As a cloud architect I frequently observe that security changes which initially appear to be a "minor detail" end up causing the biggest complications when organisations are not prepared in time.
One such change is the Multi-Factor Authentication (MFA) Phase 2 enforcement, which takes effect from October 1, 2025 — and applies not only to portal users but also to scripts, automations, and infrastructure management tools.
What Phase 2 Is and What Changes It Brings
- Phase 1 (already underway): MFA mandatory for signing in to the Azure portal, Microsoft Entra admin center, and Intune admin center.
- Phase 2 (from October 1, 2025): MFA will also be required for Azure CLI, PowerShell, the mobile app, IaC tools, and the REST API for Create/Update/Delete operations.
Microsoft also recommends stopping the use of user accounts as service accounts and migrating to workload identities or managed identities.
Who and What Will Be Affected
- DevOps scripts using Azure CLI / PowerShell
- IaC tools (Terraform, Bicep, ARM template scripts)
- Custom applications calling the REST API for Azure management
- Automations running under regular user accounts
Recommended Steps: What to Do Now
- Inventory all scripts, automations, and service accounts — Identify every part of the infrastructure where login without MFA is used.
- Migrate to workload identities / managed identities — Replace user accounts with more secure entities that do not require MFA.
- Update tools — Azure CLI version 2.76 or higher, Azure PowerShell version 14.3 or higher.
- Test in non-production environments — Simulate operations with MFA enabled.
- Request an extension if needed — Microsoft allows postponement of enforcement until July 1, 2026.
- Training and communication — Inform developers, operations teams, and users.
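For the inventory step, the following added example (not from the original article or from Microsoft) scans script text for `az login` and `Connect-AzAccount` calls that pass user credentials rather than a service principal or managed identity. The sample scripts, account names, and variables are constructed for illustration, and interactive logins without credential flags are deliberately not flagged.

```python
import re

PATTERNS = {  # tool -> (command, user-credential flag, workload-identity flag)
    "az login": (re.compile(r"\baz\s+login\b(.*)", re.I),
                 re.compile(r"(^|\s)(-u|--username)\b"),
                 re.compile(r"--service-principal\b|--identity\b")),
    "Connect-AzAccount": (re.compile(r"\bConnect-AzAccount\b(.*)", re.I),
                          re.compile(r"-Credential\b", re.I),
                          re.compile(r"-ServicePrincipal\b|-Identity\b", re.I)),
}

def logical_lines(text):
    """Yield (first_line_no, statement), joining bash '\\' and PowerShell '`' continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        line = raw.rstrip()
        if line.endswith(("\\", "`")):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:  # script ended in the middle of a continued statement
        yield start, buf

def find_user_logins(scripts):
    """Return (file, line, tool) for logins that pass user credentials non-interactively."""
    findings = []
    for name, text in sorted(scripts.items()):
        for no, stmt in logical_lines(text):
            if stmt.lstrip().startswith("#"):
                continue  # commented-out command
            for tool, (cmd, user, workload) in PATTERNS.items():
                m = cmd.search(stmt)
                if m and user.search(m.group(1)) and not workload.search(m.group(1)):
                    findings.append((name, no, tool))
    return findings

# Constructed sample scripts (file names, accounts and variables are made up).
SAMPLES = {
    "deploy.sh": '#!/bin/bash\naz login -u deploy@contoso.example -p "$AZ_PASS"\n',
    "nightly.ps1": '$cred = Get-Credential\nConnect-AzAccount -Credential $cred `\n'
                   '    -Tenant $tenantId\n',
    "pipeline.sh": 'az login --service-principal -u "$APP_ID" \\\n'
                   '  -p "$SECRET" --tenant "$TENANT"\n# az login -u old@contoso.example -p x\n',
    "vm-job.ps1": 'Connect-AzAccount -Identity\n'}
if __name__ == "__main__":
    print(*("%s:%d %s with a user credential" % f for f in find_user_logins(SAMPLES)), sep="\n")
```

To scan a real repository, build the `scripts` dictionary from the files on disk; each finding is a candidate for migration to a workload or managed identity.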
Conclusion
With Phase 2 MFA enforcement, Microsoft clearly signals that access to infrastructure tools will be more strictly protected. If you start identifying weak points and testing changes now, you can navigate the transition without outages.