Why is Microsoft forcing Azure tenants to enable MFA?

Andrew Robinson 0 Reputation points
2024-09-13T16:59:17.58+00:00

34-year information security and risk management professional here. I recently received a notice that I must "enable MFA by 15 October 2024" (which is weird since my Azure account is already using MFA). This is another example of "MFA mania" in which cloud providers and other IT service providers are forcing customers to use MFA.

MFA is great, but it is not a "best practice" and offers few benefits for many if not most tenants and use cases. Its primary purpose is to insulate the VENDOR (Microsoft in this case) from potential liability, and its primary EFFECT is to transfer those temporal and monetary costs to tenants. It is NOT "for your safety."

MFA is indeed "more secure" than fixed secret (password) authentication, but NOT necessarily "less risky." Whether the total risk of MFA (which includes both its positive AND negative effects on tenants) makes it worth enabling is the TENANT'S decision, not Microsoft's.

Negative effects (risks and realized losses) include any monetary cost associated with the MFA method, but more importantly the resulting productivity loss associated with MFA. MFA takes more time than password authentication in the general case. This may be a few seconds for a successful authentication, but in cases where the hard or soft token is inaccessible, may result in minutes or hours of lost productivity. The contingent recovery process may be as trivial as a password reset using an email address (in which case control of the email address is the only actual authentication factor), or it may require human intervention (in which case significant productivity losses are guaranteed).

If Microsoft wants to enhance security and reduce risk, rather than simply to impose non-existent "best practices" on tenants, then it can require 16+ character passwords WITHOUT "password complexity" (which actually reduces the strength of passwords). Such a change would have a linear effect on productivity, and would impose no monetary, temporal, or procedural costs on tenants whose risk assessment does not support MFA.

Microsoft Entra ID

3 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  3. James Hamil 24,386 Reputation points Microsoft Employee
    2024-09-18T19:36:37.75+00:00

    Hi @Andrew Robinson, this is our justification/reasoning: https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/ :

    • Protect identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection (for example, hardware security module (HSM) and confidential compute).
    • Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
    • Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
    • Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
    • Ensure 100% of identity tokens are protected with stateful and durable validation.
    • Adopt more fine-grained partitioning of identity signing keys and platform keys.
    • Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.

    You bring up valid points, and our public response doesn't cover everything you mentioned. I would submit feedback here about this.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

