MFA for Microsoft Entra user accounts employed as service accounts

Sonal Singh 0 Reputation points
2025-01-07T07:38:25.11+00:00

We have several Azure user-based service accounts that manage both Active Directory (outside azure) and Azure resources. In this case, enforcing MFA for these accounts is not feasible, and migrating them to a managed identity or service principal is not an option, as these alternatives do not provide access to AD. Additionally, these accounts do not perform interactive sign-ins. With the mandatory MFA rollout set for 15th March, these accounts will be prompted for MFA once enforcement begins. What measures can be implemented to safeguard these accounts and ensure their continued functionality during the mandatory MFA rollout?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,836 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 34,936 Reputation points
    2025-01-07T07:46:04.5866667+00:00

    Hi @Sonal Singh

    You can edit the conditional access which apply the MFA on all user accounts in order to exclude these service accounts:

    Select excluded users pane in Conditional Access

    For more information please refer to the following link:

    Users excluded from Conditional Access policies


    Please don't forget to accept helpful answer



  2. Raja Pothuraju 10,760 Reputation points Microsoft Vendor
    2025-01-08T04:12:44.8+00:00

    Hello @Sonal Singh,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you're referring to the announcement about MFA enforcement, specifically the mandatory multifactor authentication for Azure and other administration portals. You wanted to know whether user-based Azure service accounts are sufficient for running automation scripts for AD and Azure resources under the new MFA enforcement, or if additional actions are required.

    To clarify, this MFA enforcement applies only to users signing into the Azure portal , Azure CLI , Azure PowerShell and IaC tools, such as Azure Developer CLI , Bicep , Terraform and Ansible to perform any CRUD (Create, Read, Update, Delete) operation will require MFA when the enforcement begins. End users who are accessing apps, websites or services hosted on Azure, but not signing into the Azure portal, CLI or PowerShell, are not subject to this requirement from Microsoft. Authentication requirements for end users will still be controlled by the app, website or service owners.

    User's image

    For more details, refer to the official documentation: Mandatory Multifactor Authentication in Azure

    If your user-based service account is not used to connect to any of the mentioned applications, then the mandatory MFA enforcement will not impact its functionality.

    Note: This mandatory MFA enforcement does not create a Conditional Access (CA) policy in the Azure portal. Mandatory MFA, managed by Microsoft, operates at the application level from the backend, which is different from Microsoft-managed CA policies.

    To summarize: If your user-based service account does not directly authenticate with the listed applications, the mandatory MFA enforcement will have no effect.

    To confirm this, you can perform a small test:

    1. Create a test Conditional Access policy including the service accounts in question.
    2. Target the "Microsoft Admin Portals" under resources.
    3. Require MFA as part of the policy.

    After implementing the policy, observe the behavior:

    • If the functionality breaks, it indicates that the mandatory MFA enforcement could have an impact.
    • If the functionality remains unaffected, you can be assured that the mandatory MFA enforcement will not interfere.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.