Enable multifactor authentication for your tenant by 15 October 2024

Sean Eddingfield 0 Reputation points
2024-08-19T21:44:40.7533333+00:00

Reading through the documentation, it lists additional MFA options; however, it doesn't list if the Microsoft Legacy MFA will be an accepted option for the MFA choices.

The documentation just redirects to Microsoft Entra MFA documentation, which has its own issues currently.


2 answers

  1. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-08-19T22:52:36.25+00:00

    Hi @Sean Eddingfield

    Thanks for reaching out to Microsoft Q&A.

    Legacy Azure MFA (which is Per-User MFA) is also part of Microsoft Entra MFA. So, if your users have it enabled, they will be able to meet Microsoft MFA requirements. This doc has more information about it: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates?source=recommendations

    Also, you mentioned that Entra MFA has its own issues. I just wanted to understand if you are experiencing issues with the Entra ID MFA feature or with the Entra ID MFA documentation. I'd be glad to try to understand your issue and to help you if needed.

    Thanks,

    Fabio


  2. Raja Pothuraju 7,135 Reputation points Microsoft Vendor
    2024-08-20T15:08:23.2766667+00:00

    Hello @Sean Eddingfield,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I see you’re referring to the recent announcement on MFA enforcement, specifically the planning for mandatory multifactor authentication for Azure and other administration portals by October 15, 2024. You’re wondering whether legacy MFA enforcement will still be accepted.

    As @Fabio Andrade mentioned, if MFA is enabled for user accounts through per-user MFA settings, it will comply with the new MFA enforcement, and there will be no disruption after the enforcement.

    However, I'd like to explain this further and provide an alternative approach to identifying users who might be affected by this feature.

    Azure Services Requiring MFA with the New Enforcement:

    This MFA enforcement will roll out in two phases:

    Phase 1: Starting on October 15, 2024, enforcement for MFA at sign-in for the Azure portal, Entra portal and Intune portal will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools. This phase is expected to last until March 2025.

    Phase 2: Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.

    This MFA requirement will be implemented in addition to any existing access policies in your tenant. For instance:

    • If you’ve retained Microsoft’s security defaults and have them enabled, your users will see no change in behavior since MFA is already required for Azure management.
    • If you’re using Conditional Access policies in Microsoft Entra and have a policy requiring MFA for Azure sign-ins, your users will not experience any changes.
    • If you have more restrictive Conditional Access policies requiring stronger authentication (e.g., phishing-resistant MFA), those policies will continue to be enforced without changes.

    Preparing for Enforcement:

    Before this enforcement is applied, ensure that nothing breaks for users in your tenant. Identify any users who are accessing the Azure Portal, Intune portal, or Entra portal without MFA, and inform them in advance to register for an available MFA method. All supported MFA methods are available for you to use, and there are no changes to the authentication method features as part of this requirement.

    Identifying Users Signing into Azure with and without MFA:

    Use these App IDs in your queries:

    • Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
    • Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
    • Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2
    • Azure mobile app: 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa

    Regarding Per-User (Legacy) MFA:

    If you enforced MFA through the legacy MFA portal, make sure that MFA is enabled for all users in your tenant. This ensures that after the MFA enforcement rolls out on October 15, 2024, your users will not experience any issues or disruptions when accessing the Azure Portal, Entra portal, and Intune portal. It’s important to confirm that your users are registered with any available authentication methods to complete MFA. The enforcement won’t check through which access policy MFA is enabled.

    Additional Resources: For more information, please refer to the following articles and YouTube video:

    Planning for mandatory multifactor authentication for Azure and other administration portals

    What the Required MFA announcement really means. on YouTube (3rd party resource).

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
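
One way to apply the App IDs from the answer above to an exported sign-in log, as an added example that is not part of either answer or of Microsoft's documentation. The record field names (`appId`, `userPrincipalName`, `authenticationRequirement`, `status.errorCode`) are an assumption modelled on the Entra sign-in log JSON export, and the users, the sample records and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# App IDs quoted in the answer above.
PORTAL = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"
CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
POWERSHELL = "1950a258-227b-4e31-a9cf-717495945fc2"
MOBILE = "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa"
ADMIN_APPS = {PORTAL: "Azure portal", CLI: "Azure CLI",
              POWERSHELL: "Azure PowerShell", MOBILE: "Azure mobile app"}
SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"

def _rec(upn, app_id, requirement, error_code=0):
    # Assumed record shape; adjust the keys to match your own export.
    return {"userPrincipalName": upn, "appId": app_id,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}

# Constructed sample export (not real data).
SAMPLE_EXPORT = json.dumps([
    _rec("alice@example.com", PORTAL, SF),
    _rec("alice@example.com", CLI, SF),
    _rec("bob@example.com", PORTAL, SF),
    _rec("bob@example.com", PORTAL, MF),               # bob has completed MFA here
    _rec("carol@example.com", PORTAL, SF, 50126),      # failed sign-in, ignored
    _rec("dave@example.com", "00000000-0000-0000-0000-000000000000", SF),
    _rec("Erin@example.com", POWERSHELL.upper(), SF),  # case differences
])

def users_without_mfa(records):
    """Return {user: [apps]} for admin apps the user reached only with single factor.

    A user/app pair is reported when it has at least one successful sign-in
    and none of its successful sign-ins required MFA.
    """
    seen = defaultdict(set)  # (upn, app name) -> authenticationRequirement values
    for r in records:
        app = ADMIN_APPS.get(str(r.get("appId", "")).lower())
        if app is None or (r.get("status") or {}).get("errorCode") != 0:
            continue  # not one of the listed apps, or not a successful sign-in
        upn = str(r.get("userPrincipalName", "")).lower()
        seen[(upn, app)].add(r.get("authenticationRequirement"))
    report = defaultdict(list)
    for (upn, app), requirements in sorted(seen.items()):
        if MF not in requirements:
            report[upn].append(app)
    return dict(report)

if __name__ == "__main__":
    print(json.dumps(users_without_mfa(json.loads(SAMPLE_EXPORT)), indent=2))
```

The users it reports are the ones to contact about registering an MFA method before enforcement reaches the tenant.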

