Microsoft gives Windows admins a break and MFA a boost – The Register

Microsoft has given administrators additional flexibility in managing Windows updates, and clarified what it meant when it said: “Microsoft will require MFA for all Azure users.”

The change to the Windows Update for Business Deployment Service is expected to reach general availability by May 24. It allows feature updates to be offered as optional rather than being force-installed.

Previously, feature updates were offered to organizations as required updates. IT admins could set a deployment schedule or set deferrals, but updates – and a reboot – would be forced on users after a few days.

It’s a small thing, but it will make life easier for administrators tasked with managing a fleet of Windows devices. Administrators can now offer feature updates as optional, allowing users to choose when to install them. When it’s time to force the deployment, the administrator simply needs to make the update required.

This change coincides with Microsoft clarifying what it meant when it stated that MFA would be required for all Azure users.

The company raised alarm bells among admins with a May 14 post in which it warned that multi-factor authentication (MFA) would be a requirement for Azure tenants and would begin rolling out starting in July.

Strengthening security is not a bad thing and Microsoft deserves to be applauded for its action. However, its implementation and communication left something to be desired as customers filled comment forums with concern. How would service accounts work? What about specific use cases, such as places – like schools – where phones weren’t allowed?

Directions’ Microsoft analyst Mary Jo Foley noted a Microsoft update hidden among the furor that clarified things a bit.

Azure Senior Project Manager Naj Shahid took to the comments to try to explain how this was all going to work. First, the scope includes users who sign in to the Azure portal, CLI, PowerShell, or Terraform to administer Azure resources. Second, service principals, managed identities, workload identities, and similar token-based accounts used for automation are excluded.

Shahid said: “Microsoft continues to collect customer feedback for certain scenarios such as broken accounts and other special recovery processes.”

Any supported MFA method can be used, although Shahid cautioned that it would not be possible to opt out. An exception process will be available for cases where no other workaround is possible.

Although enforcement will roll out gradually, Shahid stressed the importance of taking action, saying: “Don’t wait to implement the MFA.”

Assuming, of course, that you can. ®
