If you’ve raised kids, you’re familiar with this scenario: you know, based on your life experience, that your child or grandchild should do a specific important thing. You don’t want to make them do it; you want them to understand its importance and do it on their own initiative. After some time passes, with them still not doing whatever it is, you sigh and… make them do it.
Guess what? We’re deep into that scenario now, with Microsoft as the loving but firm parent and all of us Microsoft 365 tenant admins as the recalcitrant children.
MFA Comes For Us All
I won’t recap the dismal statistics on the adoption of MFA in Microsoft’s services; there are plenty of data points showing how slow adoption has been. Although the recent trend is somewhat encouraging, it’s apparently not encouraging enough for Microsoft because, starting in February 2025, they’re going to enforce MFA for all access to the Microsoft 365 admin center—both for users and administrators. (See Message Center notification MC933540 for details). This follows on the heels of a similar enforcement program for access to the Azure admin center, which kicked in on October 15, 2024.
This may seem like an overreach on Microsoft’s part, but the cold truth is that too many accounts are being compromised by credential theft, password sprays, and other attacks that exploit accounts that don’t have MFA configured. The best way to efficiently block these attacks is to require MFA.
Impact on Users and Administrators
If you’ve already enforced MFA for your users and administrators, then this change will have no effect, and you can stop reading this page and go pet a dog instead. For example, if your tenant was created after October 2019, and you’re configured to use the Microsoft Security Defaults, your users should already be subject to MFA and there’s nothing for you to do now.
Statistics show that most of the people reading this haven’t enforced MFA, though; if that’s you, the first thing you need to know is what impact this change will have. Simply put, starting on February 3, 2025, accounts that don’t have MFA enabled (and at least one authentication method set) won’t be able to sign in to the M365 admin center. That will stop your administrators from doing much of anything useful, plus it will prevent users from being able to download Office 365, review their sign-ins, and use the other user-facing admin center features.
Note that, as with most other Microsoft security changes, the rollout starts on February 3; it may not apply to your specific tenant on that date. Microsoft hasn’t said whether there are different rollout dates for academic or government tenants, or in different regions, but it’s common to see some date drift due to the size of the service.
This change does not yet apply to individual users, nor does it apply to accounts that access Graph or PowerShell. However, it does apply to break-glass accounts. For those accounts, Microsoft recommends setting up passkeys or certificate-based authentication (either of which is a good idea for all accounts that have elevated permissions).
Putting off the Inevitable?
As they did with Azure MFA enforcement, Microsoft will allow you to apply for a postponement of this date. Filling out that form for Azure portal access granted a 5-month postponement (from October 2024 to March 2025); Microsoft hasn’t said exactly how long the postponement will be in this case but it probably won’t be very long. I wouldn’t count on getting a long delay, nor on being able to ask for multiple postponements.
Meeting Microsoft’s Requirements
At this point, your best bet is probably to rip off the Band-Aid and configure MFA for your tenant if you haven’t already. My preferred way to do that is via conditional access policies, so that you have more granular control over what methods and scope are acceptable for non-admin MFA, but whatever gets your admin users configured to support MFA will work. You don’t have to apply enforcement yourself, since Microsoft will do that for you. The minimum you need to do is to make sure that all your admins have at least one MFA method set up, which you can do by having them go to https://aka.ms/mfasetup.
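As an added example (not code from the original post or from Microsoft), this Microsoft Graph PowerShell script does both of the things just described: it lists admin accounts with no registered MFA method, and it creates a conditional access policy requiring MFA for the Microsoft admin portals in report-only mode so you can review sign-in impact before enforcing. It assumes the Microsoft.Graph PowerShell SDK is installed and you sign in with an account allowed to read registration reports and write conditional access policies.

```powershell
# Added example: audit admins without MFA and stage a report-only CA policy.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "AuditLog.Read.All",
                        "UserAuthenticationMethod.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

# 1. Which admins have no MFA method registered? These are the accounts that
#    will be blocked from the admin center once enforcement reaches the tenant.
$noMfaAdmins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }

if ($noMfaAdmins) {
    Write-Host "Admins with no MFA method registered (send them to https://aka.ms/mfasetup):"
    $noMfaAdmins | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize
} else {
    Write-Host "All admin accounts have at least one MFA method registered."
}

# 2. Conditional access policy: require MFA for all users reaching the
#    Microsoft admin portals. Created in report-only mode; switch state to
#    "enabled" only after reviewing the report-only results in the sign-in logs.
$policy = @{
    displayName   = "Require MFA for Microsoft admin portals (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        # "MicrosoftAdminPortals" is the built-in target covering the admin centers.
        applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)."
```

Review the report-only outcomes for a week or so (the admin-portal sign-ins will show whether the policy would have satisfied or blocked each user) before changing the state to enabled.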
There is no word yet on whether Microsoft will require its customers to eat more vegetables, wash their hands more frequently, or get at least 8 hours of sleep a night… but stay tuned.
Morning,
Just reading this post and noticed the mention that users will be required to satisfy MFA to download the Office 365 apps.
Is this correct? Is there anything from Microsoft to support this?
Only, reading Microsoft’s post about this change https://techcommunity.microsoft.com/blog/microsoft_365blog/announcing-mandatory-multifactor-authentication-for-the-microsoft-365-admin-cent/4232568 it talks about MFA to access the 365 admin portal (which I believe is admin.microsoft.com).
However, users wishing to download Office apps visit portal.office.com.
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#scope-of-enforcement
I did also find this interesting; I haven’t seen this in any other blog. But I think it’s incorrect that normal users are impacted, as no such portals are mentioned. See the list of MFA-enforced applications in the URL above.
Tested last week and confirmed that users will be impacted when downloading Office 365. Checking the sign-in logs, I can see that Office downloads from the same App ID as the admin portal.
This has thrown a spanner in the works as Microsoft’s guidance always stated that end users would be unaffected by this unless they visited ‘admin’ portals.