Microsoft is set to enforce Multi-Factor Authentication (MFA) on admin accounts accessing the Microsoft Entra Admin Center, Azure portal and Microsoft Intune Admin Center starting October 15, 2024.
This article will guide you through the steps to either postpone this enforcement or immediately implement MFA for your admin accounts.
When singing in the Microsoft Entra Admin Center or other admin portals with an admin account the notification below can be shown.
Select Manage multifactor authentication.
If you don’t receive the notification: Multifactor authentication required select the URL below.
Multifactor authentication – Microsoft Azure
If you receive the message below sign in with an account with Global Admin permissions.
If you don’t see the MFA message page but just the overview page of Azure, select the link below again.
Multifactor authentication – Microsoft Azure
Postpone enforcement date
I recommend not postponing the enforcement of MFA; it should be implemented without delay.
However, if you choose to postpone, follow the subsequent steps; if not, proceed to the ‘Enable MFA’ section.
If you encounter the error displayed in the screenshot above, you will not be able to postpone enforcement. To postpone enforcement, please follow these steps:
- Sign in to Azure Portal with the user having the Global Administrator role.
- Go to Azure Portal -> Microsoft Entra ID -> Properties -> Access Management for Azure resources -> Yes -> Save
Now go back to the Multifactor authentication notification:
Multifactor authentication – Microsoft Azure
The error that was shown below is now gone, select Postpone enforcement.
Now select Postpone.
The enforcement is now postponed until March 15, 2025
Enable MFA on admin accounts to Cloud admin centers
To activate Multi-Factor Authentication (MFA) for admin accounts with access to Cloud admin centers, the following steps should be taken:
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Protection > Conditional Access, select + New policy, and then select Create new policy.
Enter a name for this Conditional Access policy.
In this example I will name it: MFA Microsoft Admin Portals and assign it to a dynamic group named: Cloud Admins.
Now select the target resource. In this example I want MFA to be enforced to Microsoft Admin Portals.
The admin portals are:
- Azure portal
- Exchange admin center
- Microsoft 365 admin center
- Microsoft 365 Defender portal
- Microsoft Entra admin center
- Microsoft Intune admin center
- Microsoft Purview compliance portal
- Microsoft Teams admin center
Now we select the access control: Grant.
We Grant access when the authentication strength Multifactor Authentication issued.
Set the Enable policy to: On. Then select: Create.
Let’s explore what a cloud administrator, belonging to the ‘Cloud Admins’ group, will observe upon signing into the Intune portal.
After entering the password the MFA prompt will appear or you have to set up the MFA for the first time.
Conclusion:
Multi-factor authentication is now in place for cloud administrators belonging to the ‘Cloud Admins’ group when accessing the designated portals:
- Azure portal
- Exchange admin center
- Microsoft 365 admin center
- Microsoft 365 Defender portal
- Microsoft Entra admin center
- Microsoft Intune admin center
- Microsoft Purview compliance portal
- Microsoft Teams admin center
Additional details on MFA implementation and admin portals are available in the articles below:
Cloud apps, actions, and authentication context in Conditional Access policy – Microsoft Entra ID | Microsoft Learn
Mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn