Microsoft Entra Introduces MFA Requirements and New Security Features

Published: Oct 09, 2024

Key Takeaways:

  • Starting October 15, Microsoft will require MFA for all sign-ins to the Entra admin center, Azure portal, and Intune admin center.
  • Microsoft Entra will mandate the use of hardware-bound cryptographic secrets for newly registered Apple devices.
  • Microsoft is retiring legacy AzureAD and MSOnline PowerShell modules.

Microsoft has provided a detailed overview of the latest features and capabilities for Entra customers, focusing on improvements in security, identity modernization, and more. These updates aim to streamline operations while strengthening protection and adaptability for organizations.

Security improvements

In June, Microsoft announced that it would require multifactor authentication (MFA) for all Azure sign-ins beginning in October this year. The company plans to roll out this change in two phases. Starting on October 15, customers will be required to implement MFA to sign in to the Entra admin center, Azure portal, and Intune admin center.

In early 2025, Microsoft will extend gradual enforcement of MFA to include the Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools. Administrators will receive a 60-day advance notice with options to extend time for organizations that meet specific requirements.

“We understand that some customers may need additional time to prepare for this MFA requirement. Therefore, Microsoft will allow extended time for customers with complex environments or technical barriers. The notification from us will also include details about how customers can postpone the start date of enforcement for their tenants, the duration of the postponement, and a link to apply,” Microsoft explained.

Earlier this year, Microsoft announced plans to phase out keychain-backed device identity for Apple devices in Entra ID environments by June 2026. Now, Microsoft has informed customers that starting in June 2025, all newly registered Apple devices must use hardware-bound cryptographic secrets supported by Apple’s Secure Enclave.

Microsoft will release a new version of Entra Connect Sync later this month and recommends that commercial customers upgrade to this latest version by early April. Last month, Microsoft also released updates to offer free enterprise data protection capabilities to Copilot users with Entra accounts. This capability should help organizations enhance data security, privacy, and compliance.

Additionally, Microsoft will enable browser access by default for all Android users. The company has also restricted unused permissions from the privileged “Directory Synchronization Accounts” role in Microsoft Entra Connect Sync and Cloud Sync.

Identity modernization updates

Microsoft will begin phasing out the Azure AD Graph API service on September 1, 2024. This change will impact both new and existing applications, requiring customers to migrate to Microsoft Graph. Administrators who need additional time for migration can set the blockAzureADGraphAccess attribute to false in the app’s authenticationBehaviors configuration.

Last but not least, Microsoft has deprecated the legacy AzureAD PowerShell and MSOnline PowerShell modules. IT admins are advised to migrate their scripts to the Microsoft Graph PowerShell SDK before March 30, 2025.
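To plan that migration, it helps to inventory which scripts still depend on the retired modules. The scanner below is an added example, not code from the article or from Microsoft; it assumes legacy usage can be recognized by the `AzureAD` and `Msol` cmdlet noun prefixes and by explicit module loads, and the sample script is constructed.

```python
import re
from collections import Counter

# Cmdlets of the legacy modules carry the noun prefixes AzureAD and Msol.
CMDLET = re.compile(r"\b[A-Za-z]+-(AzureAD|Msol)\w*", re.IGNORECASE)
# Explicit module loads or #Requires statements naming a legacy module.
MODULE = re.compile(
    r"(?:Import-Module|#Requires\s+-Modules?)\b.*?\b(AzureAD(?:Preview)?|MSOnline)\b",
    re.IGNORECASE)

def family(name):
    return "MSOnline" if name.lower().startswith("ms") else "AzureAD"

def scan_script(text):
    """Return (line_no, module, matched_text) for each legacy reference."""
    findings, in_block = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if in_block:                          # inside a <# ... #> comment
            if "#>" not in line:
                continue
            line, in_block = line.split("#>", 1)[1], False
        if "<#" in line:
            head, _, tail = line.partition("<#")
            if "#>" in tail:
                line = head + tail.split("#>", 1)[1]
            else:
                line, in_block = head, True
        if not line.lstrip().lower().startswith("#requires"):
            line = line.split("#", 1)[0]      # naive: ignores '#' inside strings
        m = MODULE.search(line)
        if m:
            findings.append((no, family(m.group(1)), m.group(0).strip()))
        for c in CMDLET.finditer(line):
            findings.append((no, family(c.group(1)), c.group(0)))
    return findings

def summarize(findings):
    return Counter(mod for _, mod, _ in findings)

# Constructed sample: legacy calls, commented-out calls, and Graph/Az calls.
SAMPLE = """#Requires -Modules MSOnline
<# Old helper, once used Get-AzureADGroup
   and Get-MsolDomain #>
Import-Module AzureAD
Connect-AzureAD
$users = Get-AzureADUser -All $true   # replaces Get-MsolUser
Connect-MsolService; Get-MsolUser -UserPrincipalName $upn
Connect-MgGraph -Scopes "User.Read.All"
Get-AzADUser -First 5
"""

if __name__ == "__main__":
    for no, mod, hit in scan_script(SAMPLE):
        print(f"line {no}: {mod:8} {hit}")
```

References inside comments are skipped, so the output lists only lines that would actually fail once the modules stop working.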
