Published Aug 29, 2025
Microsoft will enforce multifactor authentication (MFA) for all Azure resource management actions starting October 1, 2025, with a postponement option until July 2026. Users must enable MFA, update Azure CLI/PowerShell, and can apply Azure Policy to assess impact. Gallatin customers are advised to implement MFA without enforcement.
Updated September 5, 2025: Gallatin customers are advised to still implement multifactor authentication for user accounts to improve security, but there will not be Microsoft enforcement at this time.
Introduction
To strengthen security across Azure environments, Microsoft is introducing enforcement of multifactor authentication (MFA) for all Azure resource management actions. This change helps protect your organization from unauthorized access and aligns with industry best practices for identity protection.
This effort is part of Microsoft’s commitment to enhance security for all customers and follows Azure’s Phase 1 rollout completed last year. Phase 2 enforcement ensures that all Azure clients - including CLI, PowerShell, SDKs, and REST APIs - are protected against unauthorized access.
When this will happen
Phase 2 enforcement will begin rolling out on October 1, 2025, and will be applied gradually across tenants. Customers may postpone enforcement until July 2026 if additional time is needed to become compliant.
How this will affect your organization
Users will be required to set up MFA before performing Azure resource management actions (via Azure CLI, PowerShell, Mobile App, Identity SDK, IaC tools, or REST APIs).
Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs). The Phase 2 Azure Portal experience will show when enforcement is active on a tenant.
If your organization cannot meet the enforcement deadline, you can postpone your tenant’s enforcement date.
What you need to do to prepare
This change will happen automatically. No admin action is required unless you need to delay enforcement.
Learn more:
Compliance Considerations
No compliance considerations identified, review as appropriate for your organization.