Microsoft 365 Message Center item MC1143999
MC1143999 - (Updated) Azure Information Protection: Enable multifactor authentication for your Azure tenant by October 1, 2025
Microsoft will enforce multifactor authentication (MFA) for all Azure resource management actions starting October 1, 2025, with a postponement option until July 2026. Users must enable MFA, update Azure CLI/PowerShell, and can apply Azure Policy to assess impact. Gallatin customers are advised to implement MFA without enforcement.
- Message Center ID
- MC1143999
- Category
- stay Informed
- Severity
- normal
- Services
- Microsoft Entra
- Tags
- Updated message, User impact, Admin impact
- Published
- 2025-08-29
- Last updated
- 2025-09-05
- Expires
- 2026-08-31
Updated September 5, 2025: Gallatin customers are advised to still implement multifactor authentication for user accounts to improve security, but there will not be Microsoft enforcement at this time.IntroductionTo strengthen security across Azure environments, Microsoft is introducing enforcement of multifactor authentication (MFA) for all Azure resource management actions. This change helps protect your organization from unauthorized access and aligns with industry best practices for identity protection. This effort is part of Microsoft’s commitment to enhance security for all customers and follows Azure’s Phase 1 rollout completed last year. Phase 2 enforcement ensures that all Azure clients - including CLI, PowerShell, SDKs, and REST APIs - are protected against unauthorized access. When this will happenPhase 2 enforcement will begin rolling out on October 1, 2025, and will be applied gradually across tenants. Customers may postpone enforcement until July 2026 if additional time is needed to become compliant.How this will affect your organizationUsers will be required to set up MFA before performing Azure resource management actions (via Azure CLI, PowerShell, Mobile App, Identity SDK, IaC tools, or REST APIs). Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs). The Phase 2 Azure Portal experience will show when enforcement is active on a tenant.If your organization cannot meet the enforcement deadline, you can postpone your tenant’s enforcement date.What you need to do to prepareVerify MFA Readiness: Ensure all users performing Azure resource management actions are enrolled in MFA. Apply Azure Policy: To understand the potential impact, apply a built-in Azure Policy definition in audit or enforcement mode to assess impact.Upgrade Azure CLI or PowerShell Versions: For the best compatibility experience, users in your tenant should use Azure CLI version 2.76 or later and Azure PowerShell version 14.3 or later. Postpone If Needed: Global administrators can self-serve postponement in the Azure Portal before enforcement begins.This change will happen automatically. No admin action is required unless you need to delay enforcement.Learn more: How it works: Microsoft Entra multifactor authentication | Microsoft LearnHow to verify that users are set up for mandatory MFA | Microsoft LearnPlanning for mandatory multifactor authentication for Azure and other admin portals | Microsoft LearnTutorial: Self-enforce MFA through Azure Policy - Azure Policy | Microsoft LearnCompliance ConsiderationsNo compliance considerations identified, review as appropriate for your organization.