Microsoft is implementing several significant security and authentication updates across its enterprise platforms throughout 2024 and 2025, building on its ongoing efforts to strengthen identity protection. A major change involves the enforcement of multifactor authentication (MFA) for Microsoft Entra, previously known as Azure Active Directory, which will roll out in two phases. The first phase, beginning in the second half of 2024, will require MFA for users accessing the Microsoft Entra admin center, Azure portal, and Intune admin center. The second phase, starting in early 2025, will extend MFA requirements to the Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code tools.
The mandatory MFA implementation follows recent CISA directives for federal agencies that mandate enhanced Microsoft 365 protection measures. The change supports Microsoft’s broader identity management strategy, which includes its development of decentralized identity solutions based on blockchain technology.
As part of its security hardening efforts, Microsoft has implemented restrictions on permissions for the Directory Synchronization Accounts role, which affects Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync services. The modification to the synchronization process between Active Directory objects and Microsoft Entra ID requires no action from customers, though it represents a significant step in reducing potential attack surfaces.
User experience improvements are also forthcoming, with a planned update to the "Add sign-in method" dialog in My Security Info scheduled for mid-October 2024. The redesigned interface will feature a modern aesthetic and include detailed descriptions for each authentication method, while automatically suggesting the most robust sign-in options based on organizational policies. The update coincides with Microsoft’s new persistent account sign-in system planned for February 2025.
For developers working with Microsoft Entra ID tokens, the Microsoft Authentication Library (MSAL) continues to offer two primary authentication methods: the authorization code flow and the username-password flow. The authorization code flow uses browser-based authentication, while the username-password flow requires Azure application configuration and an implementation using the MSAL Python library. Both flows are designed to work seamlessly with Microsoft’s expanding ecosystem of identity and access management tools.
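Administrators who want to confirm that the MFA enforcement described above actually applies to a session can inspect the `amr` (authentication methods reference) claim of the Entra ID token that MSAL returns. The following is an added Python example, not code from Microsoft or the MSAL library; the sample tokens are constructed for offline use, the claim values are illustrative, and the decode step deliberately skips signature validation, which a real check must perform against the tenant's published signing keys before trusting any claim.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Suitable only for inspection and logging; production code must validate the
    signature (and issuer/audience) before relying on any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def mfa_satisfied(claims: dict, now: Optional[float] = None) -> bool:
    """True if the token is unexpired and its 'amr' claim records an MFA step.
    Entra ID records the methods used, e.g. 'pwd' for password and 'mfa' for
    a second factor; a password-only sign-in lacks the 'mfa' entry."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    return "mfa" in claims.get("amr", [])


def _make_token(claims: dict) -> str:
    # Constructed sample token for offline demonstration; the signature is a placeholder.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed claims: 'exp' is far in the future so the samples stay valid offline.
SAMPLE_MFA_TOKEN = _make_token(
    {"aud": "example-audience", "exp": 4102444800, "amr": ["pwd", "mfa"], "upn": "admin@contoso.example"}
)
SAMPLE_PWD_ONLY_TOKEN = _make_token(
    {"aud": "example-audience", "exp": 4102444800, "amr": ["pwd"], "upn": "admin@contoso.example"}
)

if __name__ == "__main__":
    for label, tok in (("mfa", SAMPLE_MFA_TOKEN), ("pwd-only", SAMPLE_PWD_ONLY_TOKEN)):
        print(label, "MFA satisfied:", mfa_satisfied(decode_jwt_claims(tok)))
```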
Microsoft’s new Administrator Protection (AP) initiative introduces enhanced security boundaries between elevated and non-elevated user contexts. The system operates on the Principle of Least Privilege, ensuring administrator privileges are temporary and requiring explicit elevation actions for administrative tasks. The approach matches recommendations from security agencies like the NSA and CISA regarding the implementation of robust identity management in cloud environments.
The developments coincide with broader industry security updates, including patches from various vendors addressing authentication, validation, and permissions vulnerabilities across different platforms and applications. The changes reflect an industry-wide shift toward stronger authentication requirements, as evidenced by similar moves from other technology providers to enhance their security protocols.
Sources: Microsoft Learn, Microsoft Azure Documentation, Microsoft Tech Community, CISA