Microsoft is moving Azure AD customers to MFA authentication as a security default within days. A German blog reader just informed me that he (as a global Azure AD admin) received a notification from Microsoft and that his organization will be migrated to this security default on May 8, 2023.
German blog reader Rene H. just contacted me via email to let me know about the Azure AD security defaults transition. Under the subject line "Important: We will enable security enhancements for your organization by May 8, 2023." he received a notification from Microsoft that has also alarmed other German admins. Rene wrote (I've translated his text and the notification):
Hello, we just received the information below, which seems to have no alternative.
And then in this unmanageable time window.
Do you know anything about this procedure? The organization is quite large; an introduction of MFA in this time frame is not feasible at all.
Nothing can be found on Google either when I enter the context of the subject.
Should this really be genuine, as it looks like, some would certainly have a problem with the forced MFA as well.
Then probably only "Conditional Access" would remain, with a suitable license.
Thank you for your highly interesting blog posts,
The topic is documented by Microsoft as of October 26, 2022 in the support article Security defaults in Azure AD. However, it only states that Microsoft is making the security standard in Azure AD available to everyone. In other words, the switch to multifactor authentication (MFA) for Azure Active Directory is coming. The background is that identity-based attacks such as password spray and replay attacks, as well as phishing, are common attack methods today. Microsoft writes that more than 99.9 percent of these identity-related attacks are stopped using multi-factor authentication (MFA) and by blocking legacy authentication.
Microsoft's goal is to ensure that all organizations using Azure AD have at least a basic level of security enabled at no additional cost. The support post Security defaults in Azure AD details who is eligible for this switch to MFA, who shouldn't use it, and how administrators switch to MFA. Here is what Microsoft has sent to several global Azure AD administrators (I've translated the text):
The Security Standards setting for your tenant will be enabled by May 8, 2023.
You are receiving this email because you are a global administrator.
To protect your organization, we are constantly working to improve the security of Microsoft Cloud Services. In this regard, we are enabling the "Security Standards" setting in your tenant, which includes multi-level authentication. This can block more than 99.9 percent of identity attacks that try to compromise your accounts.
If you log in to your account between April 24, 2023 and May 8, 2023, you will be prompted to proactively enable the security standards. If you have not logged in or enabled this setting by the end of this timeframe, we will automatically enable it for you.
After the setting is enabled, all users in your organization must enroll in multi-factor authentication. To avoid confusion, you should inform your users what to expect:
– When users log in to their account, they are prompted to install the Microsoft Authenticator app. They can choose to install the app immediately and complete the steps to register their account, or they can defer the process to a later time. The option to defer will disappear after 14 days.
– They will need to follow the Microsoft Authenticator app setup steps to download the app to their mobile device, and register their account in the app.
German administrators wrote that a global Azure AD administrator can disable the switchover and can also specify the MFA method used for authentication. Some mentioned the "number matching" rollout announced by Microsoft as the root cause.
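Before the switchover date an admin will want to know where the tenant actually stands: whether security defaults are already on, and whether Conditional Access (the alternative Rene mentions, which needs a suitable license) already enforces MFA. The following script is an added example, not code from the blog post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed and that the caller can consent to the Policy.Read.All scope.

```powershell
# Added example (not from the blog post or Microsoft): audit a tenant's MFA
# posture ahead of the forced security defaults switchover.
# Assumes: Microsoft.Graph.Identity.SignIns module installed, Policy.Read.All consent.
Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Security defaults: the setting the notification says will be enabled for you.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Host "Security defaults: ENABLED (all users must register MFA; legacy authentication is blocked)"
} else {
    Write-Host "Security defaults: disabled"
}

# 2. Conditional Access: list enabled policies whose grant control requires MFA.
#    'enabledForReportingButNotEnforced' (report-only) policies do not protect anyone yet.
$caPolicies = Get-MgIdentityConditionalAccessPolicy
$mfaPolicies = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and ($_.GrantControls.BuiltInControls -contains 'mfa')
}
if ($mfaPolicies) {
    Write-Host "Conditional Access policies enforcing MFA:"
    $mfaPolicies | ForEach-Object { Write-Host ("  - {0}" -f $_.DisplayName) }
} else {
    Write-Host "No enabled Conditional Access policy requires MFA"
}

# 3. Flag the tenant state that needs a decision before May 8: neither mechanism
#    is active, so users will be pushed into Authenticator registration automatically.
if (-not $defaults.IsEnabled -and -not $mfaPolicies) {
    Write-Warning "Neither security defaults nor an MFA Conditional Access policy is active."
}

Disconnect-MgGraph
```

Security defaults and Conditional Access are mutually exclusive in Azure AD, so a tenant that wants to keep control over the MFA rollout timing must have its Conditional Access policies in place (and licensed) rather than relying on the default setting.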
Yannic Graber brought it up in the post Number Matching MFA Rollout, mentioning that the rollout was announced on January 22, 2023, starting February 27, 2023, and was to be implemented in fairly short order (the post there was published on April 10, 2023). The following note can be read there:
Note: Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.
We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
This is the date mentioned in the above mail from Microsoft.