Microsoft Azure is announcing the start of Phase 2 multifactor authentication enforcement at the Azure Resource Manager layer, starting October 1, 2025.
As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical, and at Microsoft, your security is our top priority. Microsoft research shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available.
As announced in August 2024, Azure started to implement mandatory MFA for Azure Public Cloud sign-ins. By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft’s commitment to enhance security for all customers, taking one step closer to a more secure future.
As previously announced, Azure MFA enforcement was rolled out gradually in phases to provide customers with enough time to plan and execute their implementations:
- Phase 1: MFA enforcement on Azure Portal, Microsoft Entra admin center, and Intune admin center sign-ins.
- Phase 2: Gradual enforcement for MFA requirement for users performing Azure resource management operations through any client (including but not limited to: Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools).
We are proud to announce that multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025. Now, Azure is announcing the start of Phase 2 MFA enforcement at the Azure Resource Manager layer, starting October 1, 2025. Phase 2 enforcement will be gradually applied across Azure tenants through Azure Policy, following Microsoft safe deployment practices.
Starting this week, Microsoft sent notices to all Microsoft Entra Global Administrators by email and through Azure Service Health notifications to notify the start date of enforcement and how to prepare for upcoming MFA enforcement.
Customer impact
Users will be required to authenticate with MFA before performing resource management operations. Workload identities, such as managed identities and service principals, aren’t impacted by either phase of this MFA enforcement.
Learn more about the scope of enforcement.
How to prepare
1. Enable MFA for your users
To ensure your users can perform resource management actions, enable MFA for your users by October 1, 2025. To identify which users in your environment are set up for mandatory MFA, follow these steps.
2. Understand potential impact
To understand potential impact ahead of Phase 2 enforcement, assign built-in Azure Policy definitions to block resource management operations if the user has not authenticated with MFA.
Customers can gradually apply this enforcement across different resource hierarchy scopes, resource types, or regions.
3. Update your Azure CLI and PowerShell clients
For the best compatibility experience, users in your tenant should use Azure CLI version 2.76 and Azure PowerShell version 14.3 or later.
