
Microsoft 365 & Azure Mandatory MFA: The 2026 Roadmap

Microsoft has been progressively enforcing multi-factor authentication (MFA) on Azure and Microsoft 365 admin portals since 2024. As of May 2026, Phase 1 (admin portals) is active across every tenant; Phase 2 (Azure CLI, PowerShell, REST API) started October 2025 and the final deferral ends 1 July 2026. Add the GA of Entra passkey on Windows on top and the same question lands in my inbox five times a month: “Our tenant still signs in without MFA — how long do we have, and what should we move to?”

This is a concrete 30-60-90 day migration plan for SMB and mid-market IT managers.

Microsoft’s mandatory MFA timeline

Phase          | Scope                                                        | Started
Phase 1        | Azure portal, Entra admin center, Intune admin center        | October 2024 (rolled in waves)
Phase 1 (M365) | Microsoft 365 admin center                                   | February 2025 (waves)
Phase 2        | Azure CLI, PowerShell, mobile app, IaC, REST API, Azure SDK  | 1 October 2025 (deadline 1 July 2026 with deferral)

Practical meaning: if you have a Global Administrator who still signs into the Azure portal with a password, you are already blocked in most tenants. If you still aren’t, your tenant simply hasn’t been moved yet — it will be. The Phase 2 deferral can be requested through 1 July 2026 but is a delay, not a solution; the migration must happen.

Per-user MFA, Security Defaults, Conditional Access — which?

The most common confusion we see at clients:

  • Security Defaults — Microsoft’s free “MFA in one click” switch. Entra ID Free is enough. Applies to all users, no exceptions. A reasonable starting point for small SMBs.
  • Per-user MFA — the old model, user-by-user toggling. Hard to manage, poor reporting. Don’t use it — Microsoft recommends moving to Conditional Access.
  • Conditional Access — requires Entra ID P1/P2 (included with Microsoft 365 Business Premium / E3 / E5). Lets you build detailed policies using signals like device compliance, location, risk score, session controls. For 30+ user organisations, this is the right choice.

Microsoft notes that exclusions in your own Conditional Access policies still work, but they do not exempt anyone from the Phase 2 enforcement: as of 2026 even protected user lists are in scope. Break-glass accounts are no exception and must use FIDO2 / passkey or certificate-based auth.

Phishing-resistant MFA: why FIDO2 / passkey is the new floor

A six-digit SMS code or an Authenticator push lets you claim MFA — but the AiTM (Adversary-in-the-Middle) phishing kits that surfaced in 2024–2025 (EvilProxy, Tycoon 2FA) routinely bypass these. “Phishing-resistant MFA” essentially means two standards:

  1. Passkey (FIDO2) — private key stays on the device, doesn’t work against a fake domain. Supported by Microsoft Authenticator (iOS/Android), Windows Hello, hardware keys (YubiKey, etc.).
  2. Certificate-based authentication (CBA) — particularly relevant for public sector and finance using smart cards.

As of 2026, Microsoft has made Entra Passkey on Windows generally available; iOS/Android Authenticator has supported passkeys for some time. The question to ask now: do the MFA methods we’re enrolling actually resist AiTM phishing? SMS and voice = no, push = partial, passkey/FIDO2 = yes.
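As an added example (not code from the original post), this Microsoft Graph PowerShell snippet answers that question for the admin population: it lists admins whose registered methods include nothing phishing-resistant. The method-name list and the AuditLog.Read.All scope are the author's assumptions; verify them against your tenant's registration report before relying on the output.

```powershell
# Added example: find admins with no phishing-resistant MFA method registered.
# Assumes the Microsoft.Graph module; AuditLog.Read.All is the assumed scope.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Method names as reported in userRegistrationDetails.methodsRegistered.
# Treating these as phishing-resistant (passkey/FIDO2, Windows Hello, CBA)
# follows the article's definition; the exact strings are an assumption.
$phishingResistant = @(
    "fido2SecurityKey",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello",
    "windowsHelloForBusiness",
    "x509Certificate"
)

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Keep only admins whose registered methods contain none of the strong ones.
$gaps = foreach ($u in $details) {
    if (-not $u.IsAdmin) { continue }
    $strong = @($u.MethodsRegistered | Where-Object { $phishingResistant -contains $_ })
    if ($strong.Count -eq 0) {
        [pscustomobject]@{
            User          = $u.UserPrincipalName
            MfaRegistered = $u.IsMfaRegistered   # SMS/push counts here, but is not AiTM-resistant
            Methods       = ($u.MethodsRegistered -join ", ")
        }
    }
}

$gaps | Sort-Object User | Format-Table -AutoSize
```

Every row in the output is an admin who can still be phished through an AiTM proxy even though the tenant reports them as "MFA registered".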

A 30-60-90 day plan

Days 1–30 — Foundation.

  • Enable Security Defaults if not already; or build a Conditional Access “baseline MFA” policy.
  • Push Microsoft Authenticator to every user via Intune.
  • Identify break-glass accounts; switch them to FIDO2 / passkey.

Days 31–60 — Rollout.

  • Pilot Conditional Access with admins, finance and IT.
  • Add device-compliance signals (require Intune-enrolled compliant device).
  • Enable risk-based sign-in (with Entra ID P2 if licensed).

Days 61–90 — Hardening.

  • Block legacy authentication protocols.
  • Make MFA registration mandatory through the registration interrupt and the combined registration experience.
  • Enable passwordless sign-in via passkey; block password sign-in via Conditional Access for groups that have completed enrolment.
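The three Conditional Access policies the plan asks for, as an added Microsoft Graph PowerShell example (not the original post's code): the baseline MFA policy from days 1–30, and the legacy-auth block and phishing-resistant requirement from days 61–90. They are created in report-only mode so the sign-in logs show the impact before you enforce them. It assumes the Microsoft.Graph module and Entra ID P1; `<BREAK-GLASS-GROUP-ID>` and `<ADMIN-GROUP-ID>` are placeholders for your own group object IDs.

```powershell
# Added example: create the plan's Conditional Access policies in report-only mode.
# Assumes Microsoft.Graph PowerShell and Entra ID P1; group IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome
$breakGlassGroup = "<BREAK-GLASS-GROUP-ID>"   # placeholder: emergency-access group
$adminGroup      = "<ADMIN-GROUP-ID>"         # placeholder: admin role group
$reportOnly      = "enabledForReportingButNotEnforced"   # switch to "enabled" after review

# Days 1-30: baseline MFA for all users, excluding the break-glass group.
$baseline = @{
    displayName   = "CA001 - Baseline MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Days 61-90: block legacy authentication. "exchangeActiveSync" and "other"
# (IMAP/POP/SMTP AUTH and similar) are the client types that cannot do MFA.
$legacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Days 61-90: require the built-in "Phishing-resistant MFA" authentication
# strength (passkey/FIDO2, Windows Hello for Business, CBA) for admins.
$phishingResistant = @{
    displayName   = "CA003 - Phishing-resistant MFA for admins"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeGroups = @($adminGroup); excludeGroups = @($breakGlassGroup) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  # built-in strength
    }
}
foreach ($p in @($baseline, $legacy, $phishingResistant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}: {1} ({2})" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the report-only results in the sign-in logs (Conditional Access tab) for a week or two, confirm the break-glass accounts are never caught by CA002 or CA003, then set `state` to `enabled`.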

Frequently asked questions

Does Microsoft’s mandatory MFA apply to consumer accounts? No — this scope is admin portals and Azure/M365 administrative surfaces, not consumer @outlook.com accounts.

Do we still need to enforce MFA at the application layer separately? Conditional Access policies enforced at the Entra ID layer cover all federated applications. App-level MFA on top is redundant unless the app sits outside SSO.

Can we get the Phase 2 deferral through 1 July 2026 just by clicking a button? Yes — the deferral is opt-in through the Azure portal admin experience. It buys you time; it doesn’t change the destination.

What happens to service principals and managed identities? Service principals don’t sign in interactively — they’re not in scope for the user-MFA enforcement. But the rotating credentials and certificate-based auth practices around them should be reviewed in the same pass.

Bottom line

Mandatory MFA is the floor; phishing-resistant MFA is where the conversation actually lives in 2026. If your tenant already has Microsoft 365 Business Premium or higher, the licensing is in place and the rest is configuration discipline. To map your current MFA posture against the 2026 mandatory schedule, contact us for a free assessment.