
Microsoft enforces multi-factor authentication for administrative access

Microsoft has split the MFA changeover into two phases. The gradual introduction of the MFA requirement for the Azure portal, the Microsoft Entra Admin Center, the Microsoft Intune Admin Center and the Microsoft 365 Admin Center has been taking place since October 2024. The changeover is almost complete.
Phase 2 will start on September 1, 2025, when MFA will also be required for tools such as Azure CLI, Azure PowerShell and REST APIs. In addition, the use of user identities for automated scripts will be restricted, and a migration to so-called workload identities will be recommended.
It is particularly important to ensure that a phishing-resistant MFA method, such as hardware tokens (FIDO2) or certificate-based authentication, is selected for highly privileged accounts. User identities that are used as service accounts should now be switched to workload identities to ensure uninterrupted access. Break glass or emergency access accounts will also be subject to the MFA obligation in future and must be updated accordingly.
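To find the user identities that still act as service accounts, sign-in records can be screened for successful single-factor sign-ins through the Phase 2 tools. The following is an added example, not Microsoft's code and not part of the original article; the flat JSON-lines layout, the field names (modeled on the Entra sign-in log export), the application display names and all sample records are assumptions to adapt to your own export.

```python
import json
from collections import Counter

# Phase 2 tools named in the article, as they might appear in an
# appDisplayName column (assumed values; verify against your export).
PHASE2_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}

# Constructed sample sign-in records (JSON lines); not real log data.
SAMPLE_LOG = """\
{"userPrincipalName": "svc-backup@contoso.example", "appDisplayName": "Microsoft Azure CLI", "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0}
{"userPrincipalName": "SVC-Backup@contoso.example", "appDisplayName": "Microsoft Azure CLI", "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0}
{"userPrincipalName": "admin.jane@contoso.example", "appDisplayName": "Microsoft Azure PowerShell", "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0}
{"userPrincipalName": "svc-deploy@contoso.example", "appDisplayName": "Microsoft Azure PowerShell", "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0}
{"userPrincipalName": "svc-deploy@contoso.example", "appDisplayName": "Microsoft Azure CLI", "authenticationRequirement": "singleFactorAuthentication", "errorCode": 50126}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 SharePoint Online", "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0}
{truncated
"""

def at_risk_identities(log_text):
    """Count successful single-factor user sign-ins per (user, Phase 2 tool)."""
    hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or damaged export lines
        upn = rec.get("userPrincipalName")
        app = rec.get("appDisplayName")
        if not upn or app not in PHASE2_APPS:
            continue  # service principals and other apps are out of scope
        if rec.get("errorCode") != 0:
            continue  # failed sign-ins are not working automation
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            hits[(upn.lower(), app)] += 1  # UPNs are case-insensitive
    return hits

def report(hits):
    """Return (user, tool, count) rows, most frequent first."""
    return sorted(((u, a, n) for (u, a), n in hits.items()),
                  key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for user, tool, count in report(at_risk_identities(SAMPLE_LOG)):
        print(f"{count:4d}  {user}  via {tool}")
```

Each account in the output is a candidate for migration to a workload identity before Phase 2 enforcement begins.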
With these measures, Microsoft is ensuring that all administrative access meets the highest security standards. For companies, this means reviewing their authentication policies and making adjustments to meet the requirements.
Microsoft emphasizes that MFA is not optional: it is mandatory for every organization using the affected services, regardless of the type of application or existing MFA provider.
With the introduction of mandatory MFA for Microsoft 365 and Azure portals, Microsoft is sending a clear signal in terms of security. Companies should start implementing the Phase 2 requirements now to ensure the protection of sensitive data.