Changing MFA requirements for Microsoft

In the coming months, the MFA policy for Entra users is changing. What does that entail, and what does it mean for you? We find out in this week's newsletter.

Starting from October, Microsoft has stated that it will enforce Multi-Factor Authentication (MFA) for the customers of its Entra platform, a move that’s aimed at bolstering security and protecting customer data from increasing cyber threats. This move is part of a broader strategy to close a significant gap in cybersecurity practices, as many organizations have lagged in adopting this critical security measure.

Failing to enable MFA is not just a missed opportunity; it’s a critical vulnerability that no organization can afford. In today’s threat landscape, MFA is not just an option—it’s a necessity.

The significance of this enforcement cannot be overstated. With the rise of sophisticated cyberattacks like phishing or credential stuffing, relying solely on passwords has become increasingly risky. According to the 2024 Verizon Data Breach Investigations Report (DBIR), around 70% of companies did not have MFA enabled just six months ago.

This highlights a major vulnerability that cybercriminals could exploit, making this mandate a crucial step toward enhancing overall security across the Azure platform, and underscoring Microsoft’s recognition of the inadequacy of password-only authentication.

By mandating MFA, Microsoft is effectively eliminating the 'low-hanging fruit' that low-sophistication threat actors have traditionally exploited: these attackers often rely on weak, single-factor authentication methods to gain unauthorised access. With MFA in place, such tactics will be significantly less effective, and there will be another layer of security protecting users' data. Even if a password is compromised, the user's or business's data remains protected by the second factor.

Having MFA defends against the majority of password-related cyberattacks, like credential stuffing, and forces even less skilled attackers to resort to more complex and costly methods, thereby raising the bar for potential breaches.

In the case of Microsoft, mandatory MFA will be turned on for the Azure portal, the Microsoft Entra admin center, and the Intune admin center, as written by Azure Compute principal product managers Naj Shahid and Bill DeForeest in a blog post and reported by DarkReading.

Mandating MFA for Azure is part of Microsoft’s Secure Future Initiative, which was announced last year to integrate key security features into its products and services. There will be a choice from an array of MFA options, such as authenticators, security keys, certificate-based authentication, and passkeys. While SMS and voice MFA options are still available, their vulnerability to SIM-swapping attacks and interception makes them less secure than other methods, such as authenticator apps or security keys. Microsoft’s inclusion of these options is likely intended to accommodate varying user needs while encouraging the adoption of more secure alternatives.

Further, for anyone wondering which applications fall under the mandate: "Mandatory MFA will not be required for Azure Command Line Interface, Azure PowerShell, Azure mobile app, and infrastructure-as-code tools until early 2025," as reported by DarkReading.

Additionally, major steps are being taken to elevate security governance at Microsoft by implementing a new framework spearheaded by the Chief Information Security Officer (CISO). As stated in Microsoft's Secure Future Initiative blog, "This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team."

Businesses using Azure services should start preparing now so that they meet Microsoft's new requirement ahead of the October deadline. This preparation should involve conducting a security audit to identify accounts without MFA, selecting appropriate MFA methods for those accounts, and training employees on the importance and use of MFA.
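The audit step above can be driven from Entra's own authentication-method registration report. The script below is an added example, not code from the newsletter or from Microsoft: it triages a report in the shape returned by the Microsoft Graph `userRegistrationDetails` endpoint, listing admins and users with no MFA registered first and then accounts whose only registered methods are phone-based (the SMS and voice options the article notes are weaker). The field and method names (`isMfaRegistered`, `isAdmin`, `methodsRegistered`, `mobilePhone`, `officePhone`) are assumptions about the report format, and the embedded sample response is constructed for the example rather than taken from a real tenant.

```python
"""Triage an Entra MFA registration report ahead of the MFA mandate (added example)."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import List

# Assumed Graph reporting endpoint; the live call is optional and not exercised here.
GRAPH_REGISTRATION_URL = (
    "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
)

# Phone-based methods count as registered but are weaker than authenticator apps,
# security keys or passkeys (SIM swapping, interception). Names are assumptions.
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Constructed sample modelled on the report's shape; not real tenant data.
SAMPLE_REPORT = json.dumps({
    "value": [
        {"userPrincipalName": "alice@example.com", "isAdmin": True,
         "isMfaRegistered": True,
         "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
        {"userPrincipalName": "bob@example.com", "isAdmin": False,
         "isMfaRegistered": False, "methodsRegistered": []},
        {"userPrincipalName": "carol@example.com", "isAdmin": True,
         "isMfaRegistered": False, "methodsRegistered": ["email"]},
        {"userPrincipalName": "dave@example.com", "isAdmin": False,
         "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    ]
})


@dataclass
class MfaAudit:
    """Accounts grouped by how urgently they need attention before enforcement."""
    admins_not_registered: List[str] = field(default_factory=list)
    users_not_registered: List[str] = field(default_factory=list)
    phone_only: List[str] = field(default_factory=list)

    def remediation_order(self) -> List[str]:
        """Admins without MFA first, then other users, then phone-only accounts."""
        return self.admins_not_registered + self.users_not_registered + self.phone_only


def audit_registration(report_json: str) -> MfaAudit:
    """Classify every account in a registration report (JSON text)."""
    report = json.loads(report_json)
    audit = MfaAudit()
    for user in report.get("value", []):
        upn = user["userPrincipalName"]
        methods = set(user.get("methodsRegistered", []))
        if not user.get("isMfaRegistered", False):
            # No usable second factor at all: will be blocked or locked out at enforcement.
            bucket = audit.admins_not_registered if user.get("isAdmin") else audit.users_not_registered
            bucket.append(upn)
        elif methods and methods <= PHONE_METHODS:
            # Registered, but only with SMS/voice: candidate for moving to a stronger method.
            audit.phone_only.append(upn)
    return audit


def fetch_registration_report(access_token: str) -> str:
    """Fetch the live report with a bearer token that holds the report-reading permission.

    Only the first page is returned; a full run should follow '@odata.nextLink' when present.
    """
    req = urllib.request.Request(
        GRAPH_REGISTRATION_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    result = audit_registration(SAMPLE_REPORT)
    print("Admins without MFA:", result.admins_not_registered)
    print("Users without MFA: ", result.users_not_registered)
    print("Phone-only MFA:    ", result.phone_only)
    print("Work through in this order:", result.remediation_order())
```

Run as-is to see the triage of the constructed sample; to audit a real tenant, pass the output of `fetch_registration_report(token)` into `audit_registration` instead of `SAMPLE_REPORT`.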

While implementing MFA is crucial, businesses may face challenges such as user resistance or the integration of MFA into legacy systems. To overcome these challenges, companies should consider phased rollouts, clear communication about the benefits, and selecting MFA options that balance security with user convenience.

Notifications regarding this mandate should start going out via email and Azure Service Health notifications, providing users with the enforcement date and the necessary steps to comply.

The enforcement of MFA across Microsoft’s Entra platform represents a significant advancement in the fight against cyber threats. Early adoption of MFA will not only ensure compliance but also significantly bolster the security posture of organizations, protecting valuable data from unauthorized access. The time to act is now, as businesses must secure their systems before the October deadline to avoid potential vulnerabilities.
