Microsoft to Roll Out Mandatory MFA for Admins – Are You Ready?


Microsoft recently announced that, starting October 15, it will enforce MFA for sign-ins to its administrative portals (Azure portal, Microsoft Entra admin center and Intune admin center). In practice that covers every administrator account in your tenant. Are you ready for this change?

You can find more info on this change here: https://mc.merill.net/message/MC862873

How do I know if my organization is ready?

The first thing to know is whether every administrator already has MFA registered. To find out, run these commands in PowerShell 7:

# Install the MSIdentityTools module for the current user only
Install-Module MsIdentityTools -Scope CurrentUser

# Directory and sign-in log access plus registered authentication methods
Connect-MgGraph -Scopes Directory.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All

# Write the MFA report for accounts that have signed in to Azure
Export-MsIdAzureMfaReport .\report.xlsx

Source: https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAzureMfaReport/

It gives you a tidy Excel report showing which accounts have MFA registered and which do not. Two caveats: the report is built from sign-in activity and registered authentication methods, so an admin account that has never signed in to Azure will not appear, and "registered" is not the same as "enforced": until a Conditional Access policy requires it, a user with a registered method can still sign in with password alone.
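As an added example (not part of the original post or the MSIdentityTools module), the same question can be answered directly from the Microsoft Graph authentication-methods registration report, which also lets you separate admins who have only weak MFA (push, SMS) from those who already hold a phishing-resistant method. It assumes the Microsoft.Graph PowerShell SDK is installed, that the report exposes the IsAdmin, IsMfaCapable and MethodsRegistered properties, and that the method names in $phishingResistant match what your tenant returns; check them against the Graph reference if the counts look wrong.

```powershell
# Added example: classify every account that holds a directory role by MFA posture.
# Assumes Install-Module Microsoft.Graph -Scope CurrentUser has been run.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Methods counted as phishing-resistant (FIDO2 / passkeys / Windows Hello for Business).
# Assumption: these are the method names the registration report uses.
$phishingResistant = @(
    'fido2SecurityKey',
    'passKeyDeviceBound',
    'passKeyDeviceBoundAuthenticator',
    'passKeyDeviceBoundWindowsHello',
    'windowsHelloForBusiness'
)

# Only accounts that hold an admin role; -All pages through the whole report.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All

$posture = foreach ($u in $admins) {
    $methods = @($u.MethodsRegistered)
    $hasPR   = ($methods | Where-Object { $_ -in $phishingResistant }).Count -gt 0
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaRegistered     = $u.IsMfaRegistered
        # IsMfaCapable = registered AND the method is allowed by the tenant's
        # authentication method policy, which is what actually matters on Oct 15.
        MfaCapable        = $u.IsMfaCapable
        PhishingResistant = $hasPR
        Methods           = ($methods -join ', ')
        Status            = if (-not $u.IsMfaCapable) { 'NOT READY' }
                            elseif (-not $hasPR)     { 'MFA only' }
                            else                     { 'OK' }
    }
}

# Show the full picture, then export the gaps so they can be chased one by one.
$posture | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
$posture | Where-Object Status -eq 'NOT READY' |
    Export-Csv .\admins-without-mfa.csv -NoTypeInformation
```

Unlike the sign-in based report, this covers admins who have never signed in to Azure, but it says nothing about whether a policy enforces MFA; that is the next section.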

What to do if some administrators do not have MFA enabled?

First, you're a bit late to the party.
Second, act now!

You can find instructions from Microsoft on how to set this up using Conditional Access Policies here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa

It is a good idea to go straight to phishing-resistant MFA (passkeys, FIDO2 security keys or Windows Hello for Business), so your admin accounts get the highest level of protection from the start instead of a second migration later. A guide on how to do this is here > https://skotheimsvik.no/how-to-use-passkey-in-authenticator-a-tutorial

What happens with my Break Glass Accounts?

These accounts will also be required to have MFA set up; Microsoft's enforcement does not exempt emergency access accounts, even though you should keep them excluded from your own Conditional Access policies so a broken policy cannot lock you out.

Because these accounts are for emergency access, and not tied to a specific person or their phone, I do not advise using the Microsoft Authenticator app for them. Use a hardware token (a FIDO2 security key), register at least one per account, and keep the keys in a physically secured location that more than one person can reach.

A guide on how to set this up here > https://ourcloudnetwork.com/best-practice-for-emergency-access-accounts-in-microsoft-entra/
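Putting the two sections above together, here is an added example (not from the original post or from Microsoft's documentation) that creates the admin Conditional Access policy through the Microsoft Graph PowerShell SDK: it requires the built-in "Phishing-resistant MFA" authentication strength for a set of privileged roles, excludes the break-glass accounts, and starts in report-only mode so you can review the sign-in log before enforcing. It assumes the Microsoft.Graph SDK is installed, the signed-in account can write Conditional Access policies, and the break-glass UPNs are placeholders for your own; the role list is a subset of the roles Microsoft's article recommends, so extend it to match.

```powershell
# Added example: admin MFA policy with phishing-resistant strength, report-only first.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Directory.Read.All', 'User.Read.All' -NoWelcome

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$roleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Authentication Administrator', 'Application Administrator'
)
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object DisplayName -in $roleNames |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) {
    throw "Resolved $($roleIds.Count) of $($roleNames.Count) roles; check the names."
}

# Break-glass accounts (placeholder UPNs) are excluded from every CA policy.
$breakGlassUpns = @('bg-admin1@contoso.onmicrosoft.com', 'bg-admin2@contoso.onmicrosoft.com')
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })

# Look up the built-in phishing-resistant strength by name instead of trusting a GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

$policy = @{
    displayName = 'Admins: require phishing-resistant MFA'
    # Report-only first; change to 'enabled' once the report-only results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds
        }
    }
    grantControls = @{
        operator = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the sign-in logs for a few days before switching the state to enabled; an admin who only has a push notification registered will show as failing this policy, which is exactly the list you need to work through.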