Microsoft Announces Changes to MFA and Authentication Management

Microsoft has announced two significant changes to how authentication is managed in Entra ID (formerly Azure Active Directory). These updates introduce stricter requirements for secure access and affect how admins configure and enforce authentication policies.

Here’s a breakdown of what’s changing, when it takes effect, and the steps your team should take to stay compliant and secure.

 

Mandatory MFA for all Azure sign-in attempts

What’s changing?

Beginning 1^st September 2025, all logins to several key Azure and Microsoft services will require the use of Multi-Factor Authentication, unless a stronger method such as passwordless or passkey (FIDO2) is in use. This requirement applies to the following applications:

• Azure Portal
• Entra admin center
• Intune admin center
• Azure command-line interface (Azure CLI)
• Azure PowerShell
• Azure mobile app
• Infrastructure as Code (IaC) tools (e.g., Terraform, Bicep, ARM)
• REST API * (Control Pane – for Create, Update, or Delete operations)
• Azure SDK

* Note: Read-only operations remain unaffected

 

What does this mean?

New and existing users and accounts, including  break-glass, which aren’t using MFA will be unable to access the above Applications without first setting it up.

Scripts or tools using older authentication methods without MFA, such as Resource Owner Password Credentials (ROPC) or client secret-only authentication, will fail when attempting write operations.

 

What should you do?

To prepare:

• Audit all accounts, automation scripts, pipelines, and tooling for compatibility with MFA
• Update them to use modern authentication options, such as managed identities or federated credentials
• Review and refine Conditional Access policies to ensure alignment with the new requirements

Learn more:
Conditional Access MFA Policy Guide

Plan for mandatory Microsoft Entra multifactor authentication (MFA)

 

Deprecation of Legacy MFA and SSPR Policies

What’s changing?

Starting on 30^th September 2025, the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies will be retired. After this date you will no longer be able to manage authentication methods such as SMS or the Microsoft Authenticator app through these legacy configurations.

 

What should you do?

Microsoft recommends migrating to the modern Authentication methods policy in Entra ID, which provides a unified and more granular approach to managing authentication. With this newer framework, you can centrally define which methods are allowed, for which users, and under what conditions.

Important: There is no automatic migration. You’ll need to transition manually.

Learn more:
Authentication Methods Policy Documentation

 

How Can Ekco Support You?

These changes will apply to all accounts accessing the above applications, and action should be taken to ensure continuity of existing workloads and processes.

If you’re unsure about your current configuration or need help transitioning to the new policies, Ekco is here to help. Our team can support you with assessments, policy migration, and automation updates to ensure you remain secure and compliant.

Need help? Reach out to your Ekco Account Manager or contact us for tailored guidance.