Microsoft Pushes MFA Adoption Via Conditional Policies
2023-11-08 05:38:47 Author: securityboulevard.com

Microsoft is taking another step in its aggressive campaign to get enterprises to adopt multifactor authentication (MFA) by rolling out Conditional Access policies that require MFA for administrator sign-ins to Microsoft Entra and other Microsoft cloud admin portals.

The vendor, which in the long run hopes to do away with passwords altogether in favor of other access security options such as passkeys, said this week that it will automatically deploy three such policies to customers' tenants and that administrators will have 90 days to review them and opt out if they want.

If they don’t opt out, the policies will be automatically enabled.

“Microsoft-managed Conditional Access policies provide clear, self-deploying guidance,” wrote Alex Weinert, vice president of identity security at Microsoft. “Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.”

Reducing the Harm

Weinert wrote that he is hoping such policies will have the same effect on cloud services security that requiring car manufacturers to install seatbelts had in the 1960s: eliminating or reducing the harm when accidents – or in this case, when cyberthreats – occur.

“This approach [in automobiles] – of making a secure posture easy to get into and hard to get out of – is sometimes called the ‘pit of success,’” he wrote, noting that when Microsoft made MFA the default for customer accounts in 2013 and for enterprise accounts six years later, “account compromise plummeted as multifactor authentication usage went up.”


Microsoft has been disappointed with past attempts that relied on enterprises adopting MFA voluntarily, Weinert wrote. It was not until 2019, when the company made MFA the default for new tenants, that adoption began to grow, and it grew again in 2022 when the default was extended to existing tenants.

MFA utilization now stands at more than 37%, and the vendor hopes the new Conditional Access policies will push that higher. The new policies will initially be deployed in report-only mode: the policy is evaluated on every sign-in and its would-be result is recorded in the tenant's sign-in logs, but nothing is enforced. Administrators can use those log entries to see which accounts and workflows would be blocked or prompted for MFA before the policy takes effect.

The process will start next week, but Microsoft will alert organizations before the policies are deployed. Once the policies pop up in the tenant, the 90-day countdown to decide whether to review, customize, or disable them begins.

Microsoft will automatically enable the policies on tenants that haven’t turned them off.

Three Policies

The first of the three policies requires MFA for administrators signing into admin portals for services such as Azure, Microsoft 365, and Exchange.

Another policy requires MFA for all cloud applications in organizations that still use legacy per-user MFA, which Weinert wrote will help those companies migrate from per-user settings to Conditional Access.

The third policy is available only to organizations licensed for Microsoft Entra ID P2 (Entra ID was formerly Azure Active Directory), since it depends on Identity Protection's sign-in risk detection.

“This policy covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins,” he wrote.

Weinert advised organizations to “pay lots of attention to the first policy. It’s our strong recommendation – and a policy we’ll deploy on your behalf.”

He also cautioned that, even for organizations that opt out of these policies, the trend at Microsoft is toward requiring MFA for specific interactions, as it already does for some Azure subscription management operations, Partner Center, and enrolling devices into Intune.
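As an added example (not code from the article or from Microsoft), the following Python script walks through the review an administrator would do during the 90-day window: it classifies Conditional Access policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource, checks whether any enabled policy actually enforces MFA for Global Administrators, and totals the report-only results recorded in sign-in log records (`appliedConditionalAccessPolicies`) to find accounts that would fail once the admin-portal policy is enforced. The policies and sign-in records are constructed sample data; the `Microsoft-managed:` display-name prefix and the policy contents are assumptions for the example, not the actual policies Microsoft deploys.

```python
"""Review Conditional Access MFA policies before report-only becomes enforced.

Added example, not code from the article or from Microsoft. Policy objects
follow the shape of the Microsoft Graph conditionalAccessPolicy resource
(GET /identity/conditionalAccess/policies); sign-in records follow the
signIn resource's appliedConditionalAccessPolicies field. All sample data
below is constructed. The "Microsoft-managed:" display-name prefix is an
assumption about how the rolled-out policies are labelled in a tenant.
"""

# Graph `state` values of a conditionalAccessPolicy.
ENABLED = "enabled"
DISABLED = "disabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Role template id of Global Administrator (the same in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample: one policy per kind described in the article.
SAMPLE_POLICIES = [
    {   # admins signing into Microsoft admin portals must satisfy MFA
        "id": "p1",
        "displayName": "Microsoft-managed: MFA for admins accessing Microsoft admin portals",
        "state": REPORT_ONLY,
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]},
                       "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # all users, all cloud apps (stand-in for the per-user MFA migration policy)
        "id": "p2",
        "displayName": "Microsoft-managed: MFA for all cloud apps",
        "state": REPORT_ONLY,
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # risk-based policy (Entra ID P2); this tenant has opted out of it
        "id": "p3",
        "displayName": "Microsoft-managed: MFA and reauthentication for risky sign-ins",
        "state": DISABLED,
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
    },
]

# Constructed sign-in log records collected while p1 was report-only.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "admin1@contoso.example",
     "appliedConditionalAccessPolicies": [{"id": "p1", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "admin2@contoso.example",
     "appliedConditionalAccessPolicies": [{"id": "p1", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "user1@contoso.example",
     "appliedConditionalAccessPolicies": [{"id": "p1", "result": "reportOnlyNotApplied"},
                                          {"id": "p2", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "svc-backup@contoso.example",   # scripted admin account with no MFA method
     "appliedConditionalAccessPolicies": [{"id": "p1", "result": "reportOnlyFailure"}]},
]


def requires_mfa(policy):
    """True if the policy's grant controls include the built-in MFA control."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def is_microsoft_managed(policy):
    return policy.get("displayName", "").startswith("Microsoft-managed:")


def covers_global_admin(policy):
    """True if Global Administrators fall within the policy's user scope."""
    users = policy.get("conditions", {}).get("users", {})
    return users.get("includeUsers") == ["All"] or GLOBAL_ADMIN in users.get("includeRoles", [])


def admin_mfa_enforced(policies):
    """True only if an *enabled* (not report-only, not disabled) policy requires MFA of Global Admins."""
    return any(p["state"] == ENABLED and requires_mfa(p) and covers_global_admin(p) for p in policies)


def policy_findings(policies):
    """For each Microsoft-managed policy, the decision its state implies during the review window."""
    verdicts = {
        REPORT_ONLY: "report-only: will be enabled automatically unless disabled; review sign-in log impact",
        DISABLED: "disabled: opted out, this policy enforces nothing",
        ENABLED: "enabled: enforced",
    }
    return [(p["id"], verdicts[p["state"]]) for p in policies if is_microsoft_managed(p)]


def report_only_impact(sign_ins, policy_id):
    """Tally what a report-only policy would have done. reportOnlyFailure means the grant controls
    (here, MFA) would not have been satisfied; reportOnlyInterrupted means the user would have been
    prompted; reportOnlyNotApplied means the sign-in was out of scope."""
    counts = {}
    for record in sign_ins:
        for applied in record.get("appliedConditionalAccessPolicies", []):
            if applied["id"] == policy_id:
                counts[applied["result"]] = counts.get(applied["result"], 0) + 1
    return counts


def users_needing_attention(sign_ins, policy_id):
    """Accounts that would fail under the policy: register an MFA method or exclude them before enforcement."""
    return sorted({r["userPrincipalName"] for r in sign_ins
                   for a in r.get("appliedConditionalAccessPolicies", [])
                   if a["id"] == policy_id and a["result"] == "reportOnlyFailure"})


if __name__ == "__main__":
    print("Global Administrator MFA enforced by an enabled policy:", admin_mfa_enforced(SAMPLE_POLICIES))
    for pid, verdict in policy_findings(SAMPLE_POLICIES):
        print(pid, verdict)
    print("p1 report-only results:", report_only_impact(SAMPLE_SIGN_INS, "p1"))
    print("p1 accounts to fix before enforcing:", users_needing_attention(SAMPLE_SIGN_INS, "p1"))
```

Against the constructed data, the admin-portal policy is still report-only, so `admin_mfa_enforced` returns False even though the policy exists, and the sign-in tally surfaces `svc-backup@contoso.example`, a scripted account that would start failing the moment the policy is enabled. That is exactly the class of breakage the 90-day window is for: find such accounts in the real logs, move them to a service principal or register a method for them, and only then leave the policy to flip on.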

A Goal of 100%

The vendor’s aim is to reach 100% MFA across its portfolio, Weinert wrote. He pointed to a Microsoft study showing that MFA on commercial accounts reduces the risk of account takeover by more than 99%. Across the entire account population the study found a 99.22% reduction in compromise risk, and a 98.56% reduction even when the account’s credentials had already been leaked.

The MFA market is booming and is expected to grow from $16.4 billion this year to $26.7 billion in 2027 as organizations continue to adopt it. Cloud giant Amazon Web Services said last month that it will require MFA for more users next year.

However, cybercriminals are finding more ways to bypass MFA protections, such as MFA fatigue, in which an attacker holding a stolen password floods the user with push-notification prompts until one is approved. Push and SMS-based factors are the ones most exposed to this and to real-time phishing proxies; number matching and phishing-resistant methods such as FIDO2 security keys, passkeys, and certificate-based authentication are not. U.S. government agencies are pushing tech vendors and developers to make MFA easier to deploy and to favor these phishing-resistant methods, to reduce the number of phishing and related incidents.

Even so, Weinert wrote that organizations need to adopt modern authentication policies.

“In a world where digital identity protects virtually every digital and physical asset and makes virtually all online experiences possible – and in a year when we’ve blocked more than 4,000 password attacks per second – we need to do more to drive multifactor authentication adoption,” he wrote. “And so now, we’re kicking off the next radical idea.”

Source: https://securityboulevard.com/2023/11/microsoft-pushes-mfa-adoption-via-conditional-policies/