Microsoft has announced that it will begin enforcing multi-factor authentication (MFA) for all users signing in to the Microsoft 365 admin center, a move aimed at strengthening security and reducing the risk of account compromise. According to the announcement, the new requirement will take effect on February 9, 2026, and will apply to all tenants accessing Microsoft 365 administrative portals.

Once enforcement begins, administrators who do not have MFA enabled on their accounts will be blocked from signing in to Microsoft 365 admin center endpoints. These include commonly used URLs such as admin.microsoft.com, admin.cloud.microsoft, and portal.office.com/adminportal/home. Microsoft says this change is designed to ensure that privileged access to organizational settings, user management, and licensing is protected by more than just a password.

MFA adds an additional verification step during sign-in, typically requiring users to confirm their identity using a mobile authenticator app, a one-time SMS or voice code, or a hardware security key. Microsoft notes that MFA is one of the most effective defenses against credential-based attacks, significantly reducing the likelihood of successful phishing and password-spraying campaigns.

The company is urging organizations to prepare in advance to avoid administrative lockouts or service disruptions. Administrators who attempt to access the Microsoft 365 admin center without MFA after the enforcement date may find themselves unable to perform essential IT tasks, such as managing users, configuring security settings, or handling billing and subscriptions. To prevent this, Microsoft recommends that all admin accounts have at least one MFA method configured well before February 2026.

This move is part of Microsoft’s broader security strategy to make MFA mandatory across critical cloud services. The company has already enforced MFA for Azure portal access across all tenants, and in recent years has expanded these requirements to cover Azure command-line tools, PowerShell, SDKs, and APIs. By extending similar protections to the Microsoft 365 admin center, Microsoft aims to close one of the remaining high-value attack surfaces frequently targeted by threat actors.

Organizations can enable MFA using Microsoft’s built-in security features, such as Security Defaults or Conditional Access policies in Microsoft Entra ID. Admins who have not yet registered MFA methods will be prompted to do so during sign-in once enforcement begins, but Microsoft strongly advises completing enrollment proactively rather than waiting until access is blocked.

Overall, the upcoming enforcement underscores Microsoft’s position that MFA is no longer optional for privileged access. As cyberattacks continue to target cloud administrators, the company is making stronger authentication a baseline requirement to protect customer environments and sensitive organizational data.