MC1143999 - Azure Information Protection: Enable multifactor authentication for your Azure tenant by October 1, 2025

Updated September 5, 2025: Gallatin customers are advised to still implement multifactor authentication for user accounts to improve security, but there will not be Microsoft enforcement at this time.

Introduction

To strengthen security across Azure environments, Microsoft is introducing enforcement of multifactor authentication (MFA) for all Azure resource management actions. This change helps protect your organization from unauthorized access and aligns with industry best practices for identity protection.

This effort is part of Microsoft’s commitment to enhance security for all customers and follows Azure’s Phase 1 rollout completed last year. Phase 2 enforcement ensures that all Azure clients - including CLI, PowerShell, SDKs, and REST APIs - are protected against unauthorized access.

When this will happen

Phase 2 enforcement will begin rolling out on October 1, 2025, and will be applied gradually across tenants. Customers may postpone enforcement until July 2026 if additional time is needed to become compliant.

How this will affect your organization

Users will be required to set up MFA before performing Azure resource management actions (via Azure CLI, PowerShell, Mobile App, Identity SDK, IaC tools, or REST APIs).

Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs). The Phase 2 Azure Portal experience will show when enforcement is active on a tenant.

If your organization cannot meet the enforcement deadline, you can postpone your tenant’s enforcement date.

What you need to do to prepare

• Verify MFA Readiness: Ensure all users performing Azure resource management actions are enrolled in MFA.
• Apply Azure Policy: To understand the potential impact, apply a built-in Azure Policy definition in audit or enforcement mode to assess impact.
• Upgrade Azure CLI or PowerShell Versions: For the best compatibility experience, users in your tenant should use Azure CLI version 2.76 or later and Azure PowerShell version 14.3 or later. 
• Postpone If Needed: Global administrators can self-serve postponement in the Azure Portal before enforcement begins.

This change will happen automatically. No admin action is required unless you need to delay enforcement.

Learn more: 

• How it works: Microsoft Entra multifactor authentication | Microsoft Learn
• How to verify that users are set up for mandatory MFA | Microsoft Learn
• Planning for mandatory multifactor authentication for Azure and other admin portals | Microsoft Learn
• Tutorial: Self-enforce MFA through Azure Policy - Azure Policy | Microsoft Learn

Compliance Considerations

No compliance considerations identified, review as appropriate for your organization.