It’s no secret that Microsoft is one of the major players in the IT market. The organisation ranks as one of the three leading technology companies worldwide. But this popularity and scale, coupled with an extensive product portfolio, present a large and attractive attack surface for cyber criminals.
Work patterns are also changing, further increasing the level of cyber risk. The rise of remote and hybrid working has left workforces increasingly distributed and heavily reliant on non-corporate networks to access applications and data. Users may unknowingly access that data over an insecure network, which gives an attacker a foothold from which to launch an attack.
It’s an increased level of risk that isn’t lost on Microsoft either, which is why it has identified mandatory multi-factor authentication (MFA) as one part of a large-scale investment in security enhancements.
What exactly is multi-factor authentication?
MFA is a control that verifies a user’s identity at sign-in by requiring two or more independent factors: typically something the user knows (a password) plus something they have (a phone that receives a one-time code or an authenticator prompt, or a hardware security key) or something they are (a fingerprint or face scan). A stolen password on its own is then not enough to get into the account, which is what protects your business’s confidential information.
The action plan
Microsoft are commencing a phased rollout of mandatory MFA in the second half of 2024. Phase 1 requires MFA for all user sign-ins to the Azure portal, the Microsoft Entra admin center and the Intune admin center. If you haven’t set up MFA by 15 October 2024, you will be prompted to register the next time you sign in.
Why is Microsoft making MFA mandatory?
Cyberattacks are on the rise, and Microsoft are aware of the increased risk this presents to its users. By enforcing MFA, Microsoft adds a valuable access barrier that stops attacks which rely on a stolen or guessed password alone. According to a Microsoft study, MFA blocks more than 99.2% of account compromise attacks, making it one of the most effective security controls available to any business.
Moreover, MFA is an entry point to Zero Trust principles, including Zero Trust Network Access (ZTNA). Zero Trust assumes no request is trustworthy by default: every access to an account or application is verified against the user’s identity, device and context, rather than being trusted because it comes from inside the corporate network. MFA works hand in hand with this, because having to re-prove identity with multiple factors raises additional barriers for an attacker who holds a password and reduces the likelihood of deeper compromise.
The enforcement of mandatory MFA is just one part of a wider investment in cybersecurity from Microsoft. As part of its Secure Future Initiative commitment plan, announced at the end of 2023, the organisation has outlined a security roadmap which highlights the significant enhancements planned across its cloud products and services, which are being delivered in two phases.
The first phase, which includes the MFA enforcement explained earlier, will be followed by a second phase at the start of 2025. This will extend mandatory MFA enforcement to other sign-in clients, including Azure CLI, Azure PowerShell, the Azure mobile app and infrastructure-as-code (IaC) tools.
Microsoft will notify account holders of the expected enforcement dates in 2025 ahead of time to ensure sufficient time to prepare. Businesses do also have the opportunity to request a delay, but the likelihood is that the majority will need to fall in line with the proposed deadlines.
MFA is just the start
Despite Microsoft’s own effort to enhance the security of its cloud services for customers, businesses also have a responsibility to ensure they are following recommended best practice.
As such, the mandatory MFA rollout presents an opportunity for a much-needed review of your account estate, and a chance to undertake some account hygiene actions. This is especially important for organisations that have operated with multiple people sharing a single account. Shared accounts are poor practice, and MFA makes them impractical because the second factor is typically tied to one person’s device through an authenticator app or similar. There may also be organisations that still have unused admin accounts, or emergency ‘break glass’ accounts that are kept but not properly controlled, within their tenant. These dormant accounts might never be used legitimately, but they still present an avenue of attack for cybercriminals, so they should be removed, or, for genuine break-glass accounts, documented, tightly restricted and monitored.
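One way to start that review, as an added example written for this post rather than code from Microsoft or the original article, is a Microsoft Graph PowerShell script that lists every member of an activated directory role, joins in the tenant’s authentication method registration report, and flags admins who have no MFA registered or who have not signed in for a chosen period. The 90-day dormancy threshold and the output file name are assumptions; adjust both for your own estate. It assumes the Microsoft.Graph PowerShell SDK is installed, that you hold the listed Graph permissions, and that the tenant has a Microsoft Entra ID P1 or P2 licence (required for sign-in activity data).

```powershell
# Added example (not from the original post): inventory privileged role members and
# flag those with no MFA registered and those dormant for 90+ days.
# Requires the Microsoft.Graph SDK and an Entra ID P1/P2 licence for SignInActivity.
Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$dormantAfterDays = 90                           # assumption: your own threshold
$cutoff = (Get-Date).AddDays(-$dormantAfterDays)

# Registration details for every user: IsMfaRegistered, MethodsRegistered, IsAdmin
$regByUpn = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $regByUpn[$_.UserPrincipalName] = $_
}

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user principals here; groups and service principals need their own review
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
        $lastSignIn = $user.SignInActivity.LastSignInDateTime
        $reg = $regByUpn[$user.UserPrincipalName]

        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $user.UserPrincipalName
            Enabled       = $user.AccountEnabled
            MfaRegistered = if ($reg) { $reg.IsMfaRegistered } else { $false }
            Methods       = if ($reg) { $reg.MethodsRegistered -join ',' } else { '' }
            LastSignIn    = $lastSignIn
            # Never signed in, or not since the cutoff, counts as dormant
            Dormant       = ($null -eq $lastSignIn) -or ($lastSignIn -lt $cutoff)
        }
    }
}

"Admins with no MFA registered (will be blocked at portal sign-in once enforcement starts):"
$findings | Where-Object { -not $_.MfaRegistered } | Format-Table Role,User,Enabled,Methods -AutoSize

"Dormant but enabled privileged accounts (disable, or document as break-glass and monitor):"
$findings | Where-Object { $_.Dormant -and $_.Enabled } | Format-Table Role,User,LastSignIn -AutoSize

# Keep the full inventory as evidence for the review
$findings | Export-Csv .\admin-mfa-review.csv -NoTypeInformation   # assumption: output path
```

Two caveats when reading the output. Get-MgDirectoryRole only returns roles that have been activated in the tenant and only permanent assignments, so eligible assignments made through Privileged Identity Management need a separate check. And a genuine break-glass account will, by design, show as dormant; the right response to that is not to delete it but to confirm it is on the documented list, is excluded from nothing that matters for the MFA enforcement, and has alerting on any sign-in.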
If you need help navigating these new security measures, or would like expert support to review and optimise your admin account estate, we’re ready to help. Get in touch with the team to learn more.