MFA enforcement extension to September 2025

Question

MFA enforcement extension to September 2025

Jo Horn 20

I am requesting an extension for the MFA enforcement to September 2025 to give us time to put all our practices in place.. How do I make this request?

Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator

2025-02-09T18:40:14.65+00:00

Hello @Jo Horn,

Thank you for posting your query on Microsoft Q&A.

As @TP mentioned, you can extend the postponement grace period deadline to delay enforcement for tenants until September 30, 2025.

This extension can be requested starting in the second half of February 2025.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Jo Horn 20 Reputation points

2025-02-10T03:23:42.3166667+00:00

Thank you

5 answers

Your answer

Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator

2025-02-09T18:40:14.65+00:00

Hello @Jo Horn,

Thank you for posting your query on Microsoft Q&A.

As @TP mentioned, you can extend the postponement grace period deadline to delay enforcement for tenants until September 30, 2025.

This extension can be requested starting in the second half of February 2025.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Jo Horn 20 Reputation points

2025-02-10T03:23:42.3166667+00:00

Thank you

Answer 1

Hi,

Looking at your screenshot, you can now postpone MFA enforcement to a later date.

To get around the MFA requirement, what you can do is enable MFA for one new account. This will leave all of the other users as they are now. Instructions below:

1. Create new Global Administrator account—in Azure portal, navigate to Microsoft Entra ID -- Manage -- Users blade, then click New user - Create new user. Create new user named postponemfa or similar, and assign Global Administrator role to it, making note of temporary password.

2. Enable Per-User MFA on new account (only)—in Azure portal, navigate to Microsoft Entra ID -- Manage -- Users blade, then click Per-User MFA. Find the user you just created, select it, and click Enable MFA

Entra ID Users blade Per-user MFA button

Per-user MFA screen

3. Configure MFA on new account—open a separate browser session by [Chrome] clicking on person icon in upper right corner and clicking Open Guest profile or [Edge] clicking on person icon in upper left corner and clicking Other profiles --> Browse as guest

Sign-in to Azure portal in Guest browser session using the new account and follow instructions to configure MFA. You could add this new account to Microsoft Authenticator on your phone if you want.

4. Elevate access on new account—still using Guest browser session, in Azure portal, navigate to Microsoft Entra ID -- Manage -- Properties blade scroll down to Access management for Azure resources and change it to Yes for this new account, Save, then sign out and sign back in for the change to take effect

Entra ID Properties blade elevate access

5. Postpone MFA enforcement date—still using Guest browser session, navigate to postpone MFA enforcement. Since you used MFA to sign-in, it should now allow you to postpone to later date.

Completing the above steps should take about 10 minutes. If you are unsure about how to perform one of the steps add a comment below and I will assist.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Jo Horn 20 Reputation points

2025-02-26T09:20:06.2833333+00:00

I am totally confused with your response. I thought the whole idea of postponing the enforcement was so I do not have to enable MFA now. I do not want to enable MFA for me or anyone on my tenant right now, which is why I want it postponed. Having to enforce MFA for me, so I can request postponement seems to defeat the purpose.
TP 125.9K Reputation points Volunteer Moderator

2025-02-26T09:57:00.2966667+00:00

I am totally confused with your response. I thought the whole idea of postponing the enforcement was so I do not have to enable MFA now. I do not want to enable MFA for me or anyone on my tenant right now, which is why I want it postponed. Having to enforce MFA for me, so I can request postponement seems to defeat the purpose.

I understand what you mean. My instructions were intended to allow you to postpone MFA enforcement on your tenant, which is in my opinion most important thing you want. Creating a single temporary admin account w/MFA, postponing MFA enforcement, and then deleting this account (if desired) seemed like okay tradeoff since in the end your existing accounts will all stay the same.

For a long time now Microsoft has enforced MFA for certain things (sporadically in my experience), even before the recent months mandatory MFA push. For example, certain subscription-related tasks like transferring billing ownership, quota requests (not all), or similar.

I don't know their reasoning for requiring MFA for postponement—I'm just trying to give you a way whereby you can achieve your goal.
Jo Horn 20 Reputation points

2025-02-26T17:46:36.7266667+00:00

I appreciate your patience. Thank you for trying to help. I just got muddled up with having to enable MFA, before I can request to postpone MFA. Although it does not make logical sense doing it this way, it seems this is what I have to work with. Thank you for taking the time to respond. I appreciate it.

Answer 2

Hi,

The ability to postpone enforcement until September 30, 2025 is supposed to be available starting in the second half of this month. Please see article below which has instructions as well as link to portal page to postpone.

Request more time to prepare for enforcement

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

Excerpt:

We understand that some customers may need more time to prepare for this MFA requirement. Microsoft is allowing customers with complex environments or technical barriers to postpone the enforcement for their tenants until September 30, 2025.

Starting in 2nd half of February 2025, Global Administrators can go to the Azure portal to select the start date of enforcement for their tenant for admin portals in Phase 1. Global Administrators must elevate access before they can postpone the start date of MFA enforcement.

Global Administrators must perform this action for every tenant where they want to postpone the start date of enforcement.

By postponing the start date of enforcement, you take extra risk because accounts that access Microsoft services like the Azure portal are highly valuable targets for threat actors. We recommend all tenants set up MFA now to secure cloud resources.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Jo Horn 20 Reputation points

2025-02-20T17:39:51.1833333+00:00

When in the second half of February. Today is February 20th and I am not able to extend.
Jo Horn 20 Reputation points

2025-02-20T17:45:04.1833333+00:00

When in February would I be able to make the change. This is what I see today? I am not given the option to change it.

Answer 3

Raja Pothuraju 24,135 Microsoft External Staff Moderator

Hello @Jo Horn,

Thank you for your response.

As per the recent update on this, the date picker for portal MFA enforcement is currently rolling out and it is going to roll out completely to all tenants by 2/24/2025.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

User's image I hope this information is helpful. Please feel free to reach out if you have any further questions.

Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator

2025-02-24T23:17:11.4266667+00:00

Hello @Jo Horn,

As per the latest update, the start date for enforcement selection has been changed from February 24, 2025, to March 3, 2025.

Please wait until March 3, 2025, for the changes to reflect in your tenant. Let me know if you have any questions.
Jo Horn 20 Reputation points

2025-02-25T18:53:46.6266667+00:00

I tried to update the postponement date today but this is what I see. It will not let me update although I am logged in.
Jo Horn 20 Reputation points

2025-02-25T19:05:11.85+00:00

<<Removed Duplicate comment>>
Jose Benjamin Solis Nolasco 3,511 Reputation points

2025-02-25T19:08:44.2+00:00

Did you log in with Global Administrator? Try that first then wait a 5 min and see what happens
Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator

2025-02-26T07:36:40.31+00:00

Hello @Jo Horn,

If you haven’t logged into the Azure Portal with an MFA session, you may encounter this error.

To resolve this, enable MFA for your user account using Per-user MFA, as TP mentioned. Once enabled, you can access the same page to modify the enforcement date: https://aka.ms/managemfaforazure.

If you prefer not to enable MFA for your account, visit aka.ms/security-info to trigger an MFA prompt for a one-time session. Then, in another tab, open https://aka.ms/managemfaforazure to update the enforcement date.
Jo Horn 20 Reputation points

2025-02-26T09:19:14.7833333+00:00

I am totally confused with your response. I thought the whole idea of postponing the enforcement was so I do not have to enable MFA now. I do not want to enable MFA for me or anyone on my tenant right now, which is why I want it postponed. Having to enforce MFA for me, so I can request postponement seems to defeat the purpose.
Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator

2025-02-26T23:12:02.1766667+00:00

Hello @Jo Horn,

Thank you for your response.

To postpone MFA, a user must log in with an MFA-enabled session in the Azure Portal. This ensures that at least one user in the tenant is registered with MFA, preventing tenant lockout when MFA enforcement is applied to admin portals.

That’s why I mentioned that if you don’t want to enforce MFA for any user right now, you can follow the workaround I shared in my previous comment.

Visit aka.ms/security-info to trigger an MFA prompt for a one-time session. This will not enforce MFA but will ensure that the user is registered for it. Then, in another tab, open aka.ms/managemfaforazure to update the enforcement date.

Answer 4

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 5

Jo Horn 20

Hello, I followed the instruction you have me to create a new user and setup the MFA. I was able to do that, but all of a sudden I am getting a stream of charges from Microsoft for this new postponemfa user for everything possible. I thought the idea was to use this new user to postponemfa. The new user is not used for anything else. I need all these charges removed.

TP 125.9K Reputation points Volunteer Moderator

2025-03-17T15:04:39.5233333+00:00

What specific charges are you referring to?

Creating a new Entra ID user and enabling Per-user MFA with Microsoft Authenticator shouldn't cause any charges by itself, but perhaps there is something different about your environment.

I've used similar technique to what I described above multiple times without any charges being accrued as a result.

To have charges potentially refunded you would create a billing support request in Azure portal. There is no charge for billing support request.
Jo Horn 20 Reputation points

2025-03-17T15:22:22.76+00:00
These are the invoices I have received so far -

View your Planner Plan 1 invoice

Invoice1.png

Invoice2.png Invoice3.png
Jo Horn 20 Reputation points

2025-03-17T15:23:27.46+00:00

Invoice2 did not load correctly so I am resending. Invoice2.png
TP 125.9K Reputation points Volunteer Moderator

2025-03-17T16:25:19.1433333+00:00

Looking at it my first impression is you are being billed for non-Azure licenses. For example, "Project Planner 1" is not Azure-related.

Have you gone into Microsoft 365 admin center and looked at your licenses? Make sure that this "postponemfa" user isn't assigned any licenses, and you cancel any new license orders that are related.

The other thing is, who handles your Microsoft 365 set up for you, or do you do that yourself? If you do have a company that manages M365 for you, it is worth it to open a support ticket with them and ask why these charges suddenly popped up?

Your environment may be set up to automatically purchase new licenses if/when a new user is created. For large percentage of time, this is good way to have things, however, it doesn't work for all cases. Microsoft 365 licensing is generally per user, but it is actually per unique human, NOT per unique Entra ID user account.

The other thing I would recommend is to go into your Azure Cost Management + Billing invoices and double-check that none of these new charges are coming from Azure. That way you know you have to focus on Microsoft 365 only.
Jo Horn 20 Reputation points

2025-03-23T21:20:58.62+00:00

I looked at the admin center and nothing is assigned. We are being charged although nothing is assigned.
TP 125.9K Reputation points Volunteer Moderator

2025-03-23T23:49:52.0766667+00:00

A license doesn't need to be assigned in order for you to be billed for it. Did you go in and look at recent license purchases and cancel them if possible? I mentioned that in my reply above.

It depends, but generally there is a time limit to get this taken care of. If you wait too long they may not issue refund for license(s) you recently purchased.

If necessary, create a new billing support request in M365 admin and ask why you were billed for new licenses.

Share via

MFA enforcement extension to September 2025

5 answers

Your answer