Microsoft says it has been enforcing multifactor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025.The company’s Azure MFA enforcement efforts were [announced in May 2024](https://www.bleepingcomputer.com/news/microsoft/microsoft-will-start-enforcing-azure-multi-factor-authentication-MFA-in-july-2024/) when Redmond began implementing mandatory MFA for all users signing into Azure to administer resources.One year ago, in August 2024, Microsoft also warned Entra global admins [to enable MFA for their tenants](https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/) by October 15, 2024, to ensure users don’t lose access to admin portals.After completing the rollout for Azure portal sign-ins, the company [will begin enforcing MFA](https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enforce-mfa-for-azure-resource-management-in-october/) on Azure CLI, PowerShell, SDKs, and APIs in October 2025 to protect users’ accounts against attacks.’We are proud to announce that multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025,’ Microsoft [said](https://azure.microsoft.com/en-us/blog/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025/) on Friday.’By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft’s commitment to enhance security for all customers, taking one step closer to a more secure future.’These changes follow a [November 2023 announcement](https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/) that Microsoft would soon roll out Conditional Access policies requiring MFA for all admins when signing into Microsoft admin portals (including Entra, Microsoft 365, Exchange, and Azure), for users on all cloud apps, as well as for high-risk sign-ins.As part of the same effort to boost MFA adoption, Microsoft-owned GitHub has [begun enforcing two-factor authentication (2FA)](https://www.bleepingcomputer.com/news/security/github-makes-2fa-mandatory-next-week-for-active-developers/) for all active developers starting in January 2024.A [Microsoft study](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/MFA-Microsoft-Research-Paper-update.pdf) from two years ago found that 99.99% of accounts protected by MFA successfully fend off hacking attempts and that MFA also lowers the likelihood of account compromise by 98.56%, even when attackers attempt to use stolen credentials.’Our goal is 100 percent multifactor authentication,’ former Microsoft VP of Identity Security Alex Weinert [said](https://www.microsoft.com/en-us/security/blog/2023/11/06/automatic-conditional-access-policies-in-microsoft-entra-streamline-identity-protection/) at the time. ‘Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication.’  [Picus Blue Report 2025 is Here: 2X increase in password cracking](https://hubs.li/Q03B5Kw_0)———————————————————————————————46% of environments had passwords cracked, nearly doubling from 25% last year.Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.[Get the Blue Report 2025](https://hubs.li/Q03B5Kw_0) ### Related Articles:[Microsoft to enforce MFA for Azure resource management in October](https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enforce-mfa-for-azure-resource-management-in-october/)[Storm-0501 hackers shift to ransomware attacks in the cloud](https://www.bleepingcomputer.com/news/security/storm-0501-hackers-shift-to-ransomware-attacks-in-the-cloud/)[MFA matters… But it isn’t enough on its own](https://www.bleepingcomputer.com/news/security/mfa-matters-but-it-isnt-enough-on-its-own/)[Hackers abused API to verify millions of Authy MFA phone numbers](https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/)[Threat actors try to downgrade FIDO2 MFA auth in PoisonSeed phishing attack](https://www.bleepingcomputer.com/news/security/threat-actors-try-to-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/)
Related Tags:
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 516 – Broadcasting And Content Providers
NAICS: 51 – Information
Blog: BleepingComputer
Phishing
Modify Authentication Process: Multi-Factor Authentication
Modify Authentication Process
Associated Indicators: