
Microsoft Finally Enforces MFA on Azure: Why This Should Have Happened Years Ago


Microsoft’s announcement that multi-factor authentication (MFA) is now mandatory for all Azure portal sign-ins is welcome news, but it’s also long overdue. For years, organizations have trusted their Cloud and SaaS providers to build in security by default, and that trust has often been misplaced. Credential theft remains the leading cause of breaches, yet the responsibility for enabling basic protections like MFA has been left to individual customers.


The truth is simple: we can’t outsource accountability for security to vendors and partners. Cloud and SaaS platforms are powerful enablers of business, but their default configurations often leave gaping holes. When a platform as critical as Azure only enforces MFA in 2025, it underscores the need for companies to take ownership of their security posture rather than relying on providers to act in their best interest.



Cloud and SaaS Configuration Controls: More Than MFA

Executives and boards must recognize that MFA is the baseline, not the finish line. Industry frameworks provide clear guidance:


  • NIST CSF 2.0 – Protect (PR.AC-1): Identities are verified and authenticated commensurate with risk.

  • CIS Controls v8 – Control 6.3: Require MFA for all administrative access.

  • MITRE ATT&CK – Techniques like T1078 (Valid Accounts) and T1110 (Brute Force) highlight how attackers exploit weak authentication.


Leading organizations go beyond two-factor authentication and adopt three factors (something you know, something you have, something you are), and they force MFA challenges on every privileged authentication. This is especially critical for administrative accounts that manage cloud environments.


Critical Microsoft Azure Configurations Executives Should Know

MFA is only one piece of the cloud security puzzle. Boards should ensure management teams are enforcing additional non-negotiable Azure configurations, including:


  • Restricting asset movement – Prevent workloads from being moved to another Azure environment without multi-level approval.

  • Conditional access policies – Require risk-based, adaptive access rules (location, device, behavior).

  • Privileged Identity Management (PIM) – Enforce just-in-time access for administrators, with approval workflows.

  • Logging & monitoring – Centralize logs with immutable retention to detect abnormal activity.

  • Segregation of duties – Separate cloud administration from security oversight to reduce insider risk.


These are not “nice to have” technical controls; they are business resilience imperatives. A misconfigured cloud environment can create systemic risk across the enterprise.



The Armes Vantage Point

The reality is clear: Cloud and SaaS providers are not doing enough to protect customers. Enforcing MFA today doesn’t undo years of exposure, and it doesn’t solve the broader trust gap between vendors and customers. What’s needed is an open trust framework, where providers build controls with customer security in mind from day one and customers bring in qualified leaders and practitioners to validate and enforce those controls.


At Armes Vantage, we help boards and executives cut through the complexity of Cloud and SaaS security. As your virtual CISO, we align your organization with frameworks like NIST CSF, MITRE ATT&CK, and CIS Controls and we work alongside your IT teams to implement the policies and controls that truly matter.


© 2025 by Armes Vantage LLC. All rights reserved.