Google to enforce Multi-Factor Authentication (MFA) for all users starting in 2025 on their Cloud platform.
In a significant move towards enhancing cybersecurity, Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) are set to require multifactor authentication (MFA) for all users by the end of 2025. This shift, aimed at strengthening the security of cloud services, follows regulatory mandates such as the PCI DSS 4.0.1 universal MFA requirement.
Google Cloud will begin encouraging users to enrol in MFA this month, with a firm mandate for all users by early 2025. By this time, Microsoft Azure will have already implemented MFA for accounts signing into the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center when performing any Create, Read, Update, or Delete (CRUD) operation. This rollout will be extended to the Microsoft 365 admin center in February 2025.
Microsoft's MFA requirement will continue to expand, with enforcement for accounts signing into Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure as Code (IaC) tools, and REST API endpoints performing Create, Update, or Delete operations beginning on September 1, 2025. Organisations facing complexity or technical barriers may request a postponement until July 1, 2026.
AWS, on the other hand, does not have a publicly stated universal MFA mandate date. However, users in regulated industries, such as the financial sector, will need to comply with industry regulations like APRA CPS 230 effective July 1, 2025, which require operational risk controls that often include multifactor authentication.
Google Cloud customers handling PCI-relevant data must comply with MFA universally by March 31, 2025, due to the PCI DSS 4.0.1 mandate.
The MFA rollout will occur in phases through the end of 2025, with all three providers endorsing the Cybersecurity and Infrastructure Security Agency's efforts to shift security responsibility from customers to vendors. This collective access policy change across major cloud providers will make it mandatory for all users who federate authentication into Google Cloud via identity providers.
It's worth noting that more than 70% of Google accounts used by regular product users already use MFA. Microsoft started requiring MFA for all Azure sign-ins in October, with plans to phase in MFA at sign-in for additional services in early 2025. AWS initiated a phased rollout of MFA for all users in June this year, following the mandate for most-privileged users earlier in the year.
This shift towards MFA mandates is part of a broader trend towards increased cybersecurity measures across the cloud industry. As cyber threats continue to evolve, it's essential for organisations to stay vigilant and ensure their cloud infrastructure is secure. Organisations should carefully review their cloud usage in the context of these timelines and prepare MFA implementations accordingly.
- Google Cloud is encouraging users to enrol in multifactor authentication (MFA) this month, with a firm mandate for all users by early 2025, aligning with cybersecurity efforts aimed at strengthening data-and-cloud-computing security.
- Microsoft Azure is currently implementing MFA for accounts signing into various admin centers and performing Create, Read, Update, or Delete operations, expanding to Azure CLI, PowerShell, mobile app, and other endpoints by September 1, 2025, as part of a commitment to cybersecurity technology.
- Organisations in regulated industries, such as the financial sector, will need to comply with multifactor authentication (MFA) requirements imposed by industry regulations like APRA CPS 230, even though AWS does not have a publicly stated universal MFA mandate date, emphasizing the importance of education-and-self-development for personal-growth in this evolving cybersecurity landscape.
%20for%20all%20users%20starting%20in%202025%20on%20their%20Cloud%20platform.){kind=link}