruption

Let’s make this transition smooth—and secure. Contact us today.

Microsoft MFA FAQ

Who is impacted by Microsoft’s mandatory MFA policy?

Any user accessing Microsoft admin tools like Azure CLI, PowerShell, or SDKs must use MFA.

Does this apply to all Microsoft 365 users?

No. The current focus is on admin centers and automation tools, not everyday Microsoft 365 users.

Can we delay the enforcement?

Only until September 1, 2025. After that, enforcement is mandatory.

What MFA methods are supported?

Microsoft supports Authenticator apps (Microsoft, Google, Authy, etc.), FIDO2 keys, biometrics, hardware tokens, Windows Hello, and certificate-based authentication.

What happens to scripts or services using basic auth?

They’ll fail. Microsoft recommends replacing these with service principals or managed identities. Most basic auth is already deprecated by Microsoft. The last remaining protocol still allowed is AuthSMTP. Admins should look to transforming credentials to use modern auth protocols immediately.

Where can I track MFA rollout progress?

Use the User Registration Details report in Microsoft Entra ID (P1 or P2 required).

What’s the difference between Security Defaults and Conditional Access?

Security Defaults is an all-or-nothing setting designed to enforce basic protections across all users. Once enabled, you can’t make granular changes or customized policies—it applies the same way to everyone in your tenant.

Conditional Access gives you more control but requires a premium license. You can tailor security policies based on user roles, locations, device compliance, etc,.

Will there be reminders?

Yes. Microsoft will send notifications through the message center, service health dashboard, and email 60 days in advance.

Do break-glass accounts need MFA?

Yes—and they should use phishing-resistant methods like FIDO2 and be excluded from Conditional Access policies and enforced using the per-user MFA area.

Where can I learn more?

Plan for mandatory Microsoft MFA.