Microsoft is taking steps to enhance the security of its cloud services by introducing Conditional Access policies that will require multifactor authentication (MFA) for certain scenarios. MFA is a method of verifying a user’s identity by asking for more than one piece of evidence, such as a password and a code sent to a phone or email.

The new policies will apply to administrators who sign into Microsoft admin portals, such as Microsoft Entra, Microsoft 365, Exchange, and Azure. These portals allow administrators to manage various aspects of their organization’s cloud environment, such as users, devices, applications, and subscriptions. By requiring MFA from administrators, Microsoft aims to prevent unauthorized access and protect sensitive data and resources.

The new policies will also apply to per-user MFA users and high-risk sign-ins. Per-user MFA users are those who have been enabled for MFA by their administrators, either individually or through a group. High-risk sign-ins are those that are detected as anomalous or suspicious by Microsoft’s risk-based engine, which analyzes factors such as location, device, and network. By requiring MFA for these scenarios, Microsoft aims to reduce the likelihood of compromised accounts and credentials.

The new policies will be created by Microsoft on customers’ tenants, which are the dedicated instances of Microsoft cloud services that customers subscribe to. The policies will be added in report-only mode, which means that they will not be enforced, but will generate reports on how they would affect the users and sign-ins. The policies will be rolled out gradually to eligible Microsoft Entra tenants starting next week. Administrators will have 90 days to review the policies and decide if they want to enable them or not. If they do not take any action, the policies will remain in report-only mode.