Microsoft Announces Changes to MFA and Authentication Management
Microsoft has announced two significant changes to how authentication is managed in Entra ID (formerly Azure Active Directory). These updates introduce stricter requirements for secure access and affect how admins configure and enforce authentication policies.
Here’s a breakdown of what’s changing, when it takes effect, and the steps your team should take to stay compliant and secure.
Mandatory MFA for all Azure sign-in attempts
What’s changing?
Beginning 1st September 2025, all logins to several key Azure and Microsoft services will require the use of Multi-Factor Authentication, unless a stronger method such as passwordless or passkey (FIDO2) is in use. This requirement applies to the following applications:
- Azure Portal
- Entra admin center
- Intune admin center
- Azure command-line interface (Azure CLI)
- Azure PowerShell
- Azure mobile app
- Infrastructure as Code (IaC) tools (e.g., Terraform, Bicep, ARM)
- REST API * (Control Plane – for Create, Update, or Delete operations)
- Azure SDK
* Note: Read-only operations remain unaffected
What does this mean?
New and existing users and accounts, including break-glass accounts, that aren’t using MFA will be unable to access the above applications without first setting it up.
Scripts or tools using older authentication methods without MFA, such as Resource Owner Password Credentials (ROPC) or client secret-only authentication, will fail when attempting write operations.
What should you do?
To prepare:
- Audit all accounts, automation scripts, pipelines, and tooling for compatibility with MFA
- Update them to use modern authentication options, such as managed identities or federated credentials
- Review and refine Conditional Access policies to ensure alignment with the new requirements
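As a starting point for the audit step above, the following added example (not Microsoft or Ekco code) scans script text for the sign-in styles this article says will fail: ROPC and password or client-secret logins in Azure CLI and Azure PowerShell. The regex heuristics, function names and sample files are assumptions constructed for illustration.

```python
import re

def classify(line: str):
    """Return a finding label for one script line, or None (heuristics, not exhaustive)."""
    low = line.lower()
    # Raw OAuth2 ROPC token request, form-encoded or as a dict/JSON key.
    if re.search(r"grant_type['\"]?\s*[=:]\s*['\"]?password", low):
        return "ROPC token request (grant_type=password)"
    # MSAL username/password helpers (Python and .NET spellings).
    if re.search(r"acquire_?token_?by_?username_?password", low):
        return "ROPC via MSAL username/password call"
    if re.search(r"\baz\s+login\b", low):
        has_password = re.search(r"\s(-p|--password)\b", low)
        if has_password and "--service-principal" in low:
            return "client secret sign-in (az login --service-principal -p)"
        if has_password and re.search(r"\s(-u|--username)\b", low):
            return "user password sign-in (az login -u/-p)"
    if "connect-azaccount" in low and re.search(r"\s-credential\b", low):
        if "-serviceprincipal" in low:
            return "client secret sign-in (Connect-AzAccount -ServicePrincipal)"
        return "user credential sign-in (Connect-AzAccount -Credential)"
    return None  # e.g. managed identity or federated token logins

def scan_sources(sources: dict) -> list:
    """Scan {filename: text} and return (filename, line number, label) tuples."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            label = classify(line)
            if label:
                findings.append((name, lineno, label))
    return findings

# Constructed sample scripts; in practice, read the files from your repositories.
SAMPLES = {
    "deploy.sh": 'az login -u "$AZ_USER" -p "$AZ_PASS"\naz group create -n demo -l westeurope\n',
    "token.py": 'data = {"grant_type": "password", "username": user, "password": pw}\n',
    "nightly.ps1": "Connect-AzAccount -Credential $cred\n",
    "pipeline.sh": 'az login --service-principal -u "$APP_ID" -p "$SECRET" --tenant "$TENANT"\n',
    "runner.sh": "az login --identity\n",
    "oidc.sh": 'az login --service-principal -u "$APP_ID" --tenant "$TENANT" --federated-token "$TOKEN"\n',
}

if __name__ == "__main__":
    for name, lineno, label in scan_sources(SAMPLES):
        print(f"{name}:{lineno}: {label}")
```

A text scan only finds credentials passed on the command line or in code; cross-check the results against Entra sign-in logs before changing pipelines.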
Learn more:
Conditional Access MFA Policy Guide
Plan for mandatory Microsoft Entra multifactor authentication (MFA)
Deprecation of Legacy MFA and SSPR Policies
What’s changing?
Starting on 30th September 2025, the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies will be retired. After this date, you will no longer be able to manage authentication methods such as SMS or the Microsoft Authenticator app through these legacy configurations.
What should you do?
Microsoft recommends migrating to the modern Authentication methods policy in Entra ID, which provides a unified and more granular approach to managing authentication. With this newer framework, you can centrally define which methods are allowed, for which users, and under what conditions.
Important: There is no automatic migration. You’ll need to transition manually.
Learn more:
Authentication Methods Policy Documentation
How Can Ekco Support You?
These changes will apply to all accounts accessing the above applications, and action should be taken to ensure continuity of existing workloads and processes.
If you’re unsure about your current configuration or need help transitioning to the new policies, Ekco is here to help. Our team can support you with assessments, policy migration, and automation updates to ensure you remain secure and compliant.
Need help? Reach out to your Ekco Account Manager or contact us for tailored guidance.
