To increase security and shield user accounts from unwanted access, Microsoft has announced that Multi-Factor Authentication (MFA) will be enforced for all Microsoft 365 tenants. This action is part of a broader initiative to improve security and reduce security breaches.
This impacts migration tools and procedures, and any application that needs service accounts to operate.
See the official announcements:
- Mandatory multifactor authentication
- Enable Multi Factor Authentication by October 2024
What is MFA?
Multi-Factor Authentication (MFA) is a security mechanism that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. This additional layer of security makes it significantly harder for attackers to gain access, even if they have obtained the user’s password.
Impact of Enforcement of Multi-Factor Authentication in Microsoft 365 Tenants
The enforcement of MFA in Microsoft 365 tenants means that all users will need to authenticate using multiple factors, such as a password and a mobile app verification code, before accessing their accounts. This change will have several impacts:
- Enhanced Security: The risk of unauthorized access is significantly reduced since a stolen password does not expose company data anymore.
- User Experience: Users will need to adapt to the new authentication process. Proper training and communication are essential to ensure a smooth transition.
Compatibility with Migration Tools
Migration tools that interact with Microsoft 365 tenants must be updated to support MFA. In practice, they must stop using usernames and passwords altogether, because background tasks cannot complete the additional MFA step. Instead, they must authenticate as Entra ID applications with client secrets or certificates. This affects the EWS protocol, PowerShell scripts and tasks that send mail; these scripts and this code must be switched to Entra ID applications.
Cloudiway Roadmap
Cloudiway has proactively addressed the upcoming changes in Microsoft’s MFA requirements, incorporating them into our product roadmap to ensure seamless functionality for our customers.
EWS (Exchange Web Services) Changes:
Cloudiway is now using Entra ID authentication in EWS instead of Username/password. In a future release, EWS will be completely removed and replaced by Graph API due to the Microsoft initiative to discontinue EWS.
PowerShell Changes:
PowerShell now uses Entra ID applications: Use PowerShell with Entra ID Applications
We have evolved our PowerShell layer to use an Entra ID application with certificate authentication, replacing the previous method based on username and password.
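As an added illustration (not Cloudiway's code) of the switch described above, the following script contrasts the old interactive username/password sign-in with app-only, certificate-based authentication to Exchange Online and Microsoft Graph. The tenant domain, application (client) ID and certificate thumbprint are placeholders you must supply from your own app registration.

```powershell
# Added example, not Cloudiway's code. Replaces a password-based sign-in with
# app-only, certificate-based authentication so unattended jobs keep working
# once MFA is enforced. All identifiers passed in are placeholders.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Authentication

# --- Before (breaks under MFA enforcement): a background task with a password -------
# $cred = Get-Credential -UserName 'svc-migration@contoso.example'   # placeholder account
# Connect-ExchangeOnline -Credential $cred
# Once MFA is enforced the password alone cannot complete sign-in, and a scheduled
# task has nobody available to answer the second factor.

# --- After: Entra ID application + certificate (no user, no password, no MFA prompt) --
function Connect-MigrationServices {
    param(
        [Parameter(Mandatory)] [string] $Organization,          # e.g. 'contoso.onmicrosoft.com' (placeholder)
        [Parameter(Mandatory)] [string] $AppId,                 # application (client) ID of the app registration
        [Parameter(Mandatory)] [string] $CertificateThumbprint  # cert whose public key is uploaded to that app
    )

    # Resolve the certificate from the current user's store and fail early with a
    # clear message instead of letting the connection error out later.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
    if (-not $cert) {
        throw "Certificate $CertificateThumbprint not found in Cert:\CurrentUser\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $CertificateThumbprint has no private key; it cannot sign the client assertion."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); rotate it before the job starts failing."
    }

    # Exchange Online PowerShell, app-only. The app registration needs the
    # Exchange.ManageAsApp application permission plus an Exchange admin role assignment.
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization -ShowBanner:$false

    # Microsoft Graph with the same app and certificate. Only *application* permissions
    # granted to the app are usable here; operations that exist solely as delegated
    # permissions (the private-channel and device-owner cases above) will fail.
    Connect-MgGraph -ClientId $AppId -TenantId $Organization `
        -CertificateThumbprint $CertificateThumbprint -NoWelcome

    # Confirm the session is an application context, not a user (delegated) context.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only Graph context, got '$($ctx.AuthType)'."
    }
    return $ctx
}
```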
Current Limitations
Currently, there are a few identified limitations that are not yet addressed. This means that once MFA is enforced, the following features will be broken until Microsoft provides a solution.
- Teams Migration: Private channel migration requires Graph API calls with delegated tokens (that is, an interactive MFA sign-in). Migration of private channels is currently not possible in tenants with MFA enforced.
- Device Migration: Devices are joined to the target tenant using a provisioning package. Once joined, the owner is by default the identity associated with the provisioning package. The API used to modify the owner of the device in the Intune device list only supports delegated mode; application mode is not yet available in the Graph API. Changing the owner of the device is currently not possible in tenants with MFA enforced.
Conclusion
The Cloudiway migration platform is now 99% ready for the enforcement of MFA. Cloudiway is monitoring changes in the Graph APIs and will address the above limitations as soon as Microsoft provides a solution for these issues.
In the meantime, MFA can still be disabled for migration accounts, and Microsoft will probably allow one or two additional years before enforcing MFA for all accounts. This should give Microsoft enough time to provide programmatic solutions for the remaining issues.