Microsoft recently announced changes regarding Multi-Factor Authentication (MFA) for Azure management. This has caused some confusion, so let’s break down what these changes mean and how they will impact you.
The Scope of Required MFA
The key point of Microsoft’s announcement is that MFA will now be required for all users interacting with specific Azure management tools. These tools include the Azure portal, Azure CLI, Azure PowerShell module, and Terraform when deploying to Azure. This means that if you are accessing these tools, you will need to go through MFA regardless of your role or permissions.
Who Does This Apply To?
The requirement applies to all users who are directly interacting with the Azure management tools. This includes:
- Regular Users: Anyone who uses the Azure portal, Azure CLI, PowerShell module, or Terraform for management purposes.
- Guest Users: Users from other tenants who are added as guests will also need to comply with MFA requirements. If these users have strong authentication claims from their home tenant, they may not need to perform MFA again, provided cross-tenant access settings are configured to trust those claims.
What Does This Not Apply To?
It’s important to note that this MFA requirement does not apply to services running on top of Azure. For example, if you are accessing a website, application, or service hosted on Azure, the MFA requirement is determined by the publisher of that service, not by Azure’s new policies.
Additionally, managed identities and service principals are not affected by this requirement. Managed identities, which are essentially service principals used for Azure resources, cannot perform MFA and are therefore excluded from this requirement.
Managed Identities and Service Principals
Managed identities and service principals are critical components in Azure’s security model:
- Managed Identities: These are used to provide Azure resources with an automatically managed identity in Azure Active Directory. This identity can be used to authenticate to any service that supports Azure AD authentication without managing credentials.
- Service Principals: These are used by applications to authenticate and access Azure resources. They are commonly used for automation and service-to-service communication.
While these identities are not subject to the new MFA requirements, it’s still recommended to use managed identities where possible due to their security benefits and ease of management. For service principals, additional security can be added using Azure AD’s workload identity premium features, which allow conditional access policies and identity protection.
Exceptions and Edge Cases
There are some scenarios where the new MFA requirements might need adjustments or exceptions:
- Break Glass Accounts: These are emergency accounts used to gain access when regular accounts are unavailable. Traditional guidance suggested using long passwords stored securely, but with MFA requirements, the use of hardware tokens like FIDO keys is recommended.
- Educational Institutions: Schools where students cannot use phones might face challenges with MFA. In such cases, hardware tokens can be an alternative solution.
MFA Methods
Microsoft’s new policy does not change the types of MFA methods available. The allowed methods depend on the user’s license. Common methods include:
- Authenticator App: Software tokens provided by Microsoft Authenticator or similar apps.
- Text or Voice Calls: Available with certain premium licenses, though not recommended due to security concerns.
- Passwordless Options: FIDO2 security keys and Windows Hello are strong, phishing-resistant methods.
Federated authentication and external authentication methods (e.g., Duo, RSA, Ping) are also supported, ensuring that strong authentication claims are accepted.
Enforcement and Conditional Access
The enforcement of this policy is handled by the Azure resource provider, requiring MFA for accessing the specified management tools. This enforcement is separate from any conditional access policies you may have. Conditional access policies are cumulative, meaning they will apply alongside the new MFA requirement. If your policy requires a known device or phishing-resistant MFA, those requirements will still need to be met in addition to the mandatory MFA.
Rollout Timeline and Notifications
The rollout of this requirement will begin in July 2024 and will be phased. Not all users will be impacted simultaneously; notifications will be provided through emails, portal notifications, and other official communication channels.
Microsoft is also working on tools to help administrators identify which users currently use single-factor authentication for accessing Azure management tools. This will help in planning and mitigating any disruptions.
Summary
Microsoft’s new MFA requirement is a significant step towards enhancing security for Azure management. By requiring strong authentication for access to critical management tools, they aim to reduce the risk of unauthorized access. While this might require some adjustments, especially in edge cases, the overall impact is a more secure Azure environment.
For most users, this means ensuring their MFA methods are set up and functioning correctly. Administrators should review their current authentication practices and prepare for the changes by July 2024. The key takeaway is that while this requirement adds a layer of security, it does not change the existing methods of MFA or disrupt the way conditional access policies function.