Multi-Factor Authentication (MFA) is Required by Microsoft for Azure Users
Microsoft has recently announced a significant security update in their latest blog post, “Microsoft will require MFA for all users in Azure”. While the article touches on the changes, it doesn’t fully dive into the specifics or the broader impact on users. In this post, we will draw on additional sources to give an overall understanding of the upcoming changes, who will be affected, and the reasons behind this new requirement.
![MFA](https://ellipsesolutions.com/wp-content/uploads/2024/07/Blog-Post-Template-3-45-1024x538.png)
What is MFA?
Multi-factor authentication is a security method that requires users to provide two or more pieces of evidence of their identity before gaining access to a service or resource. Microsoft states that 99.9% of Azure compromises happen when accounts do not use MFA.
MFA combines two or more factors from the categories “something you know”, “something you have” and “something you are”. “Something you know” is a username and password. “Something you have” is a device such as a laptop with a TPM chip, your phone receiving a text message or running the Authenticator app, or a hardware token. “Something you are” could be a fingerprint or Face ID.
What is Changing?
Users accessing Azure administrative functions such as the portal, CLI, PowerShell, or a deployment tool such as Terraform will be required to have MFA enabled and to pass an MFA check before accessing resources and performing activities. Users who are just consuming a resource hosted on Azure are not affected. For example: if a user deploys an app to Azure, MFA will be required. If a user uses that app, MFA will not be required (but it may still be a good idea to implement).
This affects user accounts and guest accounts that have access to your Azure tenant. Think humans logging into Azure, not service principals. If you are using a user account to run services or automation in Azure, you will want to move them over to managed identities or service principals before this changeover.
What are Managed Identities and Service Principals?
Service principals are security objects within a Microsoft Azure application. They define what an application can do in each tenant. Think of it as having the application authenticate itself instead of using a user’s credentials. These are great in Power Automate flows.
Managed identities are more like the classic service account. You can create a user-assigned managed identity that is shared by multiple Azure resources. You can give this identity roles and permissions and then have it run your services. You can also use system-assigned managed identities for things like a VM or Azure Function, where Azure handles all of the authentication and you just give it permissions.
Both service principals and managed identities can be managed from within your Azure DevOps environments.
What about my Existing Conditional Access Policies?
The new Azure MFA requirement is cumulative with existing Conditional Access or security default policies. If you have a policy that says a user can access Azure resources only from a company-owned device while on the company IP address, they will still be required to satisfy those conditions, but will also have to complete an MFA prompt.
All existing MFA providers will continue to work; if you are using Duo, you can still use Duo.
What about the Break Glass Account?
Traditionally, Microsoft heavily encouraged having a break glass account for a Global Admin that is not required to have MFA; however, they changed this a couple of years ago. The guidance now is to have a separate MFA policy just for this account. The example they give: if your company uses the Microsoft Authenticator app for all MFA, use a hardware token locked in a safe for your break glass account. This ensures that if something goes wrong with the Authenticator app, you will still have access to the break glass account.
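To see how the Conditional Access and break glass guidance above fit together, here is an added example (not from the original post or from Microsoft) that creates a Conditional Access policy requiring MFA for the Azure management endpoints in report-only mode, while excluding one break glass account so it can keep its own hardware-token policy. It assumes the Microsoft.Graph PowerShell module is installed, that you hold a role allowed to write Conditional Access policies, and that you replace the placeholder object ID with your own break glass account.

```powershell
# Added example, not part of the original post. Creates a report-only Conditional Access
# policy that requires MFA for Azure management (portal, CLI, PowerShell, Terraform/ARM)
# and excludes a single break glass account, which should get its own separate MFA policy.

# Sign in with the scopes needed to read and write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of your break glass account (assumption).
$breakGlassObjectId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Well-known app ID of "Windows Azure Service Management API". The portal, Azure CLI,
# Az PowerShell and Terraform all authenticate against this resource.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

$policy = @{
    displayName = "Require MFA for Azure management (report-only pilot)"
    # Report-only first: review the sign-in logs for impact, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # The break glass account is excluded here and covered by its own policy.
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Run it in report-only mode for a while and check the Conditional Access sign-in log insights for user accounts that still drive automation; those are the ones to move to managed identities or service principals before enforcing the policy.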
MFA is Coming: What do I Need to do Now?
If you do not have MFA enabled in your tenant, you can reach out to your trusty Solutions Partner here at Ellipse Solutions or take a look at the Microsoft MFA wizard at https://aka.ms/EntraIDMFAWizard. Microsoft has already begun to roll this out, so don’t delay!
Additional Resources:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391
Microsoft To Require Multifactor Authentication for Azure Users — Redmondmag.com
What the Required MFA announcement really means. (youtube.com)
Use service principals & managed identities – Azure DevOps | Microsoft Learn
Require MFA for Azure management with Conditional Access – Microsoft Entra ID | Microsoft Learn