If you’ve raised kids, you’re familiar with this scenario: you know, based on your life experience, that your child or grandchild should do a specific important thing. You don’t want to make them do it; you want them to understand its importance and do it on their own initiative. After some time passes, with them still not doing whatever it is, you sigh and… make them do it.

Guess what? We’re deep into that scenario now, with Microsoft as the loving but firm parent and all of us Microsoft 365 tenant admins as the recalcitrant children.

MFA Comes For Us All

I won’t recap the dismal statistics on the adoption of MFA in Microsoft’s services; there are plenty of data points showing how slow adoption has been. Although the recent trend is somewhat encouraging, it’s apparently not encouraging enough for Microsoft because, starting in February 2025, they’re going to enforce MFA for all access to the Microsoft 365 admin center—both for users and administrators. (See Message Center notification MC933540 for details.) This follows on the heels of a similar enforcement program for access to the Azure admin center, which kicked in on October 15, 2024.

This may seem like an overreach on Microsoft’s part, but the cold truth is that too many accounts are being compromised by credential theft, password sprays, and other attacks that exploit accounts that don’t have MFA configured. The best way to efficiently block these attacks is to require MFA.

Impact on Users and Administrators

If you’ve already enforced MFA for your users and administrators, then this change will have no effect, and you can stop reading this page and go pet a dog instead. For example, if your tenant was created after October 2019, and you’re configured to use the Microsoft Security Defaults, your users should already be subject to MFA and there’s nothing for you to do now.

Statistics show that most of the people reading this haven’t enforced MFA, though; if that’s you, the first thing you need to know is what impact this change will have. Simply put, starting on February 3, 2025, accounts that don’t have MFA enabled (and at least one authentication method set) won’t be able to sign in to the M365 admin center. That will stop your administrators from doing much of anything useful, plus it will prevent users from being able to download Office 365, review their sign-ins, and use the other user-facing admin center features.

Note that, as with most other Microsoft security changes, the rollout starts on February 3; it may not apply to your specific tenant on that date. Microsoft hasn’t said whether there are different rollout dates for academic or government tenants, or in different regions, but it’s common to see some date drift due to the size of the service.

This change does not yet apply to individual users, nor does it apply to accounts that access Graph or PowerShell. However, it does apply to break-glass accounts. For those accounts, Microsoft recommends setting up passkeys or certificate-based authentication (either of which is a good idea for all accounts that have elevated permissions).

Putting off the Inevitable?

As they did with Azure MFA enforcement, Microsoft will allow you to apply for a postponement of this date. Filling out that form for Azure portal access granted a 5-month postponement (from October 2024 to March 2025); Microsoft hasn’t said exactly how long the postponement will be in this case, but it probably won’t be very long. I wouldn’t count on getting a long delay, nor on being able to ask for multiple postponements.

Meeting Microsoft’s Requirements

At this point, your best bet is probably to rip off the Band-Aid and configure MFA for your tenant if you haven’t already. My preferred way to do that is via conditional access policies, so that you have more granular control over what methods and scope are acceptable for non-admin MFA, but whatever gets your admin users configured to support MFA will work. You don’t have to apply enforcement yourself, since Microsoft will do that for you. The minimum you need to do is to make sure that all your admins have at least one MFA method set up, which you can do by having them go to https://aka.ms/mfasetup.
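To find out which admins still need to visit that link, you can query the authentication methods registration report through Microsoft Graph PowerShell. The script below is an added example, not Microsoft's or the author's code. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed, that your account can consent to AuditLog.Read.All, and that your tenant has access to the registration report; the break-glass UPN and the CSV file name are constructed placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports
# Added example: list admin accounts that have no usable MFA method registered.

# Placeholder UPNs (constructed): replace with your own break-glass accounts,
# which are also subject to the admin center enforcement.
$breakGlass = @('breakglass1@contoso.example')

Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Pull registration details for every user, then keep accounts holding an admin role.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin }

$report = foreach ($a in $admins) {
    [pscustomobject]@{
        UserPrincipalName = $a.UserPrincipalName
        BreakGlass        = $breakGlass -contains $a.UserPrincipalName
        # IsMfaRegistered: the user has registered a strong method.
        MfaRegistered     = [bool]$a.IsMfaRegistered
        # IsMfaCapable: registered AND that method is allowed by tenant policy.
        MfaCapable        = [bool]$a.IsMfaCapable
        Methods           = ($a.MethodsRegistered -join ', ')
        NeedsAction       = -not ($a.IsMfaRegistered -and $a.IsMfaCapable)
    }
}

# Accounts that need attention sort to the top of the table.
$report |
    Sort-Object -Property @{ Expression = 'NeedsAction'; Descending = $true }, UserPrincipalName |
    Format-Table -AutoSize

$todo = @($report | Where-Object { $_.NeedsAction })
if ($todo.Count -gt 0) {
    Write-Warning "$($todo.Count) admin account(s) have no usable MFA method."
    # Hand this list to whoever is chasing registrations at https://aka.ms/mfasetup.
    $todo | Export-Csv -Path .\admins-without-mfa.csv -NoTypeInformation
}
else {
    Write-Host 'All admin accounts have at least one usable MFA method.'
}

# Break-glass accounts missing from the report usually mean a typo in $breakGlass.
$breakGlass | Where-Object { $_ -notin $report.UserPrincipalName } |
    ForEach-Object { Write-Warning "Break-glass account not found among admins: $_" }
```

An account that shows MfaRegistered as True but MfaCapable as False has registered a method your authentication methods policy does not allow, so fix the policy or have the admin register a different method.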

There is no word yet on whether Microsoft will require its customers to eat more vegetables, wash their hands more frequently, or get at least 8 hours of sleep a night… but stay tuned.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
