Entra Authentication Best Practice
Latest Updates
Microsoft Mandatory MFA Enforcement – Phase 2
Microsoft's mandatory multifactor authentication (MFA) enforcement is entering Phase 2. Starting in April 2026, MFA will be automatically required for user sign-ins to:
- Azure portal
- Microsoft Entra admin center
- Azure CLI
- Azure PowerShell
- Azure mobile app
- Infrastructure as Code (IaC) tools
- REST API (Control Plane)
- Azure SDKs
This matters most for teams that currently use user accounts as service accounts (a username and password driving a script or tool) without MFA: those sign-ins will stop working once enforcement reaches the tool they use. Enforcement applies to user sign-ins; managed identities and service principals (workload identities) authenticate without MFA and are not affected.
Microsoft Authentication Recommendations
Microsoft's recommended approach is to move away from service accounts that sign in with a password. Better options include:
- Managed Identities (Microsoft's Managed Identity Documentation)
  - Ideal for workloads already running in Azure (VMs, Functions, Logic Apps, Automation accounts).
  - Eliminates credential management: Azure issues and rotates the credential, and nothing is stored in the script.
- Workload Identities (Microsoft's Workload Identity Documentation)
  - Purpose-built for non-human access (applications, services, scripts or containers), including workloads running outside Azure via workload identity federation.
Both are recommended because they remove the need to store a password anywhere and eliminate the risks that come with password-based service accounts: static credentials that leak or are never rotated, compromise of a highly privileged account, and the lack of MFA. A managed identity is itself a kind of workload identity; the difference is that Azure creates and manages its credential for you.
These identity solutions give applications and services secure, automated authentication, reducing operational overhead and improving security compared to traditional service accounts.
Example Authentication Best Practice Use Cases
Use case 1: You run PowerShell or other scripts via a service account
Options:
Migrate the script to an Azure Automation runbook that authenticates with the Automation account's managed identity.
Move the script into a CI/CD pipeline in GitHub Actions and federate your app registration with GitHub Actions via OIDC (workload identity federation), so the pipeline holds no stored secret.
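The runbook option above, as an added example that is not from the original page: an Azure Automation runbook that signs in with the Automation account's system-assigned managed identity instead of a stored service-account password. It assumes the identity is enabled on the Automation account, has a role (for example Reader) on the subscription, and that the Az.Accounts and Az.Resources modules are imported into the account; the subscription ID is a placeholder.

```powershell
# Added example: Azure Automation runbook authenticating with a managed identity.
# Assumptions: system-assigned identity enabled on the Automation account, a role
# assigned to it on the subscription, Az.Accounts and Az.Resources imported.

# Legacy pattern this replaces. It breaks once MFA is enforced, because a
# password alone can no longer complete a user sign-in:
#   $cred = Get-AutomationPSCredential -Name 'svc-automation'
#   Connect-AzAccount -Credential $cred

# Do not let Az contexts saved by earlier jobs leak into this one.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    # System-assigned managed identity: no secret, no password, no MFA prompt.
    # For a user-assigned identity add: -AccountId '<client-id-of-the-identity>'
    $azContext = (Connect-AzAccount -Identity -ErrorAction Stop).Context
}
catch {
    throw "Managed identity sign-in failed. Is the identity enabled on the Automation account? $_"
}

# Pin the subscription explicitly so the runbook does not depend on a default.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Set-AzContext -SubscriptionId $subscriptionId -DefaultProfile $azContext | Out-Null

# Sanity check: confirm the job is running as the identity, not as a user.
$account = (Get-AzContext).Account
if ($account.Type -ne 'ManagedService') {
    throw "Expected a managed identity context, got account type '$($account.Type)'."
}
Write-Output "Authenticated as managed identity $($account.Id)"

# The original workload goes here. Placeholder: list the resource groups the
# identity is allowed to read, which also proves the role assignment works.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```

Nothing in this runbook is secret, so there is nothing to rotate or to leak from source control; if the identity is deleted or its role removed, the `Connect-AzAccount` call fails loudly rather than silently falling back to a cached user context.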
Use case 2: You have an application that accesses Entra via GitHub Actions.
Options:
Federation between your app registration and GitHub Actions via OIDC (workload identity federation).
A client secret or certificate on the app registration (technically still possible, but no longer recommended: the secret must be stored in GitHub and rotated by hand, and a leaked copy works from anywhere).
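The OIDC federation option, referred to in both use case 1 and use case 2 above, as an added example that is not from the original page: the Azure-side setup an administrator runs once with Az.Accounts and Az.Resources so that a GitHub Actions workflow can sign in with no stored secret. The app display name, repository, branch, subscription ID, resource group and role are placeholders to replace.

```powershell
# Added example: federate an app registration with GitHub Actions (OIDC) and
# remove any remaining client secrets. Placeholders below must be replaced.
$appDisplayName = 'gh-infra-deploy'
$gitHubRepo     = 'contoso/infra'     # ORG/REPO
$gitHubBranch   = 'main'
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$scope          = "/subscriptions/$subscriptionId/resourceGroups/rg-infra"

# Interactive admin sign-in; MFA applies here, as it should for a human.
Connect-AzAccount -ErrorAction Stop | Out-Null

$app = Get-AzADApplication -DisplayName $appDisplayName
if (-not $app) { $app = New-AzADApplication -DisplayName $appDisplayName }

# Federated credential: Entra trusts tokens GitHub issues for exactly this repo
# and branch. The subject is matched literally, so a workflow on another branch
# or in a fork cannot redeem it. Other subject shapes GitHub issues:
#   repo:ORG/REPO:environment:NAME   (deployment environment)
#   repo:ORG/REPO:pull_request       (PR-triggered runs)
$federation = @{
    ApplicationObjectId = $app.Id
    Name     = "github-$gitHubBranch"
    Issuer   = 'https://token.actions.githubusercontent.com'
    Subject  = "repo:${gitHubRepo}:ref:refs/heads/$gitHubBranch"
    Audience = 'api://AzureADTokenExchange'
}
New-AzADAppFederatedCredential @federation | Out-Null

# Least privilege at the narrowest scope the pipeline needs; Contributor on one
# resource group is a placeholder, not a recommendation.
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId }
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null

# Remove leftover secrets and certificates so federation is the only way in.
Get-AzADAppCredential -ObjectId $app.Id | ForEach-Object {
    Remove-AzADAppCredential -ObjectId $app.Id -KeyId $_.KeyId
}

# Values the workflow needs. None of them is secret, so store them as
# repository variables rather than as GitHub secrets.
[pscustomobject]@{
    AZURE_CLIENT_ID       = $app.AppId
    AZURE_TENANT_ID       = (Get-AzContext).Tenant.Id
    AZURE_SUBSCRIPTION_ID = $subscriptionId
}
```

On the GitHub side the workflow must request an ID token (`permissions: id-token: write`) and call `azure/login` with `client-id`, `tenant-id` and `subscription-id` only; there is no `creds` secret to store. If the job runs from a branch or environment whose subject does not match the federated credential, the token exchange is refused, which is the check you want: the credential is bound to a specific source, not to whoever holds a string.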
Use case 3: You use a service account with a third-party tool like Sharegate.
Options:
We see no viable way to keep using these tools non-interactively with a user account once MFA is enforced: a user-based service account will need a human present to complete MFA at sign-in. Check whether the vendor supports signing in as an application (an app registration with its own permissions) rather than as a user; if it does not, plan for interactive, MFA-backed sign-in by a named person rather than a shared account.