Hi @Andrew Robinson, this is our justification/reasoning: https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/:
- Protect identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection (for example, hardware security module (HSM) and confidential compute).
- Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
- Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
- Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
- Ensure 100% of identity tokens are protected with stateful and durable validation.
- Adopt more fine-grained partitioning of identity signing keys and platform keys.
- Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.
You bring up valid points, and our public response doesn't cover everything you mentioned. I would submit feedback here about this.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James