
Mondor Festival

News with a Local Lens

Microsoft Entra “default security settings” to make MFA configuration mandatory
minsta

Microsoft says it will improve security among Entra tenants where default security settings are enabled by making multi-factor authentication (MFA) registration mandatory.

This approach is part of the company's Secure Future Initiative, launched in November 2023 to strengthen cybersecurity protection across all of its products.

“We are removing the option to skip multi-factor authentication (MFA) registration for 14 days when default security settings are enabled. This means that all users will need to register for multi-factor authentication on their first connection once the default security settings are enabled,” said Microsoft’s Nitika Gupta on Wednesday.

“This will help reduce the risk of account compromise during the 14-day period, as MFA can block over 99.2% of identity-based attacks.”

This change will affect all newly created tenants from December 2, 2024 and will begin rolling out to existing tenants from January 2025.

Microsoft Entra security defaults (the “default security settings” referred to in this article) is a setting that automatically enables various security features to protect organizations against common attacks, such as password spraying, replay, and phishing.

Since October 22, 2019, new tenants have had security defaults enabled automatically, and older tenants have had them enabled automatically over time if they are not using Conditional Access, premium licenses, or legacy authentication clients.

To enable security defaults, you must log in to the Microsoft Entra admin center (at least as a security administrator), navigate to Identity > Overview > Properties, and select Manage security defaults. From there, set “Default Security Settings” to On and click Save.

Default Entra Security Settings (Microsoft)
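
The same check and toggle can be scripted through Microsoft Graph instead of the admin center. The script below is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds at least the Security Administrator role. It only reports by default, and it refuses to turn security defaults on when enabled Conditional Access policies are present, since the article recommends security defaults for tenants that do not use Conditional Access.

```powershell
# Added example: report the state of security defaults and optionally enable them.
# Run with -Enable to change the tenant; without it the script is read-only.
param([switch]$Enable)

# Policy.Read.All is enough to read; the write scope is requested only when needed.
$scopes = @('Policy.Read.All')
if ($Enable) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
Connect-MgGraph -Scopes $scopes

# The tenant-wide security defaults policy (a single object per tenant).
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($policy.IsEnabled)"

if ($policy.IsEnabled) {
    Write-Host 'Nothing to do: users are already required to register for MFA.'
    return
}

# Security defaults are meant for tenants without Conditional Access.
# List enforced policies so the operator can see what would conflict.
$enforced = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' })

if ($enforced.Count -gt 0) {
    Write-Warning "$($enforced.Count) Conditional Access policies are enabled:"
    $enforced | Select-Object DisplayName, State | Format-Table -AutoSize
    Write-Warning 'Leaving security defaults off; review these policies first.'
    return
}

if (-not $Enable) {
    Write-Host 'No enabled Conditional Access policies found. Re-run with -Enable to turn security defaults on.'
    return
}

# Equivalent to setting the toggle to On and clicking Save in the portal.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $true }

$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($after.IsEnabled)"
```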

Administrators not using Conditional Access are advised to enable default security settings for their organization, as they provide a simple and effective way to protect users and resources from common threats.

However, while default security settings provide a good foundation of security, they do not allow for the customization that Conditional Access policies provide and that complex organizations need.

In August, Microsoft also notified Entra global administrators to enable MFA for their tenants by October 15 to ensure that users do not lose access to admin portals. By enforcing mandatory MFA for all Azure sign-in attempts, Microsoft aims to protect Azure accounts from hacking and phishing attempts.

The company also announced in November that it would deploy Conditional Access policies requiring multi-factor authentication for all administrators signing in to Microsoft admin portals (e.g. Entra, Microsoft 365, Exchange and Azure), for users of all cloud applications, and for high-risk sign-ins.

In January, Microsoft-owned GitHub also started enforcing two-factor authentication (2FA) for all active developers as part of the company’s ongoing efforts to drive MFA adoption.