Password spray attacks on accounts have increased rapidly in recent months. As a result, the security risks for accounts that do not use MFA for authentication have increased significantly. Microsoft works in the past on different ways to enable MFA for all users they work with Azure and Microsoft 365. One first try was the activation of security defaults, but this can be deactivated by user.

Based on this development and for other reason Microsoft announced the enforcement for Mutlifactor authentication for all sign-in/access to the Azure Portal. This announcement was a little suprise and bringe some challenges to organization espesically when we take a look at service principals and break glass accounts. Don´t get me wrong, it is mandatory to enable MFA for all users they access your tenant and have a valid and regulary reviewed Conditional Access policy in place. But for some special accounts this was not the focus or recommended. In this article I will explain how Microsoft rollouts this enforcement which steps you have to proof and how you can ensure that you are not affected or prepared for the upcoming changes.