Microsoft has announced significant changes to the Multi-Factor Authentication (MFA) requirements for Azure sign-ins, part of which started enforcement last month (July 2024). These changes are critical for enhancing security, but they require proactive steps from system administrators to ensure a smooth transition and to avoid disruption.
Key Timeline:
- July 2024: MFA becomes mandatory for Azure portal sign-ins for all users.
- Early 2025: Enforcement extends to Azure CLI, PowerShell & Infrastructure as Code tools.
Steps for System Administrators to Prepare:
- Identify users that’ll be impacted
  - Microsoft provides a PowerShell cmdlet, Export-MsIdAzureMfaReport (MSIdentityTools module), that can easily generate a report of all users that have signed in within the last 30 days together with their current MFA status.
  - You can also make use of the Multifactor Authentication Gaps workbook (Microsoft Entra ID, Microsoft Learn), which highlights gaps in your MFA coverage.
- Monitor and Communicate with Users
  - Microsoft will provide notifications 60 days before enforcement. Keep an eye out for these alerts and ensure your users are informed about the upcoming changes and their implications.
- Enable MFA for All User Accounts
  - Begin by enforcing MFA for all user accounts accessing the Azure portal, using tools such as Azure AD Conditional Access to configure MFA policies.
- Transition Automation Tasks
  - Automation accounts that use user identities (commonly referred to as service accounts) should be migrated to managed identities or service principals. This transition is crucial because managed identities and service principals are excluded from the new MFA requirements; user-based automation accounts are not.
- Ensure Break-Glass Accounts also use MFA
  - Until fairly recently, Microsoft guidance suggested companies should have a “break-glass” account protected by controls other than MFA to limit access. With the latest planned changes this is no longer enough, and all the documentation I can find now states “Require MFA for all individual users, emergency access accounts shouldn’t have the same MFA mechanism as other non-emergency accounts”.
  - Put another way, even break-glass accounts should be configured to use MFA going forward, but with a different MFA method from the one used by other accounts.
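The following is an added example, not a script from the original post, from Microsoft or from the MSIdentityTools project. It uses the Microsoft Graph PowerShell SDK to carry out two of the preparation steps above in one pass: first it builds the same kind of report that Export-MsIdAzureMfaReport produces (users who signed in within 30 days and whether they have an MFA method registered), then it stages two Conditional Access policies in report-only mode, one requiring MFA for all users on Azure management and a second covering the break-glass accounts with a different MFA mechanism (the built-in phishing-resistant authentication strength). The break-glass UPNs are placeholders, the app ID is the well-known Windows Azure Service Management API, and the policies are created in report-only state so nothing is enforced until you flip them yourself.

```powershell
# Added example (not from the post or Microsoft's docs). Requires the
# Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# signInActivity needs AuditLog.Read.All and an Entra ID P1/P2 licence;
# registration details need UserAuthenticationMethod.Read.All;
# creating Conditional Access policies needs Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# --- Step 1: who signed in during the last 30 days and has no MFA registered? ---
$cutoff = (Get-Date).AddDays(-30)

# userRegistrationDetails reports, per user, whether an MFA-capable method is registered
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.Id] = $_ }

$impacted = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,signInActivity' |
    Where-Object {
        $_.AccountEnabled -and
        $_.SignInActivity.LastSignInDateTime -and
        $_.SignInActivity.LastSignInDateTime -ge $cutoff
    } |
    ForEach-Object {
        $reg = $registration[$_.Id]
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            LastSignIn        = $_.SignInActivity.LastSignInDateTime
            MfaRegistered     = [bool]($reg -and $reg.IsMfaRegistered)
            MethodsRegistered = ($reg.MethodsRegistered -join ';')
        }
    }

# The gap list is what you communicate to users before the 60-day notice lands
$impacted | Where-Object { -not $_.MfaRegistered } |
    Export-Csv -Path .\azure-mfa-gaps.csv -NoTypeInformation

# --- Step 2: Conditional Access policies, staged in report-only mode ---

# Placeholder break-glass UPNs; replace with your own emergency access accounts
$breakGlass    = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
$breakGlassIds = $breakGlass | ForEach-Object { (Get-MgUser -UserId $_).Id }

# Windows Azure Service Management API: the portal, CLI, PowerShell and IaC tools
# all acquire tokens for this resource, so one policy covers the whole timeline above
$azureManagement = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

$allUsersPolicy = @{
    displayName   = 'Require MFA for Azure management (all users)'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @($azureManagement) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersPolicy

# Break-glass accounts get MFA too, but via a different mechanism: the built-in
# phishing-resistant authentication strength (FIDO2 security key, certificate, etc.)
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }

$breakGlassPolicy = @{
    displayName   = 'Require phishing-resistant MFA for break-glass accounts'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = $breakGlassIds }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $breakGlassPolicy
```

The break-glass accounts are excluded from the general policy only so that the second policy can bind them to a distinct method, which is the "different MFA mechanism" the Microsoft wording calls for; they are never left without an MFA requirement. Review the sign-in log results of both report-only policies before enabling them, and register the phishing-resistant method on the emergency accounts first, since Microsoft's own tenant-wide enforcement applies regardless of your Conditional Access configuration. Service-account automation that still signs in as a user should be moved to a managed identity or service principal before the early 2025 CLI and PowerShell enforcement, as the post notes, since that is what keeps it outside the MFA requirement.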
Final Thoughts
Proactive action is key to ensuring compliance with these new MFA requirements whilst reducing disruption. The new Microsoft enforcement of MFA, despite giving us less control, appears to be a step in the right direction security-wise.
I can foresee significant challenges for larger companies that may not be able to quickly align with the new policies, which should make this an even higher priority to start working towards compliance.