Buckle up for mandatory MFA from Microsoft

A push is underway from Microsoft to enforce multifactor authentication (MFA) for administrators accessing Microsoft Entra ID (formerly Azure Active Directory), Microsoft 365 and Exchange.

Microsoft-managed Conditional Access policies are now being rolled out to administrators worldwide, who will have 90 days from notification to opt out before MFA becomes compulsory.

“It’s our strong recommendation - and a policy we’ll deploy on your behalf - that multifactor authentication protect all user access to admin portals such as https://portal.azure.com, Microsoft 365 admin center, and Exchange admin center,” wrote Alex Weinert, Microsoft Vice President, Identity Security, in a blog post.

“Please note that while you can opt out of these policies, teams at Microsoft will increasingly require multifactor authentication for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrolment.

Multifactor authentication has been on by default for consumer accounts such as Outlook.com, Skype, Xbox, and OneDrive for 10 years. However, despite repeated urging by Microsoft, it is used by only 37% of corporate and government users.

“In a world where digital identity protects virtually every digital and physical asset and makes virtually all online experiences possible - and in a year when we’ve blocked more than 4,000 password attacks per second - we need to do more to drive multifactor authentication adoption. And so now, we’re kicking off the next radical idea,” said Weinert.

He likened the proposal to making seatbelts compulsory in the 1960s, after which traffic injuries plummeted.

“And now, your car owes its safety rating in part to the annoying ding-ding-ding of the dashboard should you forget to buckle up. This approach - of making a secure posture easy to get into and hard to get out of - is sometimes called the “pit of success.”

“Similarly, in the early days of cloud identity, if you wanted multifactor authentication for your accounts, you could certainly have it. You just had to pick a vendor, deploy the multifactor authentication service, configure it, and convince all your users to use it. Unsurprisingly, virtually no one did that.

“But when we applied the “pit of success” philosophy for consumer accounts in 2013 with multifactor authentication on by default, and for enterprise accounts in 2019 with security defaults, account compromise plummeted as multifactor authentication usage went up. And we’re incredibly excited about the next step in the journey: the automatic roll-out of Microsoft-managed Conditional Access policies.”

“Our eventual goal is to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls. In other words, as the cyberthreat landscape evolves, we’d not only recommend policy changes based on the trillions of signals we process every day, but we’d also safely apply them for you ahead of bad actors.

“Not only will the seat belts already be in your car, but we’ll also help you fasten them to keep everyone safer. That way, you can keep your eyes on the road ahead,” said Weinert.