Mandatory MFA Requirement for Microsoft 365 Admin Center
Mandatory MFA for Microsoft 365 Admin Center Connections from February 3, 2025
After their communications triumph around the announcement of the imposition of an MFA requirement to sign into Azure administrative endpoints like the Entra admin center earlier this year, Microsoft is moving to its next target. According to a Microsoft Technical Community post of November 11, 2024, Microsoft will roll out a requirement for connections to the Microsoft 365 admin center to pass a mandatory multifactor challenge beginning on February 3, 2025.
Rolling out a change like this to hundreds of thousands of Microsoft 365 tenants can’t be done overnight. Microsoft says that tenant administrators will receive notification 30 days before the restriction commences.
The last time round, people panicked when they assumed that all connections to Azure, including those from non-privileged user accounts, would need to use MFA. However, the set of affected endpoints featured sites that few “normal users” go near, simply because they have no need to connect to administrative portals like the Intune admin center or to PowerShell modules like Azure PowerShell.
The same rules apply here. Only accounts holding administrative roles that need to connect to the Microsoft 365 admin center are affected. There’s probably a broader set of roles involved, and the new restriction means that staff like help desk personnel might be required to use MFA for the first time. But here’s the thing: anyone accessing the Microsoft 365 admin center to perform administrative tasks for a tenant should already be using MFA. Those who don’t are inviting compromise of their accounts by attackers that leads to potential compromise of the entire tenant depending on the roles held by the account.
Figuring Out Who Might be Affected by the Mandatory MFA Requirement
If you have Entra P1 licenses, you can use PowerShell to analyze Entra Audit sign-in logs to determine the set of accounts that use MFA. Audit logs only go back 30 days, but it’s enough to have a good idea. Alternatively, you could use PowerShell to interrogate the sign-in logs to find successful connections to the app used by the Microsoft 365 admin center (the app name reveals its roots), reduce the set to find unique user accounts, and check each user account to validate if it uses MFA. In this example, I use the Get-MgServicePrincipal cmdlet to find the identifier of the app. You could also scan the sign-in logs in the Entra admin center to find a record for a connection to the Microsoft 365 admin center. The beta version of the Get-MgAuditLogSignIn cmdlet is used to fetch sign-in records because it returns information about authentication requirements. Here’s some code to do the job (available from GitHub):
Connect-MgGraph -Scopes AuditLogs.Read.All, Application.Read.All
# Find the app id of the Microsoft 365 admin center (the app name reveals its roots)
$M365AdminCenterId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Office 365 Portal'").AppId
Write-Host "Checking for sign-ins to the Microsoft 365 Admin center..."
# Successful sign-ins only (status/errorCode eq 0); the beta cmdlet returns authenticationRequirement
[array]$M365PortalSignIns = Get-MgBetaAuditLogSignIn -Filter "AppId eq '$M365AdminCenterId' and status/ErrorCode eq 0" -All -PageSize 500
# Keep the most recent sign-in record for each user so that 'Last sign-in' really is the last one
[array]$UniqueUsers = $M365PortalSignIns | Group-Object UserPrincipalName | ForEach-Object {
    $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
}
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($User in $UniqueUsers) {
    $MFA = "Not enabled"
    If ($User.AuthenticationRequirement -eq 'multifactorauthentication') {
        $MFA = "Enabled"
    }
    $ReportLine = [PSCustomObject] @{
        User           = $User.UserDisplayName
        'MFA Status'   = $MFA
        'Last sign-in' = $User.CreatedDateTime
    }
    $Report.Add($ReportLine)
}
$Report

User                                    MFA Status  Last sign-in
----                                    ----------  ------------
Hans Geering (Project Management)       Enabled     09/11/2024 20:50:47
Ken Bowers                              Enabled     16/11/2024 13:20:40
Lotte Vetler (Paris)                    Enabled     15/11/2024 13:23:06
Paul Robichaux (Office 365 for IT Pros) Not enabled 29/10/2024 19:46:04
Tony Redmond                            Enabled     03/11/2024 15:30:24
Another approach is in the user passwords and authentication report script, which generates a comprehensive report about user accounts, passwords, sign-ins, and registered MFA methods. You can check this report to make sure that the users detected using the Microsoft 365 admin center have suitable MFA methods registered.
Another helpful script generates a report about accounts holding administrative role assignments. You can use the information in the report (and the CSV file generated by the script) to focus on the accounts that will be affected by the new mandatory MFA requirement. For example, accounts holding the user administrator role (Figure 1) will need to satisfy the mandatory MFA requirement to connect to the Microsoft 365 admin center after Microsoft deploys the change to your tenant.
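The two scripts mentioned above (registered MFA methods, and administrative role assignments) can be combined into one readiness check. The following is an added example, not either of those scripts and not code from the article: it walks every activated directory role, collects the user accounts that hold it, asks Graph which authentication methods each account has registered, and classifies the account as having strong MFA, weak MFA (SMS, voice or email only), or no MFA method at all. The Graph permission scopes, the classification of method types, and the CSV path are assumptions made for the example.

```powershell
# Added example: MFA readiness of every account holding an Entra directory role.
# Assumes the Microsoft Graph PowerShell SDK and the scopes below; adjust the CSV path.
Connect-MgGraph -Scopes RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All, User.Read.All -NoWelcome

# Method types treated here as strong (phishing-resistant or app based).
$StrongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)
# Method types that satisfy an MFA challenge but are exposed to SIM swapping or mailbox takeover.
$WeakMethods = @(
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)
# Never counted: every account has a password, and a Temporary Access Pass is meant to be short lived.
$IgnoredMethods = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

# Map user object id -> role names, so each account is queried once even if it holds several roles.
$RoleHolders = @{}
ForEach ($Role in (Get-MgDirectoryRole -All)) {
    ForEach ($Member in (Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All)) {
        # Skip groups and service principals: only user accounts sign in to the admin center interactively.
        If ($Member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { Continue }
        If (-not $RoleHolders.ContainsKey($Member.Id)) {
            $RoleHolders[$Member.Id] = [System.Collections.Generic.List[string]]::new()
        }
        $RoleHolders[$Member.Id].Add($Role.DisplayName)
    }
}

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($UserId in $RoleHolders.Keys) {
    $User = Get-MgUser -UserId $UserId -Property Id, DisplayName, UserPrincipalName, AccountEnabled
    # Each registered method carries its type in @odata.type
    $Types = @(Get-MgUserAuthenticationMethod -UserId $UserId |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Where-Object { $_ -notin $IgnoredMethods })
    $Strong = @($Types | Where-Object { $_ -in $StrongMethods })
    $Weak   = @($Types | Where-Object { $_ -in $WeakMethods })

    $Status = 'No MFA method registered'
    If ($Weak.Count -gt 0)   { $Status = 'Weak MFA only (SMS/voice/email)' }
    If ($Strong.Count -gt 0) { $Status = 'Strong MFA registered' }

    $Report.Add([PSCustomObject]@{
        User            = $User.DisplayName
        UPN             = $User.UserPrincipalName
        Enabled         = $User.AccountEnabled
        Roles           = ($RoleHolders[$UserId] -join '; ')
        'MFA readiness' = $Status
        Methods         = (($Types | ForEach-Object {
                              $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', ''
                          }) -join '; ')
    })
}

# Accounts with nothing registered sort first: they are the ones that will be stopped at the admin center.
$Report | Sort-Object 'MFA readiness', User | Format-Table -AutoSize
$Report | Export-Csv -Path .\AdminMFAReadiness.csv -NoTypeInformation -Encoding utf8
```

Because this check reads registered authentication methods rather than sign-in logs, it is not limited to the 30-day log window and does not depend on an Entra P1 license. An enabled account in the "No MFA method registered" bucket that holds a role such as User Administrator is exactly the case that will fail to reach the Microsoft 365 admin center once the change arrives in the tenant.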
Essentially, PowerShell is your friend when it comes to finding out who uses MFA in a tenant.
The Ongoing Need to Accelerate the Adoption of MFA
According to a Microsoft research report, MFA reduces the risk of account compromise by 99.22% across all accounts and by 98.56% for leaked account credentials (usernames and passwords). The last figures shared by Microsoft said that only 38% of Entra ID monthly active users use MFA (February 2024). Microsoft is on a campaign to get that number to at least 80% and enforcing mandatory requirements for MFA to connect to different sites is a good way to drive that message home.
One thing’s for sure. Microsoft is not going to stop imposing mandatory MFA requirements to connect to Microsoft 365. I expect the campaign to continue and spread to user-focused applications like Teams and Outlook. Quite when that will happen is anyone’s guess, but the important thing is to get ahead of the game by accelerating the adoption of MFA to protect Microsoft 365 user accounts, preferably using strong authentication methods like the Microsoft Authenticator app, FIDO2 keys, or software passkeys.
Another Big Change Coming in February 2025
Another big thing that will happen in February 2025 is the deprecation of the ApplicationImpersonation role in Exchange Online. This might not seem important to you, but it might be. Many bespoke and third-party tools use this role with Exchange Web Services (EWS) to access mailboxes. If you don’t check now, you might have an unpleasant surprise early in 2025. The Microsoft post references some tools to help check a tenant. It’s worth taking the time to do so.
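One quick way to see whether a tenant has anything to worry about is to list who currently holds the ApplicationImpersonation role. The following is an added example written for this article, not one of the tools referenced in Microsoft's post; it assumes the ExchangeOnlineManagement module is installed, and the CSV path is an arbitrary choice.

```powershell
# Added example: find every assignment of the ApplicationImpersonation role before it is removed.
# -GetEffectiveUsers expands role groups, so the individual (service) accounts behind a group assignment show up.
Connect-ExchangeOnline -ShowBanner:$false

[array]$Assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName, Enabled,
                  RecipientWriteScope, CustomRecipientWriteScope

If ($Assignments.Count -eq 0) {
    Write-Host "No ApplicationImpersonation assignments found: nothing to migrate."
} Else {
    Write-Host ("{0} ApplicationImpersonation assignment(s) found." -f $Assignments.Count)
    Write-Host "Each EffectiveUserName is an account (usually a service account behind an EWS tool) that loses this access in February 2025."
    $Assignments | Format-Table -AutoSize
    $Assignments | Export-Csv -Path .\ApplicationImpersonation.csv -NoTypeInformation
}
```

The EffectiveUserName column is the one to hand to the owners of bespoke or third-party tools: each account listed needs to be moved to a supported access model before the role disappears.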
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.