Following a couple of announcements from the Azure team at Microsoft regarding the enforcement of MFA across Azure management resources, it is imperative that, even if you think you are covered, you assess your environment to understand the potential impact of this change.
On May 14th, Microsoft released an ambiguous article that caused a stir in the community. It simply stated that MFA would be enforced across all users administering Azure in different capacities. Since then, more clarification has been released to help guide users from being caught out with these large-scale changes.
Read on for key information about what is changing and to learn how you can assess the impact of MFA enforcement on your tenant.
Key dates for MFA enforcement in Azure
The Azure team has highlighted some key dates:
- On October 15th, MFA enforcement for all customers will begin for the Azure Portal, Entra Portal and Intune Portal.
- Starting early 2025, MFA enforcement for all customers will begin for all other scenarios such as the Azure CLI, Azure PowerShell and IaC tools.
Key info for MFA enforcement in Azure
- This will only impact users signing into the Azure Portal, Azure CLI and IaC tools. It will not impact users signing into services built on Azure.
- This will include all user types.
- Enforcement of MFA will be handled by Azure and not by Conditional Access policies.
- If you already have Security Defaults enabled, then there will be no impact on your user experience.
- All supported MFA methods are available for you to use, including external authentication methods.
- An exemption process for emergency access (break-glass account) will be made available and communicated to tenant administrators in mid-August 2024. Exemptions will be time-bound!
MFA will be enforced via the following App IDs in Microsoft Entra:
| Application Name | App ID | Enforcement phase |
|---|---|---|
| Azure portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Microsoft Entra admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Microsoft Intune admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Azure command-line interface (Azure CLI) | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Early 2025 |
| Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | Early 2025 |
| Azure mobile app | 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa | Early 2025 |
| Infrastructure as Code (IaC) tools | Use Azure CLI or Azure PowerShell IDs | Early 2025 |
Understanding the MFA assessment
To assess your environment, you are going to use the latest version of MSIdentityTools, which was recently updated by Merill Fernando. The additional function within this PowerShell module scrapes the Azure sign-in logs and extracts a list of users who have generated events against the Azure application IDs highlighted above. It then loops through each user found and reports on the authentication methods registered on the account. If no MFA-capable authentication methods are registered, this is highlighted on the report and the user is deemed to be impacted by the change.
To add some perspective on what the tool is doing, it first uses the following Graph query and filter to obtain all sign-in logs for the app IDs above.
(appid eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' or appid eq '04b07795-8ddb-461a-bbee-02f9e1bf7b46' or appid eq '1950a258-227b-4e31-a9cf-717495945fc2') and status/errorcode eq 0 and createdDateTime ge 2024-05-15T00:00:00Z
This query can be run manually and exported to grid view by using the following code example:
Connect-MgGraph -Scopes AuditLog.Read.All
# Look back 30 days; the createdDateTime filter expects a full UTC timestamp
$date = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$select = "userId,userPrincipalName,userDisplayName,appId,createdDateTime,authenticationRequirement"
$filter = "(appid eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' or appid eq '04b07795-8ddb-461a-bbee-02f9e1bf7b46' or appid eq '1950a258-227b-4e31-a9cf-717495945fc2') and status/errorcode eq 0 and createdDateTime ge $date"
# The backticks stop PowerShell treating the OData $select and $filter keys as variables
$uri = "/beta/auditLogs/signIns?`$select=$select&`$filter=$filter"
$report = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject | Select-Object -ExpandProperty Value
$report | Out-GridView
There are some caveats to the above example, like paging and page size, but fundamentally it serves to understand how the assessment is done.
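The paging caveat matters in practice: a busy tenant returns more than one page of sign-ins and the single request above keeps only the first. The following function is an added example, not code from the original post or from the MSIdentityTools module. The function name Get-AzureMgmtSignIn and its parameters are my own; the app IDs default to the ones in the enforcement table, and it assumes Connect-MgGraph has already been run with AuditLog.Read.All. It follows @odata.nextLink until the last page, and because the app IDs are a parameter, the same function can be rerun later for only the Azure CLI and Azure PowerShell IDs.

```powershell
# Added example: pull every successful sign-in to the Azure management app IDs,
# following @odata.nextLink so results beyond the first page are not lost.
# Assumes Connect-MgGraph -Scopes AuditLog.Read.All has already been run.
function Get-AzureMgmtSignIn {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        # Defaults are the app IDs from the enforcement table; pass a subset to
        # assess, for example, only Azure CLI and Azure PowerShell sign-ins.
        [string[]]$AppId = @(
            'c44b4083-3bb0-49c1-b47d-974e53cbdf3c',  # Azure portal / Entra / Intune admin centers
            '04b07795-8ddb-461a-bbee-02f9e1bf7b46',  # Azure CLI
            '1950a258-227b-4e31-a9cf-717495945fc2'   # Azure PowerShell
        ),
        [int]$PageSize = 999
    )

    # Graph wants a full UTC timestamp in the createdDateTime comparison
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $appFilter = ($AppId | ForEach-Object { "appId eq '$_'" }) -join ' or '
    $filter = "($appFilter) and status/errorCode eq 0 and createdDateTime ge $since"
    $select = 'userId,userPrincipalName,userDisplayName,appId,createdDateTime,authenticationRequirement'

    # Backticks keep PowerShell from expanding $select/$filter/$top as variables;
    # the filter is URL-encoded because it contains spaces and quotes.
    $uri = "/beta/auditLogs/signIns?`$select=$select&`$filter=$([System.Uri]::EscapeDataString($filter))&`$top=$PageSize"
    $results = [System.Collections.Generic.List[object]]::new()

    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($entry in $page.value) { $results.Add($entry) }
        # @odata.nextLink is absent on the final page, which ends the loop
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

# Usage:
# Connect-MgGraph -Scopes AuditLog.Read.All
# $report = Get-AzureMgmtSignIn -Days 30
# $report | Out-GridView
```

The returned list can be used in place of $report for the normalisation and per-user loop that follow.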
The next stage is to obtain a unique list of names from this output. A simple way of doing this is to use the Select-Object -Unique parameter. I call this normalising the report, although the terminology is not entirely accurate.
$Normalised = $report | Sort-Object -Property userPrincipalName -Unique
$Normalised | Out-GridView
The last step is to loop through each user to obtain the registered MFA methods. I demonstrate a similar concept in my blog post Export All Microsoft 365 Users MFA Status with PowerShell. For this, I will create a simple loop, like so:
#Auth methods summary from the MSIdentityTools module
$authMethods = @(
    @{
        ReportType  = 'passKeyDeviceBoundAuthenticator'
        Type        = $null
        DisplayName = 'Passkey (Microsoft Authenticator)'
        IsMfa       = $true
    },
    @{
        ReportType  = 'passKeyDeviceBound'
        Type        = '#microsoft.graph.fido2AuthenticationMethod'
        DisplayName = "Passkey (other device-bound)"
        IsMfa       = $true
    },
    @{
        ReportType  = 'email'
        Type        = '#microsoft.graph.emailAuthenticationMethod'
        DisplayName = 'Email'
        IsMfa       = $false
    },
    @{
        ReportType  = 'microsoftAuthenticatorPush'
        Type        = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
        DisplayName = 'Microsoft Authenticator'
        IsMfa       = $true
    },
    @{
        ReportType  = 'mobilePhone'
        Type        = '#microsoft.graph.phoneAuthenticationMethod'
        DisplayName = 'Phone'
        IsMfa       = $true
    },
    @{
        ReportType  = 'softwareOneTimePasscode'
        Type        = '#microsoft.graph.softwareOathAuthenticationMethod'
        DisplayName = 'Authenticator app (TOTP)'
        IsMfa       = $true
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
        DisplayName = 'Temporary Access Pass'
        IsMfa       = $false
    },
    @{
        ReportType  = 'windowsHelloForBusiness'
        Type        = '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
        DisplayName = 'Windows Hello for Business'
        IsMfa       = $true
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.passwordAuthenticationMethod'
        DisplayName = 'Password'
        IsMfa       = $false
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.platformCredentialAuthenticationMethod'
        DisplayName = 'Platform Credential for MacOS'
        IsMfa       = $true
    },
    @{
        ReportType  = 'microsoftAuthenticatorPasswordless'
        Type        = '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod'
        DisplayName = 'Microsoft Authenticator'
        IsMfa       = $true
    }
)

# The list the loop appends to; without it, $Assessment.Add() below fails
$Assessment = [System.Collections.Generic.List[object]]::new()

Foreach ($user in $Normalised){
    # Registered authentication methods for this user (v1.0 endpoint)
    $UserUri = "/v1.0/users/$($user.UserId)/authentication/methods"
    $UserAuthMethods = (Invoke-MgGraphRequest -Method GET -Uri $UserUri -OutputType PSObject | Select-Object -ExpandProperty Value) | Select-Object '@odata.type'
    $UserMFAauthMethods = @()
    Foreach ($method in $UserAuthMethods){
        # Exact match on the Graph type; -eq avoids regex surprises from the dots in the type name
        $value = $authMethods | Where-Object {$_.Type -eq $method.'@odata.type'}
        If ($value.IsMfa -eq $true){
            $UserMFAauthMethods += $value.DisplayName
        }
    }
    $obj = [PSCustomObject][Ordered]@{
        "Member"                 = $user.userPrincipalName
        "MFA Ready"              = if(!$UserMFAauthMethods){"Not Ready"}else{"Ready"}
        "MFA Methods registered" = $UserMFAauthMethods -join ", "
    }
    $Assessment.Add($obj)
}
$Assessment | Out-GridView
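The loop above looks only at registered methods, so a user whose MFA is satisfied by a method the methods endpoint does not report would show as "Not Ready". The following function is an added example, not code from the original post or from MSIdentityTools. The function name Get-MfaReadiness is my own; it assumes $report holds the sign-in entries selected by the query earlier in the post (userId, userPrincipalName, appId, authenticationRequirement) and that Connect-MgGraph was run with UserAuthenticationMethod.Read.All. It groups sign-ins per user so each user is looked up once, records which management apps the user actually used, and treats a sign-in whose authenticationRequirement is multiFactorAuthentication as evidence of readiness even when no MFA method is returned.

```powershell
# Added example: per-user MFA readiness from the sign-in list, combining the
# registered methods with evidence from the sign-ins themselves.
# Assumes Connect-MgGraph -Scopes UserAuthenticationMethod.Read.All has been run.
function Get-MfaReadiness {
    param(
        [Parameter(Mandatory)][object[]]$SignIns
    )

    # Graph @odata.type values that count as MFA-capable, taken from the
    # method table in the post; extend it if new method types appear.
    $mfaTypes = @{
        '#microsoft.graph.fido2AuthenticationMethod'                              = 'Passkey (other device-bound)'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'             = 'Microsoft Authenticator'
        '#microsoft.graph.phoneAuthenticationMethod'                              = 'Phone'
        '#microsoft.graph.softwareOathAuthenticationMethod'                       = 'Authenticator app (TOTP)'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'            = 'Windows Hello for Business'
        '#microsoft.graph.platformCredentialAuthenticationMethod'                 = 'Platform Credential for MacOS'
        '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod' = 'Microsoft Authenticator (passwordless)'
    }

    $assessment = [System.Collections.Generic.List[object]]::new()

    foreach ($group in ($SignIns | Group-Object -Property userId)) {
        if (-not $group.Name) { continue }   # skip entries with no user object id
        $first = $group.Group[0]

        # Sign-ins that already satisfied MFA (external methods included) show
        # the user is prepared even if the methods endpoint returns nothing.
        $mfaSignIns = @($group.Group | Where-Object { $_.authenticationRequirement -eq 'multiFactorAuthentication' }).Count
        $apps = ($group.Group.appId | Sort-Object -Unique) -join ', '

        $methods = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/users/$($group.Name)/authentication/methods" -OutputType PSObject
        $registered = @(@(foreach ($m in $methods.value) {
            if ($mfaTypes.ContainsKey($m.'@odata.type')) { $mfaTypes[$m.'@odata.type'] }
        }) | Sort-Object -Unique)

        $status = if ($registered.Count -gt 0) { 'Ready' }
                  elseif ($mfaSignIns -gt 0) { 'Ready (MFA seen in sign-ins, methods not reported)' }
                  else { 'Not Ready' }

        $assessment.Add([PSCustomObject][Ordered]@{
            'Member'                 = $first.userPrincipalName
            'MFA Ready'              = $status
            'MFA Methods registered' = $registered -join ', '
            'MFA sign-ins in window' = $mfaSignIns
            'Apps used'              = $apps
        })
    }
    return $assessment
}

# Usage (after producing $report with the sign-in query):
# $assessment = Get-MfaReadiness -SignIns $report
# $assessment | Where-Object { $_.'MFA Ready' -eq 'Not Ready' } | Out-GridView
```

The "Apps used" column is what lets you prioritise: a user who only reaches the portal is affected in the first phase, while one seen only through the CLI or PowerShell app IDs has until early 2025.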
Once this last code piece has run, you will be left with a report that looks similar to the following:
Running the MFA assessment
Practically speaking, you want to make the process as simple as possible. For this, you should install the MSIdentityTools PowerShell module, which utilises some of the code examples I shared above. To install the module, run the following command in PowerShell 7.
Install-Module MsIdentityTools -Scope CurrentUser -Force
You can check you are on the latest version by visiting the PowerShell gallery page for MSIdentityTools.
Once the module is installed, start by connecting to Microsoft Graph using the following command. You will be prompted to provide admin consent to the requested permissions.
Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All, UserAuthenticationMethod.Read.All
To produce the report, run the below command and a detailed Excel report will be saved to the location you specify.
Export-MsIdAzureMfaReport -ExcelWorkbookPath .\report.xlsx -Days 30
You can use this information to target improvements for user accounts which are likely to be impacted. Notice from the report above that the user Bill Gates has signed in with MFA but the Authentication Methods column is empty. This is because the user is configured with External Authentication Methods using Duo. EAM is currently in preview and the reporting information is not yet available in the Graph API. For more information on EAM, check out:
I dropped a note to Merill, but it would be nice if he could also provide a switch in his assessment to include/exclude apps so this can be reused for the CLI and Az PS after the portals have been blocked.