Microsoft has given administrators additional flexibility in managing Windows updates and clarified what it meant by stating: “Microsoft will require MFA for all Azure users.”
The change to the Windows Update for Business deployment service is due to reach general availability by May 24. It allows feature updates to be offered as optional rather than force-installed.
Previously, feature updates were offered to organizations as required updates. IT admins could set a rollout schedule or set deferrals, but the updates – and a restart – would be forced on users after a few days.
It’s a small thing, but it will make the lives of administrators tasked with managing a fleet of Windows devices easier. Administrators can now offer feature updates as optional, enabling users to choose when to install the update. When it’s time to mandate the deployment, the administrator simply needs to make the update required.
The change coincides with Microsoft clarifying what it meant when it said that MFA would be necessary for all Azure users.
The company set alarm bells ringing among administrators with a May 14 post in which it warned that multi-factor authentication (MFA) would be a requirement for Azure tenants, and would start rolling out from July.
Tightening up security is no bad thing, and Microsoft is to be applauded for its action. However, its implementation and communication left something to be desired as customers filled the feedback forums with alarm. How would service accounts work? What about specific use cases, such as places – like schools – where phones weren’t permitted?
Directions on Microsoft analyst Mary Jo Foley noted an update from Microsoft hidden among the furor that clarified things a bit.
Naj Shahid, an Azure Principal Project Manager, waded into the comments in an attempt to explain how it was all going to work. First, the scope includes users signing into the Azure portal, CLI, PowerShell, or Terraform to administer Azure resources. Second, service principals, managed identities, workload identities, and similar token-based accounts used for automation are excluded.
Shahid said: “Microsoft is still gathering customer input for certain scenarios such as break-glass accounts and other special recovery processes.”
Any supported MFA method can be used, although Shahid warned that opting out would not be possible. An exception process will be available for cases where no other workaround is possible.
While the rollout of the enforcement will be gradual, Shahid emphasized the importance of making the move, saying: “Don’t wait to set up MFA.”
Assuming, of course, that you can. ®