User accounts used as service accounts are a thing of the past: prioritize managed identities or service principals.
At Microsoft, this recommendation is not new, but some occasions bring it back into the spotlight. One of them is the imminent launch of Phase 2 of the program to generalize the use of MFA across Azure.
Phase 1 began in October 2024 and will end on September 30, 2025. MFA will then be required for all accounts that connect to the Azure portal, the Entra admin center, and the Intune admin center to perform any CRUD operations (create, update, delete). It will also be required in the Microsoft 365 admin center, where deployment started later (February 2025).
Customers with “complex environments” and/or facing “technical barriers” had the option to defer the deadline, making September 30, 2025 the final date.
MFA, from PowerShell to Terraform
The same tolerance will apply to Phase 2. Initially slated to begin in early 2025, it will actually start on October 1. Ultimately, MFA will be mandatory for accounts that connect to Azure via the CLI, PowerShell, the mobile app, IaC tools, the SDKs or API endpoints, again for CRUD operations.
Admins can defer the deadline in three-month increments, up to July 2026. To avoid compatibility issues, they should make sure they run sufficiently recent versions of the CLI (at least 2.76, i.e., the current version) and of PowerShell (at least 14.3, likewise the current version).
The MFA requirement covers automations that operate using user accounts — hence the recommendation to migrate to workload identities, which are not affected.
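One way to inventory the automations this affects, as an added example that is not from the article or from Microsoft: the Python below scans user sign-in records (Microsoft Graph signIn field names) for accounts that reach the Azure CLI or Azure PowerShell with a single factor only. The client display names, the helper names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: display names the Phase 2 clients carry in the sign-in log.
PHASE2_CLIENTS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}

def at_risk_accounts(signins, clients=PHASE2_CLIENTS):
    """Group successful single-factor user sign-ins to Phase 2 clients by UPN."""
    found = defaultdict(lambda: {"apps": set(), "count": 0, "non_interactive": 0})
    for s in signins:
        if s.get("appDisplayName") not in clients:
            continue  # not a client covered by Phase 2
        if s.get("authenticationRequirement") != "singleFactorAuthentication":
            continue  # MFA was already required for this sign-in
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            continue  # failed sign-in, no working automation behind it
        entry = found[s["userPrincipalName"].lower()]
        entry["apps"].add(s["appDisplayName"])
        entry["count"] += 1
        entry["non_interactive"] += 0 if s.get("isInteractive") else 1
    return dict(found)

def _rec(upn, app, requirement, interactive, error=0):
    # Hypothetical helper: builds one constructed record with signIn field names.
    return {"userPrincipalName": upn, "appDisplayName": app,
            "authenticationRequirement": requirement,
            "isInteractive": interactive, "status": {"errorCode": error}}

SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"
SAMPLE_SIGNINS = [  # constructed sample, not real tenant data
    _rec("svc-terraform@contoso.example", "Microsoft Azure CLI", SF, False),
    _rec("SVC-Terraform@contoso.example", "Microsoft Azure CLI", SF, False),
    _rec("alice@contoso.example", "Microsoft Azure PowerShell", MF, True),
    _rec("svc-backup@contoso.example", "Microsoft Azure PowerShell", SF, False),
    _rec("bob@contoso.example", "Microsoft Azure CLI", SF, True, error=50126),
    _rec("svc-terraform@contoso.example", "Example Line-of-Business App", SF, False),
]

if __name__ == "__main__":
    for upn, info in sorted(at_risk_accounts(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {info['count']} single-factor sign-ins via "
              f"{', '.join(sorted(info['apps']))} "
              f"({info['non_interactive']} non-interactive)")
```

Accounts with a high non-interactive count are the likeliest candidates for migration to a managed identity or service principal.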
Backup accounts must also move to MFA (Microsoft recommends authentication via passkeys or certificates). There are no exemptions for B2B guest users either.
To prepare, you can configure an access control policy that requires MFA. This feature, however, is reserved for Entra ID P1 and P2 licenses; otherwise, default security settings will be activated.
All of this applies to the public Azure cloud, not to sovereign GovCloud offerings.