email Action required: Enable multifactor authentication for your tenant by 15 October 2024

Apichart Tangsongjaroen 20 Reputation points
2024-08-18T08:07:33.0233333+00:00

-image of email with header: Action required: Enable multifactor authentication for your tenant by 15 October 2024-

I received this email from Microsoft. How do I adjust it? Is it necessary?

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

2 answers

  1. Raja Pothuraju 6,825 Reputation points Microsoft Vendor
    2024-08-20T16:26:10.4466667+00:00

    Hello @Apichart Tangsongjaroen,

    Thank you for posting your query on Microsoft Q&A.

    Tagging @CristianAlbertarelli-0761 for visibility, as per previous comments.

    I see you have received an email notification regarding the recent announcement on Azure MFA enforcement, "Action required: Enable multifactor authentication for your tenant by 15 October 2024".


    Regarding this new announcement, I’d like to clarify that it is not related to Microsoft-managed Conditional Access policies. The Azure MFA enforcement will be rolled out in phases, with Phase 1 starting on October 15, 2024. This phase will make MFA mandatory for all users in the tenant when logging in via web browsers to the Azure Portal, Entra Portal, and Intune Portal.

    Please see below for an explanation of the mandatory multifactor authentication (MFA) for Azure and other administration portals, how it will impact user sign-ins to these portals, and the channels through which you will be notified about this change.

    Notification Channels:

    Microsoft will notify all Microsoft Entra Global Administrators through the following channels:

    Email: Global administrators who have configured an email address will be informed by email of the upcoming MFA enforcement and the actions required to be prepared.

    Service health notification: Global Administrators will receive a service health notification through the Azure portal, with the tracking ID of 4V20-VX0. This notification will contain the same information as the email.

    Portal notification: Global Administrators will see a notification in the Azure portal, Entra admin center and Intune admin center at login. The portal notification links to this page for more information about MFA.

    Microsoft 365 message center: Global Administrators will also see a message in the Microsoft 365 message center with the same information as the email and service health notification.

    Enforcement Phases:

    Phase 1: Starting on October 15, 2024, enforcement for MFA at sign-in for the Azure portal, Entra portal and Intune portal will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools. This phase is expected to last until March 2025.

    Phase 2: Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.

    Scope of enforcement:

    All users signing into the Azure portal, Azure CLI, Azure PowerShell and IaC tools, such as Azure Developer CLI, Bicep, Terraform and Ansible to perform any CRUD (Create, Read, Update, Delete) operation will require MFA when the enforcement begins. End users who are accessing apps, websites or services hosted on Azure, but not signing into the Azure portal, CLI or PowerShell, are not subject to this requirement from Microsoft. Authentication requirements for end users will still be controlled by the app, website or service owners.

    Workload Identities, such as managed identities and service principals, will not be impacted by this enforcement. If you are leveraging user identities as a service account running automation (including scripts or other automated tasks), those will be required to use MFA once enforcement begins.

    Implementation:

    This MFA requirement will be implemented in addition to any existing access policies in your tenant. For instance:

    • If you’ve retained Microsoft’s security defaults and have them enabled, your users will see no change in behavior since MFA is already required for Azure management.
    • If you’re using Conditional Access policies in Microsoft Entra and have a policy requiring MFA for Azure sign-ins, your users will not experience any changes.
    • If you have more restrictive Conditional Access policies requiring stronger authentication (e.g., phishing-resistant MFA), those policies will continue to be enforced without changes.

    Enabling MFA:

    The enforcement will roll out to all tenants starting on October 15, 2024, as part of Phase 1. However, before this enforcement is applied, ensure that nothing breaks for users in your tenant. Identify any users who are accessing the Azure Portal, Intune portal, or Entra portal without MFA and inform them in advance to register for an available MFA method. All supported MFA methods are available for you to use and there are no changes to the authentication method features as part of this requirement.

    Identifying Users Signing into Azure with and without MFA:

    Use these App IDs in your queries:

    • Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
    • Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
    • Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2
    • Azure mobile app: 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa

    Postponing Enforcement:

    If you need more time to identify and prepare your users, you can postpone the enforcement date until March 15, 2025.

    To do this:

    • Go to https://aka.ms/managemfaforazure, log in as a global administrator, and click "Postpone enforcement."
    • Confirm by clicking "Postpone" on the confirmation page.
    • You should now see the new enforcement date (March 15, 2025) on the grace period page.

    Common Questions:

    Q: Which Azure services will require MFA?

    • A: This release applies the policy to the Azure Portal, Intune Portal, and Entra Portal. All sign-ins via web browsers will require MFA.

    Q: When will other Azure services be locked down?

    • A: Azure CLI, PowerShell, and Terraform will require MFA starting in early 2025, with rollout dates yet to be determined.

    Q: What if MFA is already enabled?

    • A: If you’re already requiring MFA for users accessing the Azure Portal, there will be no change in experience. If only a subset of users is required to use MFA, those not using MFA will now need to do so when signing in to the Azure Portal.

    Additional Resources: For more information, please refer to the following articles and YouTube video:

    Planning for mandatory multifactor authentication for Azure and other administration portals

    What the Required MFA announcement really means. on YouTube (3rd party resource).

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.
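
Added example, not part of the answer above or of any Microsoft tooling: one way to act on "Identifying Users Signing into Azure with and without MFA" is to export sign-in logs and list every user who completed a sign-in to one of the listed App IDs where MFA was not required. The field names assume records shaped like Microsoft Graph `signIn` resources; the sample records and `contoso.example` accounts are constructed.

```python
from collections import defaultdict

# App IDs listed in the answer above.
ADMIN_APP_IDS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": "Azure portal",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
    "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa": "Azure mobile app",
}

def users_without_mfa(sign_ins):
    """Return {user: {app: (single_factor_count, mfa_count)}} for each user with
    at least one successful single-factor sign-in to a listed app."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for rec in sign_ins:
        app = ADMIN_APP_IDS.get((rec.get("appId") or "").lower())
        if app is None:
            continue  # sign-in to an app outside the listed set
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed or interrupted sign-in, no session was issued
        user = (rec.get("userPrincipalName") or "").lower()
        mfa = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        counts[user][app][1 if mfa else 0] += 1
    return {
        user: {app: tuple(c) for app, c in apps.items()}
        for user, apps in counts.items()
        if any(c[0] > 0 for c in apps.values())
    }

def rec(upn, app_id, requirement, error_code=0):
    # Helper for building the constructed sample below.
    return {"userPrincipalName": upn, "appId": app_id,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}

PORTAL, CLI, PWSH = list(ADMIN_APP_IDS)[:3]
SAMPLE = [  # constructed records, not real log data
    rec("alice@contoso.example", PORTAL, "singleFactorAuthentication"),
    rec("alice@contoso.example", PORTAL, "multiFactorAuthentication"),
    rec("bob@contoso.example", CLI, "multiFactorAuthentication"),
    rec("carol@contoso.example", PWSH, "singleFactorAuthentication", 50126),
    rec("dave@contoso.example", "00000000-0000-0000-0000-000000000000",
        "singleFactorAuthentication"),
    rec("SVC-Deploy@contoso.example", CLI.upper(), "singleFactorAuthentication"),
]

if __name__ == "__main__":
    for user, apps in sorted(users_without_mfa(SAMPLE).items()):
        print(user, apps)
```

A user account used for automation, like the constructed `svc-deploy` entry, shows up here with zero MFA sign-ins; those are the accounts to move to a workload identity before enforcement.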

  2. Azizkhon Ishankhonov 435 Reputation points
    2024-08-18T11:34:44.3466667+00:00
