Azure mandatory multifactor authentication: Phase 2 starting in October 2025
Microsoft Azure is set to implement Phase 2 of multifactor authentication (MFA) enforcement at the Azure Resource Manager layer, beginning on October 1, 2025.
With the rise of cyberattacks becoming more frequent and sophisticated, protecting your digital assets is absolutely essential. At Microsoft, your security is our utmost priority. According to Microsoft research, implementing MFA can prevent over 99.2% of account compromise attempts, making it one of the most effective ways to secure your accounts.
As announced in August 2024, Azure began enforcing mandatory MFA for sign-ins to the Azure Public Cloud. By introducing MFA for Azure sign-ins, we’re working hard to ensure you have robust protection against cyber threats, as part of our dedication to improving security for all users and moving towards a safer future.
Previously, we revealed that MFA enforcement would be rolled out in stages to give customers ample time to prepare and adapt:
- Phase 1: MFA enforcement on sign-ins to the Azure Portal, Microsoft Entra admin centre, and Intune admin centre.
- Phase 2: Gradual enforcement of MFA for users managing Azure resources through any client, including but not limited to Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools.
We’re pleased to share that MFA enforcement for sign-ins to the Azure Portal has been fully implemented for all Azure tenants as of March 2025. Now, we are announcing the commencement of Phase 2 MFA enforcement at the Azure Resource Manager level, starting October 1, 2025. This will be rolled out gradually across Azure tenants using Azure Policy, adhering to Microsoft’s secure deployment practices.
This week, Microsoft has begun sending communications to all Microsoft Entra Global Administrators via email and through Azure Service Health notifications, outlining the enforcement start date and preparation guidelines.
Impact on Customers
From now on, users will need to authenticate using MFA before executing any resource management operations. However, workload identities, including managed identities and service principals, will not be affected by this MFA enforcement.
Discover more about the scope of enforcement.
Preparation Steps
1. Activate MFA for Your Users
To allow your users to manage resources, be sure to enable MFA for your users by October 1, 2025. To find out which users need mandatory MFA set up, follow these instructions.
2. Recognise the Potential Impact
To get ahead of the changes with Phase 2 enforcement, consider applying built-in Azure Policy definitions that will block resource management operations for users who have not completed MFA authentication.
Customers can implement this enforcement progressively across various resource hierarchy scopes, types, or regions.
3. Update Your Azure CLI and PowerShell Clients
To ensure optimal compatibility, users in your environment should update to Azure CLI version 2.76 or later, and Azure PowerShell version 14.3 or above.
