Microsoft to Tighten Cloud Security with Mandatory MFA for Azure Resource Management

Microsoft will soon begin enforcing Multi-Factor Authentication (MFA) for all Azure resource management actions. The company has announced that this change will go into effect on October 1, 2025.

In a support document, Microsoft detailed that the mandatory MFA enforcement will apply to Azure CLI, PowerShell, SDKs, REST APIs, Infrastructure as Code (IaC) tools, and the Azure mobile app. This enforcement is a part of Microsoft’s Secure Future Initiative (SFI) that launched in November 2023.

SFI is a multi-year strategy aimed at embedding security into every aspect of how the company designs, builds, and operates its technologies. It is built on three core principles: Secure by Design, Secure by Default, and Secure in Operations. SFI spans six engineering pillars, including identity protection, network security, threat detection, and rapid vulnerability remediation.

“Starting October 1, 2025, MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation,” the company explained on the Microsoft 365 Admin Center. “Enforcement applies to all Azure tenants in the public cloud and all users. This includes automation and scripts using user identities (instead of application IDs).”

How can Azure admins prepare ahead of MFA enforcement?

Microsoft encourages users to upgrade to Azure CLI v2.76+ and PowerShell v14.3+ to avoid compatibility issues. Moreover, administrators should audit and migrate automation scripts from user identities to workload identities. It’s also recommended to use Azure Policy in audit/enforcement mode to assess impact, and monitor MFA registration using built-in reports or PowerShell scripts.

Microsoft will enforce multi-factor authentication (MFA) for Azure resource management gradually across all tenants. However, global administrators will have the option to delay this enforcement until July 1, 2026, to allow more time for preparation.

Microsoft’s research strongly supports the effectiveness of multi-factor authentication (MFA) in protecting user accounts. It shows that 99.99 percent of accounts with MFA enabled are resistant to hacking attempts. Even when credentials are compromised, MFA reduces the risk of unauthorized access by 98.56 percent. These findings emphasize why enforcing MFA is an important step in securing Azure environments.