Microsoft Aims To Make Multifactor the Default for Azure AD

A new feature preview represents the next step in Microsoft's plan to make multifactor authentication (MFA) the default verification option for its Azure Active Directory (AD) identity management service.

Besides using a password, MFA models typically require users to answer an automated phone call or respond to a text message before they're granted access to an account. Microsoft's plan is to make MFA a "baseline policy" for all organizations with Azure AD account administrators.

Last week, Microsoft announced that it is previewing MFA for protecting "privileged Azure AD accounts." By privileged accounts, Microsoft is referring to the IT pro administrator user accounts that an organization uses to manage AD.

The preview currently can be accessed within the Azure Portal by going to the Conditional Access blade. There's an option in there to turn on the baseline policy and "Require MFA for administrators." The interface lets organizations specify which Azure AD administrators will be subject to using MFA. The options include:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional access administrator
  • Security administrator

While this feature is currently at the preview stage and it's optional to try it, Microsoft is planning to make it a default setting for organizations when it's deemed to be at the "general availability" (or production-ready) stage. Here's how Microsoft described that coming change for Azure AD tenancies:

After general availability, we're going to opt you into the policy by default but provide you [with] the configuration to opt out at any time. We highly recommend you opt into the policy immediately.

Presumably, MFA will be a default feature only for organizations that have the proper use rights. According to Microsoft's Azure AD pricing page, MFA is only offered with Premium P1 and P2 Azure AD plans.

Microsoft isn't just an advocate for using MFA with the Azure AD service. It's also recommending its use when administering other services, such as Exchange Online. In a Friday Microsoft Tech Community post, Jeff Sun of Microsoft argued that MFA and encryption were seen as the two biggest obstacles for attackers, and he urged Office 365 tenancies to activate MFA when administering Exchange Online.

Organizations can enable MFA for Exchange Online through the Office 365 Admin Center, Security and Compliance Center and Exchange Admin Center. It's more complicated to enable MFA when organizations have automated their Exchange Online administration using PowerShell, he noted.

Sun advocated using additional Microsoft security solutions to administer Exchange Online beyond MFA, namely:

The use of those features, of course, requires having the licensing in place beyond an Office 365 subscription.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
