Sign in Subscribe
By Lostboy in Microsoft

MFA for all Azure users, or is it?

MFA for all Azure users, or is it?
Image: https://jerbaco.wordpress.com

TL;DR it's not quite what Microsoft's article headline suggests, but it is still a step forward from Microsoft.

The original post has very few technical details in regards to how it will actually work. Since the original post, Microsoft have slowly released more information on how the change will be implemented and function. Let's take a look at the proposed changes, how it benefits the baseline security posture of Azure tenancies, what it will cover, and more importantly what it won't cover.

Microsoft’s original blog post here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391

Disclaimer:

Microsoft is still accepting feedback on the proposed changes, what is currently known may differ from the end result.

What Is Changing:

Microsoft have announced that they will begin to roll out “MFA for all Azure users” starting in July 2024. The roll out will be staggered, and not all tenants will have the change implemented at the same time.

Once your tenancy is updated, users who sign-into the Azure portal, CLI, PowerShell or Terraform to administer Azure resources will now be required to present MFA at sign-in.

This change will include guest users, and operates in the same fashion as Conditional Access policies where the most restrictive policy applies.

This change will NOT require MFA for services outside of the above, including applications, websites, websites, Managed Identities, and Service Principals.

Your organisation's current configuration and licensing for MFA will not change. If your organisation currently supports Microsoft Authenticator, FIDO2 security keys, etc, these are the same methods which will be available to these users.

Currently there is no no opt-out option, however there is likely to be an exception process.

Recap of the important bits:

  • The roll-out of this change starts July 2024
  • This doesn’t replace any current form of MFA or Conditional Access policy, it will just add further controls
  • MFA will not be required for everything, only where users are managing Azure resources
  • Like Conditional Access policies, the most restrictive policy will apply
  • It will apply to guest user identities
  • At the time of writing there is no opt-out option

Where MFA will now be required:

  • Azure Portal
  • Azure CLI
  • Azure PowerShell
  • Terraform

Where MFA will still NOT be required by default:

  • Applications
  • Sites
  • Services
  • Websites
  • Managed Identities
  • Service Principals

What should your organisation do:

  • Welcome the change, it is a better default than the current
  • Understand how this change might impact users in your organisation
  • Continue to create and deploy your own Conditional Access policies which provide stronger security than the defaults
  • Where possible you should require MFA at sign-in for all users, regardless of the users role, device or location

Closing Thoughts

The new MFA requirement improves the baseline security posture of Azure resources, but does not apply in all situations.

Overall this seems like good progress, as long as organisations understand that this change will not actually require ALL users to present MFA at sign-in.

John Savill has released an excellent video which I would recommend watching which covers this topic in depth: https://www.youtube.com/watch?v=yb31HkOzGg0

If you have any questions regarding the upcoming changes, or Microsoft Azure/365 security in general, feel free to reach out.

Subscribe to Lostboys Blog

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]
Subscribe