Microsoft is shifting its security posture from persuasion to enforcement. Starting February 9, 2026, all users signing into the Microsoft 365 Admin Center will be required to complete multi-factor authentication (MFA) to access any administrative functions.
Why is this happening now?
Identity-based attacks are at an all-time high, with over 300 million daily credential-stuffing attempts recorded globally. Since the Admin Center controls everything from user provisioning to security policies, it is the most sensitive surface in your tenant.
Scope of Enforcement
The enforcement applies to all users attempting to access the following portals:
- admin.microsoft.com
- admin.cloud.microsoft
- portal.office.com/adminportal/home
Key Preparation Steps for IT Teams:
- Phased Rollout Check: While full enforcement hits on Feb 9th, many tenants have already seen phased prompts since early 2025. Don’t assume you’re safe just because you haven’t been “blocked” yet.
- Break-Glass Accounts: Even your emergency access accounts must use MFA. Best practice is to use phishing-resistant methods like FIDO2 security keys or Certificate-Based Auth (CBA) for these accounts.
- Service Accounts: If you are using a standard “user account” for automation or scripts that log into the Admin Center, those scripts will fail. Migrate these to Workload Identities (Service Principals) immediately.
My take: This is the most important “Quality of Life” update for your security posture this year. It removes the weakest link in your defense: the human-readable password.
References:
- Setup Guide: aka.ms/MFAWizard
- Verification Portal: aka.ms/mfasetup