Microsoft Now Requiring MFA


Microsoft is now requiring MFA… are you prepared to change how you log in?

As Microsoft gears up to enforce mandatory Multi-Factor Authentication (MFA) this October, many organizations are bracing for the transition. This pivotal change is set to bolster security, but it also brings with it a wave of questions and challenges. 

If you’re wondering how to navigate this shift effectively, you’re not alone.

What Is Multi-Factor Authentication (MFA)?

Microsoft describes Multi-Factor Authentication simply with the phrase “prove it’s you with two.” A user must provide at least two of the following methods of verification: something you know, something you have, or something you are.

  • “Something you know” refers to passwords and security questions
  • “Something you have” refers to a cell phone for SMS, a phone line to receive a call, an authenticator app, an email account, etc.
  • “Something you are” refers to face ID, fingerprint scans, and the like.
 

Identity verification in this format is becoming a baseline standard for cybersecurity across all digital platforms. 

As you’ve likely noticed, most apps and online accounts now require MFA. It has become an industry standard because it greatly reduces risk for users and organizations.


Is MFA Really That Important?

The breadth of protection from this relatively simple security measure cannot be overstated. MFA mitigates: 

  • Brute-force attacks
  • Phishing
  • Other common hacking methods

With MFA, one compromised password no longer leads to immediate catastrophe. Even if a password is guessed correctly, a hacker or malware is still forced to bypass the second method of identity verification.

Consider these facts:

  • 31% of all cyberattacks target businesses with 250 or fewer employees (CRC Group)
  • Microsoft reports over 300 million fraudulent sign-in attempts to their cloud services daily
  • Implementing MFA can make you 99% less likely to get hacked, according to Microsoft

So, even if your business is just you, MFA is a must-do.

How Is Microsoft Requiring MFA?


In response to growing cyberattacks, Microsoft launched their “Secure Future Initiative” in November of 2023. This is essentially a prolonged plan to increase security measures.

One of the pillars of this initiative aims to “protect identities and secrets”, and Multi-Factor Authentication is a central part of it. There are two phases of Microsoft requiring MFA: [quoted from Microsoft directly]

  • Phase 1: As of October 15, 2024, Azure Portal, Microsoft Entra ID Admin Center, and Intune Admin Center will require Multi-Factor Authentication for all logins. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as Azure Command Line Interface, Azure PowerShell, Azure mobile app and Infrastructure as Code (IaC) tools.
  • Phase 2: Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.

Important Update on MFA Enforcement

Microsoft has recently clarified that MFA will be required for:

  • Azure Portal, Microsoft Entra ID Admin Center, and Intune Admin Center
 

This means that any service or admin accounts previously excluded from MFA will need to configure it. You can postpone the enforcement to March 15, 2025, but the application must be submitted before the October date.

Once October 15th comes around, those accounts without MFA configured will be forced to enroll in MFA upon login.

If not completed correctly, this process could be disruptive to tenant management. Critical applications without a plan in place for allowing MFA uniformly may need to request more time for enforcement. 

Without properly understanding and preparing your Microsoft suite, Microsoft enforcing MFA could be greatly disruptive to your business operations. It is crucial to understand the roles of your users, who is and needs to be an administrator, and what methods of MFA should be utilized.

Emergency Accounts and MFA

As part of the MFA enforcement rollout, emergency accounts (also known as break glass accounts) will also need to be registered with MFA. Microsoft strongly recommends configuring different authentication methods for at least one of the emergency accounts in your organization.

Specifically, administrators are advised to update emergency accounts to use FIDO2 or certificate-based authentication methods. This ensures that even in critical situations, your organization maintains a high level of security while still having access to essential resources.

How Do I Implement MFA?

There are many ways to implement MFA in Microsoft environments, and you may have it configured using any of the ones listed here:

  • Per-User MFA
  • Conditional Access Policy MFA
  • Security Defaults Enforced MFA 
 

The process can be as simple as flipping a switch. However, it’s crucial to consider the implications for different types of accounts:

  • Regular user accounts
  • Service accounts
  • Emergency admin accounts
 

Tailoring MFA methods based on user roles, security groups, and privileges is essential.

For example, employees with access to high-risk information might use a sophisticated MFA app with more stringent authentication intervals, while service accounts could use a more universally accessible format such as a third-party software One-Time Password (OTP).

Keeping Your MFA Methods Up to Date

As Microsoft enforces MFA across its platforms, it’s crucial to ensure that your MFA methods are current and accessible. Here are some key points to remember:

  1. Regularly review and update your MFA methods: Set a schedule to check and update your MFA methods, especially for critical accounts.
  2. Maintain access to your primary MFA method: If you lose access to your primary MFA method (e.g., you change phone numbers or lose your authenticator device), you may be locked out of your tenant. Always keep your MFA information current.
  3. Set up backup MFA methods: Where possible, configure multiple MFA methods. This provides a fallback option if your primary method becomes unavailable.
  4. Educate your team: Ensure all users understand the importance of maintaining their MFA methods and know how to update them.
  5. Plan for device upgrades: When upgrading phones or other devices used for MFA, make sure to transfer or reconfigure your MFA settings.

 

Remember, if you don’t have access to your primary MFA method when Microsoft enforces the new requirements, you won’t be able to log into your tenants. Stay proactive and keep your authentication methods up to date to avoid any disruption to your business operations.
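One way to check readiness before enforcement, as an added example (not code from this article or from Microsoft): the script below reviews an export of per-user registration records and flags admin accounts with no MFA registered, with only one usable method, or emergency accounts without FIDO2. The field names are assumed to follow the Microsoft Graph userRegistrationDetails report, the accounts are constructed sample data, and `emergency_upns` is a hypothetical parameter for listing your break glass accounts.

```python
import json

# Constructed sample shaped like Microsoft Graph userRegistrationDetails records
# (field names assumed from that report; the accounts are made up).
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "svc-backup@contoso.example", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "breakglass1@contoso.example", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]})

# Assumption: methods counted as usable second factors at sign-in; email and
# security questions are left out. Adjust to your tenant's method policy.
MFA_METHODS = {"mobilePhone", "microsoftAuthenticatorPush",
               "softwareOneTimePasscode", "hardwareOneTimePasscode",
               "fido2SecurityKey", "windowsHelloForBusiness"}

def audit(export_json, emergency_upns=frozenset()):
    """Return {upn: [findings]} for admin accounts needing attention."""
    findings = {}
    for rec in json.loads(export_json).get("value", []):
        upn = rec.get("userPrincipalName", "<unknown>")
        if not rec.get("isAdmin"):
            continue  # scope assumption: only accounts flagged as admins are reviewed
        usable = MFA_METHODS & set(rec.get("methodsRegistered") or [])
        issues = []
        if not rec.get("isMfaRegistered") or not usable:
            issues.append("no MFA registered: will be forced to enroll at sign-in")
        elif len(usable) == 1:
            issues.append("single MFA method: no backup if it is lost")
        # Only FIDO2 is checked here; certificate-based authentication is not examined.
        if upn.lower() in emergency_upns and "fido2SecurityKey" not in usable:
            issues.append("emergency account without FIDO2")
        if issues:
            findings[upn] = issues
    return findings

if __name__ == "__main__":
    for upn, issues in audit(SAMPLE_EXPORT, {"breakglass1@contoso.example"}).items():
        print(upn, "->", "; ".join(issues))
```

Pass the emergency account names in lowercase, since the comparison lowercases each record's UPN before matching.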


What to Do If You're Locked Out Due to MFA Issues

Despite best efforts, you might find yourself in a situation where you’ve lost access to your MFA method and are locked out of your Microsoft environment. Here’s what you can do:

  1. Use Backup MFA Methods: If you’ve set up multiple MFA methods (as recommended), try using your backup method to gain access.
  2. Self-Service Password Reset (SSPR): If your organization has enabled SSPR, you may be able to reset your password and reconfigure your MFA method. Visit the Microsoft account recovery page to start this process.
  3. Contact Your IT Department or Microsoft 365 Administrator: If you’re unable to regain access through self-service methods, reach out to your organization’s IT support or Microsoft 365 administrator. They can:
    • Temporarily disable MFA for your account
    • Reset your MFA settings
    • Provide a temporary access pass
  4. Use Emergency Access Accounts: If you’re an administrator and have set up emergency access or “break glass” accounts, use these to regain access to your environment. Remember, these accounts should be carefully secured and their use should be strictly monitored.
  5. Contact Microsoft Support: If none of the above options work, you may need to contact Microsoft Support directly. Be prepared to verify your identity through alternative means.
  6. Prevent Future Lockouts: Once you regain access, immediately set up multiple MFA methods and keep them updated to prevent future lockouts.

 

Remember, prevention is always better than cure. Regularly updating your MFA methods and having backup options can save you from the stress and potential business disruption of being locked out of your account.

Is MFA Enough to Keep My Business Safe?

Multi-Factor Authentication is a great place to start, but there are other measures you can implement to improve your organization’s security. Microsoft offers many security features that you might not be aware of. In fact, our experience working with other MSPs revealed that only 40% of service providers fully secure their Microsoft suites.


Transitioning to mandatory MFA doesn’t have to be a daunting task. With 917 Solutions, you gain a partner who not only helps you meet the new requirements but also enhances your overall security posture. Our approach includes:

In-Depth Security Assessments:

We start with a thorough evaluation of your current security posture. This helps us identify potential vulnerabilities and areas where additional protection is needed. Our goal is to ensure that no critical aspects of your security are overlooked.

Custom Security Strategies:

Every organization’s needs are unique. We tailor our security strategies to leverage the full suite of Azure’s security features. Often, these tools are underutilized or neglected, but with our expertise, you’ll get the most out of them. From advanced threat protection to identity and access management, we ensure you are using Azure’s capabilities to their fullest potential.

Ongoing Optimization and Support:

Implementing MFA is just the beginning. Cyber threats evolve, and so should your security measures. We provide continuous monitoring and optimization to adapt to new threats and ensure that your security infrastructure remains robust and effective.

Don’t wait until October to act. Now is the time to start planning and implementing your MFA strategy. Contact 917 Solutions today to learn more about how we can support your transition and optimize your Azure security. 

Ready to secure your Microsoft 365? Reach out to 917 Solutions for a consultation and let us help you stay ahead of the curve. 
