MFA enforcement extension to September 2025

Question

I am requesting an extension for the MFA enforcement to September 2025 to give us time to put all our practices in place.. How do I make this request?

Answer 1

Hi,

The ability to postpone enforcement until September 30, 2025 is supposed to be available starting in the second half of this month. Please see article below which has instructions as well as link to portal page to postpone.

Request more time to prepare for enforcement

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

Excerpt:

We understand that some customers may need more time to prepare for this MFA requirement. Microsoft is allowing customers with complex environments or technical barriers to postpone the enforcement for their tenants until September 30, 2025.

Starting in 2nd half of February 2025, Global Administrators can go to the Azure portal to select the start date of enforcement for their tenant for admin portals in Phase 1. Global Administrators must elevate access before they can postpone the start date of MFA enforcement.

Global Administrators must perform this action for every tenant where they want to postpone the start date of enforcement.

By postponing the start date of enforcement, you take extra risk because accounts that access Microsoft services like the Azure portal are highly valuable targets for threat actors. We recommend all tenants set up MFA now to secure cloud resources.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Answer 2

Hello @Jo Horn,

Thank you for your response.

As per the recent update on this, the date picker for portal MFA enforcement is currently rolling out and it is going to roll out completely to all tenants by 2/24/2025. 

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#request-more-time-to-prepare-for-enforcement

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Answer 3

Hi,

Looking at your screenshot, you can now postpone MFA enforcement to a later date.

To get around the MFA requirement, what you can do is enable MFA for one new account. This will leave all of the other users as they are now. Instructions below:

1. Create new Global Administrator account—in Azure portal, navigate to Microsoft Entra ID -- Manage -- Users blade, then click New user - Create new user. Create new user named postponemfa or similar, and assign Global Administrator role to it, making note of temporary password.

2. Enable Per-User MFA on new account (only)—in Azure portal, navigate to Microsoft Entra ID -- Manage -- Users blade, then click Per-User MFA. Find the user you just created, select it, and click Enable MFA

3. Configure MFA on new account—open a separate browser session by [Chrome] clicking on person icon in upper right corner and clicking Open Guest profile or [Edge] clicking on person icon in upper left corner and clicking Other profiles --> Browse as guest

Sign-in to Azure portal in Guest browser session using the new account and follow instructions to configure MFA. You could add this new account to Microsoft Authenticator on your phone if you want.

4. Elevate access on new account—still using Guest browser session, in Azure portal, navigate to Microsoft Entra ID -- Manage -- Properties blade scroll down to Access management for Azure resources and change it to Yes for this new account, Save, then sign out and sign back in for the change to take effect

5. Postpone MFA enforcement date—still using Guest browser session, navigate to postpone MFA enforcement. Since you used MFA to sign-in, it should now allow you to postpone to later date.

Completing the above steps should take about 10 minutes. If you are unsure about how to perform one of the steps add a comment below and I will assist.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP