Microsoft: Admins have 90 days to opt out before MFA is deployed automatically

Microsoft is introducing three Conditional Access policies for system admins as it continues to promote the implementation of multi-factor authentication (MFA) in organizations. The trio of optional policies will be automatically deployed to eligible customers' tenants in a report-only mode at first. Customers will have a 90-day window in which to review and if necessary opt out of them, otherwise they will be automatically enabled after this time.

Of the three options, Microsoft is pushing the first one the strongest, which will apply to Entra ID Premium Plans 1 and 2. It mandates privileged admin accounts to complete MFA when accessing Microsoft admin portals such as Azure, Microsoft 365 admin center, and Exchange admin center.

The other two policies apply to a smaller subset of customers. For those running the legacy per-user implementation of MFA, logins to cloud apps will require MFA across the board.

These policies represent the latest step taken by Microsoft to increase MFA uptake to an idealistic 100 percent of all customers. Currently, just 37% utilize MFA but the proportion of newer tenants adopting it is considerably higher.

For more information, visit Microsoft, or take a look at this article from The Register.