Starting in October, Microsoft will enforce multi-factor authentication (MFA) for all Azure resource management actions to protect Azure clients from unauthorized access attempts.
This change is part of the company's Secure Future Initiative (SFI), will be applied gradually across tenants worldwide, and it requires users to enable MFA on Azure CLI, PowerShell, SDKs, and APIs to ensure that their accounts are protected against attacks.
To avoid compatibility issues, users are also advised to upgrade Azure CLI to version 2.76 or later and Azure PowerShell to version 14.3 or later.
Global administrators who need more time to become compliant can postpone the enforcement date until July 2026.
"Starting October 1, 2025, MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation," Microsoft explains on its support site.
"Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs)," the company added in a Microsoft 365 Message Center update.
One year ago, in August 2024, Microsoft also warned Entra global admins to enable MFA for their tenants by October 15, 2024, to ensure users don't lose access to admin portals.
Admins can monitor who registered for MFA using the authentication methods registration report or this PowerShell script to get a quick report across the entire user base.
This also follows a May 2024 announcement that MFA will be enforced for all users signing into Azure to administer resources, and a November announcement regarding the rollout of Conditional Access policies requiring MFA for all admins signing into Microsoft admin portals, for users on all cloud apps, and for high-risk sign-ins.
According to a Microsoft study, 99.99% of MFA-enabled accounts resist hacking attempts, and MFA helps reduce the risk of compromise by 98.56%, even when attackers use stolen credentials to breach accounts.
Microsoft-owned GitHub has also started enforcing two-factor authentication (2FA) for all active developers in January 2024 as part of the same effort to boost MFA adoption.
Picus Blue Report 2025 is Here: 2X increase in password cracking
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
Related Articles:
Storm-0501 hackers shift to ransomware attacks in the cloud
MFA matters… But it isn’t enough on its own
Hackers abused API to verify millions of Authy MFA phone numbers
Threat actors try to downgrade FIDO2 MFA auth in PoisonSeed phishing attack
Prep for Microsoft Azure certifications at home for $30 in this course deal
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________