Microsoft is enhancing its Multi-Factor Authentication (MFA) offerings by phasing out certain features, enforcing broader MFA use, and updating policy management to improve security and user experience. These changes emphasize the importance of strong authentication methods and prepare users for future passwordless solutions.
Multi-Factor Authentication (MFA) is a critical security layer that goes beyond just a password to verify your identity. It significantly reduces the risk of unauthorized access to your accounts. Microsoft has been a strong proponent of MFA, and while the core concept remains essential, they are making some strategic shifts to enhance security, streamline user experience, and consolidate their offerings.
The good news is, Microsoft is NOT retiring MFA. Instead, they are making some key changes to specific MFA methods and enforcing its use more broadly. In this blog, we will highlight the key changes and what they mean for you.
Deprecation of Legacy MFA and SSPR Policies
What’s Happening:
By September 30, 2025, the older, per-user MFA and self-service password reset (SSPR) policies will be retired. They will be replaced by the more unified and flexible “Authentication methods policies.”
What to Do:
If you are still managing MFA settings through the legacy per-user portal, it’s crucial to migrate to the new Authentication methods policies in the Microsoft Entra admin center. This provides a centralized and more secure way to manage which authentication methods are available to your users. Avoid using outdated settings like “remember MFA on trusted devices” or broad IP exclusions.
Retirement of Microsoft Authenticator’s Password Autofill Feature
What’s Happening:
- The password autofill and payment information storage features within the Microsoft Authenticator app are being phased out.
- You will no longer be able to add or import new passwords in the Authenticator App.
- Autofill functionality will be discontinued, and any payment information stored will be deleted from your device.
- Saved passwords will no longer be accessible in the Authenticator app, and any unsaved generated passwords will be permanently deleted.
What to Do:
- Migrate to Microsoft Edge web browser: Microsoft is pushing users to utilize Microsoft Edge’s built-in password manager for autofill functionality. Your saved passwords (but not payment info) are already synced to your Microsoft account and can be accessed through Edge. You’ll need to set Edge as your default autofill provider on your mobile devices.
- Export Passwords: If you prefer a different password manager (e.g., LastPass, 1Password, Bitwarden, iCloud Keychain), you must export your saved passwords from the Authenticator app before August 1, 2025.
- Recreate Payment Info: Any payment information stored in Authenticator will be deleted. You’ll need to manually recreate this in your chosen autofill platform.
Important Note: The core MFA functionality of the Authenticator app (generating codes, push notifications for sign-ins, and passkey support) will continue to work and remains a highly recommended MFA method.
Mandatory MFA Enforcement for Azure and Microsoft 365 Admin Centers
What’s Happening:
- Microsoft is enforcing mandatory MFA for sign-in attempts to various Azure and Microsoft 365 administrative portals and related tools. This is a security enhancement to protect critical administrative functions.
- MFA will be required for accounts signing into the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center for Create, Read, Update, or Delete (CRUD) operations. This will roll out gradually worldwide.
- MFA enforcement gradually begins for sign-in to the Microsoft 365 admin center.
- September 1, 2025: MFA enforcement will gradually begin for accounts signing into Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints for Create, Update, or Delete operations. Read operations won’t require MFA for these specific tools.
- Microsoft will begin enforcing MFA on all first-party enterprise applications.
What to Do:
Ensure all accounts that interact with these administrative portals or perform CRUD operations through the mentioned tools have MFA enabled. We strongly recommend using the Microsoft Authenticator app, FIDO2 security keys (passkeys), or certificate-based authentication as robust MFA methods.
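As an added example (not from the original post, and not Microsoft’s own tooling), the following Microsoft Graph PowerShell script checks the two action items above in one pass: whether the tenant has finished moving from the legacy per-user MFA/SSPR policies to the Authentication methods policy, and which members of a few privileged roles have no MFA method registered. It assumes the Microsoft.Graph modules are installed, the signed-in account can consent to the read-only scopes listed, and the tenant holds a Microsoft Entra ID P1/P2 license for the registration-details report; the role names in `$adminRoleNames` are an assumed starting list, not an exhaustive one.

```powershell
# Added example: audit the Authentication methods policy migration state and
# MFA registration of privileged accounts. Read-only scopes; nothing is changed.
# Assumes Microsoft.Graph SDK 2.x and a P1/P2 license for the registration report.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# 1. Legacy per-user MFA / SSPR -> Authentication methods policy migration state.
#    Possible values: preMigration, migrationInProgress, migrationComplete.
$policy = Get-MgPolicyAuthenticationMethodPolicy
Write-Host "Authentication methods policy migration state: $($policy.PolicyMigrationState)"
if ($policy.PolicyMigrationState -ne "migrationComplete") {
    Write-Warning "Legacy policies are still in effect; finish the migration before September 30, 2025."
}
# Methods the unified policy currently allows (e.g. MicrosoftAuthenticator, Fido2, X509Certificate).
$policy.AuthenticationMethodConfigurations | Select-Object Id, State | Format-Table -AutoSize

# 2. Privileged users with no MFA method registered. These accounts will be
#    blocked from the admin portals once mandatory MFA reaches the tenant.
$adminRoleNames = @("Global Administrator","Privileged Role Administrator",
                    "User Administrator","Exchange Administrator","Intune Administrator")
$adminIds = foreach ($role in Get-MgDirectoryRole) {
    if ($adminRoleNames -contains $role.DisplayName) {
        (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id
    }
}
$adminIds = $adminIds | Sort-Object -Unique

$notRegistered = foreach ($id in $adminIds) {
    # Non-user members (groups, service principals) have no registration record; skip them.
    $detail = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $id -ErrorAction SilentlyContinue
    if ($detail -and -not $detail.IsMfaRegistered) {
        [pscustomobject]@{
            User    = $detail.UserPrincipalName
            Methods = ($detail.MethodsRegistered -join ", ")
        }
    }
}
if ($notRegistered) {
    Write-Warning "Privileged accounts without an MFA method registered:"
    $notRegistered | Format-Table -AutoSize
} else {
    Write-Host "All members of the listed admin roles have an MFA method registered."
}
```

Accounts listed in the second section should register Microsoft Authenticator, a FIDO2 key, or certificate-based authentication before enforcement reaches your tenant; the first section tells you whether the legacy per-user portal still governs them.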
Why These Changes Are Happening
These changes reflect Microsoft’s commitment to:
- Enhanced Security: Moving away from less secure methods (like phone call authentication, which was previously phased out) and enforcing MFA more broadly closes common security gaps.
- Streamlined Management: Consolidating password management into Edge and unifying MFA policies simplifies administration.
- Future-Proofing: Embracing passwordless solutions like passkeys (FIDO2) and strengthening authentication methods prepares for a more secure and convenient future.
What Do You Need to Know?
- MFA is More Important Than Ever: These changes underscore Microsoft’s focus on strong authentication. MFA is no longer an option; it’s a necessity for protecting your data.
- Action is Required: While the core Authenticator app for MFA isn’t going away, specific features and certain administrative access points require immediate attention and adjustments.
- We Are Here to Help: This change won’t affect everyone. For users who do experience issues, the fix will be quick and easy; they simply need to contact our help desk.
These transitions can seem complex. We are here to guide you through the process, ensure a smooth transition, and help you understand how these updates impact your specific environment.
- Review your current MFA setup.
- Migrate saved passwords if you don’t want to use Microsoft Edge.
- Ensure your administrative accounts comply with the new mandatory MFA requirements.
- Transition from legacy MFA policies to the new Authentication methods policies.
As we navigate these changes, it’s crucial to stay informed and proactive. The retirement of certain features, the enforcement of mandatory MFA for administrative accounts, and the transition to new authentication methods are all steps towards a more secure and streamlined digital environment.
Remember, MFA is not just an option; it’s a necessity. By reviewing your current MFA setup, migrating saved passwords, ensuring compliance with new requirements, and transitioning from legacy policies, you can safeguard your data and stay ahead of potential threats.
We are here to support you through these transitions, ensuring a smooth and secure journey. Stay vigilant, stay secure, and embrace the future of authentication with confidence.
If you need any further assistance or have any questions, feel free to contact us.