Hello @Jacky Ho,
Thank you for posting your query on Microsoft Q&A.
As @Vasil Michev mentioned, you don't need a Premium License in Entra ID to enable MFA. You can use Security Defaults or Per-User MFA to enforce MFA for user logins to applications. Please find the steps below on how to enable Security Defaults or Per-User MFA.
To enable security defaults in your directory:
- Sign into the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Browse to Microsoft Entra ID > Properties.
- Select Manage security defaults.
- Set Security defaults to Enabled.
- Select Save.
To enable Per-user MFA in your directory:
- Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
- Browse to Identity > Users > All users.
- Select Per-user MFA.
- A new page opens that displays the user state, as shown in the following example.
- Select the user account and click Enable.
Note: Enable MFA either through Security Defaults or Per-User MFA. Do not enable both in your tenant.
Please find below the document with step-by-step guidance for end users to register for MFA.
Set up the Microsoft Authenticator app as your verification method
Regarding your second question, "Impact on Users: My tenant is currently using the Office 365 Business package. If I do not enable MFA, will users accessing Office 365 services like Microsoft Teams and Office apps be affected?"
If you do not enable MFA for your users through any policy, there is a possibility that new or existing users may not be prompted to register with any MFA methods. This could create issues after the Azure MFA enforcement release on October 15, 2024, when accessing the Azure Portal, Entra Portal, and Intune portals over web sessions. This enforcement will not affect Office 365 services like Microsoft Teams, Outlook, and SharePoint.
Regarding this new announcement, I’d like to provide some additional details: Microsoft is making MFA enforcement mandatory for the Azure Portal, Entra Portal and Intune portal when accessing these Azure services. The Azure MFA enforcement will be rolled out in phases, with Phase 1 starting on October 15, 2024. This phase will make MFA mandatory for all users in the tenant when logging in via web browsers to the Azure Portal, Entra Portal, and Intune Portal.
Please see below for an explanation of the mandatory multifactor authentication (MFA) for Azure and other administration portals, how it will impact user sign-ins to these portals, and the channels through which you will be notified about this change.
Notification Channels:
Microsoft will notify all Microsoft Entra Global Administrators through the following channels:
Email: Global administrators who have configured an email address will be informed by email of the upcoming MFA enforcement and the actions required to be prepared.
Service health notification: Global Administrators will receive a service health notification through the Azure portal, with the tracking ID of 4V20-VX0. This notification will contain the same information as the email.
Portal notification: Global Administrators will see a notification in the Azure portal, Entra admin center and Intune admin center at login. The portal notification links to this page for more information about MFA.
Microsoft 365 message center: Global Administrators will also see a message in the Microsoft 365 message center with the same information as the email and service health notification.
Enforcement Phases:
Phase 1: Starting on October 15, 2024, enforcement for MFA at sign-in for the Azure portal, Entra portal and Intune portal will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools. This phase is expected to last until March 2025.
Phase 2: Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.
Scope of enforcement:
All users signing into the Azure portal, Azure CLI, Azure PowerShell and IaC tools, such as Azure Developer CLI, Bicep, Terraform and Ansible to perform any CRUD (Create, Read, Update, Delete) operation will require MFA when the enforcement begins. End users who are accessing apps, websites or services hosted on Azure, but not signing into the Azure portal, CLI or PowerShell, are not subject to this requirement from Microsoft. Authentication requirements for end users will still be controlled by the app, website or service owners.
Workload Identities, such as managed identities and service principals, will not be impacted by this enforcement. If you are leveraging user identities as a service account running automation (including scripts or other automated tasks), those will be required to use MFA once enforcement begins.
Implementation:
This MFA requirement will be implemented in addition to any existing access policies in your tenant. For instance:
- If you’ve retained Microsoft’s security defaults and have them enabled, your users will see no change in behavior since MFA is already required for Azure management.
- If you’re using Conditional Access policies in Microsoft Entra and have a policy requiring MFA for Azure sign-ins, your users will not experience any changes.
- If you have more restrictive Conditional Access policies requiring stronger authentication (e.g., phishing-resistant MFA), those policies will continue to be enforced without changes.
Enabling MFA:
The enforcement will roll out to all tenants starting on October 15, 2024, as part of Phase 1. However, before this enforcement is applied, ensure that nothing breaks for users in your tenant. Identify any users who are accessing the Azure Portal, Intune portal, or Entra portal without MFA and inform them in advance to register for an available MFA method. All supported MFA methods are available for you to use and there are no changes to the authentication method features as part of this requirement.
Identifying Users Signing into Azure with and without MFA:
- Use this PowerShell command to export a list of users and their authentication methods: https://aka.ms/AzMFA
- Use the Multifactor Authentication Gaps workbook: Multifactor Authentication Gaps workbook - Microsoft Entra ID | Microsoft Learn
Use these App IDs in your queries:
- Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
- Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
- Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2
- Azure mobile app: 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa
Postponing Enforcement:
If you need more time to identify and prepare your users, you can postpone the enforcement date until March 15, 2025.
To do this:
- Go to https://aka.ms/managemfaforazure, log in as a global administrator, and click "Postpone enforcement."
- Confirm by clicking "Postpone" on the confirmation page.
- You should now see the new enforcement date (March 15, 2025) on the grace period page.
Common Questions:
Q: Which Azure services will require MFA?
- A: This release applies the policy to the Azure Portal, Intune Portal, and Entra Portal. All sign-ins via web browsers will require MFA.
Q: When will other Azure services be locked down?
- A: Azure CLI, PowerShell, and Terraform will require MFA starting in early 2025, with rollout dates yet to be determined.
Q: What if MFA is already enabled?
- A: If you’re already requiring MFA for users accessing the Azure Portal, there will be no change in experience. If only a subset of users is required to use MFA, those not using MFA will now need to do so when signing in to the Azure Portal.
Additional Resources: For more information, please refer to the following articles and YouTube video:
Planning for mandatory multifactor authentication for Azure and other administration portals
What the Required MFA announcement really means. on YouTube (3rd party resource).
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
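The following is an added example, not part of the original answer and not Microsoft's script: it applies the App IDs listed above to exported sign-in records and reports which users completed a successful sign-in to an in-scope client with only a single factor. It assumes the records use the Microsoft Graph signIn field names `appId`, `userPrincipalName`, `authenticationRequirement` and `status.errorCode`; the function name, helper and sample records are constructed for illustration.

```python
from collections import defaultdict

# App IDs listed in the answer above.
AZURE_ADMIN_APPS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": "Azure portal",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
    "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa": "Azure mobile app",
}

def single_factor_admin_signins(records):
    """Return {upn: {app name: count}} for successful single-factor sign-ins."""
    gaps = defaultdict(lambda: defaultdict(int))
    for rec in records:
        app = AZURE_ADMIN_APPS.get(str(rec.get("appId", "")).lower())
        if app is None:
            continue  # not one of the in-scope clients
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed or interrupted sign-in: no access was granted
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue  # MFA was already required for this sign-in
        upn = str(rec.get("userPrincipalName", "")).lower()
        gaps[upn][app] += 1
    return {upn: dict(apps) for upn, apps in gaps.items()}

def _rec(upn, app_id, requirement, error_code=0):
    # Builds a constructed record with the assumed export field names.
    return {"userPrincipalName": upn, "appId": app_id,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}

PORTAL = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"
CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"

# Constructed sample data; users, tenant and the non-Azure app ID are made up.
SAMPLE = [
    _rec("alice@contoso.example", PORTAL, SF),
    _rec("Alice@contoso.example", PORTAL.upper(), SF),   # same user, mixed case
    _rec("alice@contoso.example", CLI, SF),
    _rec("bob@contoso.example", PORTAL, MF),             # already using MFA
    _rec("carol@contoso.example", PORTAL, SF, error_code=50126),  # failed sign-in
    _rec("dave@contoso.example", "00000000-0000-0000-0000-000000000000", SF),
]

if __name__ == "__main__":
    for upn, apps in sorted(single_factor_admin_signins(SAMPLE).items()):
        print(upn, apps)
```

Users returned by the function are the ones to contact about registering an MFA method before enforcement reaches the tenant.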