Defending the premises
“Service principals, managed identities, workload identities, and similar token-based accounts used for automation are excluded,” according to Shahid. “Microsoft is still gathering customer input for certain scenarios such as break-glass accounts and other special recovery processes.”Â
“Students, guest users and other end-users will only be affected if they are signing into Azure portal, CLI, PowerShell or Terraform to administer Azure resources. This enforcement policy does not extend to apps, websites or services hosted on Azure. The authentication policy for those will still be controlled by the app, website or service owners.”
In just over a month, Microsoft will start enforcing multi-factor authentication (MFA) for all Azure administrators.
The news was confirmed in a blog post published late last week, (via BleepingComputer), with Principal Product Manager for Microsoft Azure, Naj Shahid, on hand to address customer concerns.
According to the update, the rollout will start in July, and will first be available to Azure admins. After that, similar rollouts will happen for CLI, PowerShell, and Terraform. Users will be notified beforehand via email.
MFA adds a second authentication layer, besides the password, to high-value accounts. It generally comes in the form of a time-based code that is generated by a MFA tool, such as an authenticator app, or a physical token.Â
These days, MFA is considered an industry standard in terms of cybersecurity and comes highly recommended for customers, as it successfully repels a vast majority of cyberattacks, and makes phishing for passwords extremely difficult.
Some phishing kits allow threat actors to steal multi-factor authentication codes, too, but the process is a lot more cumbersome, and hackers are a lot easier to oust, compared to accounts without MFA.
