Microsoft has made Multi-Factor Authentication (MFA) mandatory for Azure and administrative portals. This article explains how Cloudiway complies with these requirements and identifies specific migration scenarios where MFA exceptions may be necessary due to technical limitations.
Overview
Starting October 2024, Microsoft requires MFA for all users signing into Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Cloudiway adheres to these mandatory MFA requirements by implementing robust authentication methods that align with Microsoft's guidelines.
Microsoft's MFA Requirement
Cloudiway MFA Compliance
Cloudiway uses modern authentication methods including OAuth 2.0 and certificate-based authentication for most migration operations. These methods are fully compatible with MFA-enabled environments and represent best practices for enterprise security.
Security First Approach
Cloudiway prioritizes security and recommends keeping MFA enabled whenever possible. The exceptions listed below are only for specific technical scenarios where MFA cannot be used.
Exceptions by Product
Due to technical constraints in certain APIs and legacy systems, some migration operations may require MFA to be temporarily disabled on specific service accounts. Below are the detailed scenarios organized by product:
Mail Migration
The following mail migration operations may require MFA exceptions:
- PowerShell operations - When Exchange roles lack App authentication support
- Get List and Audit functions - Source tenant operations
- Permission migration - Both source and target tenant operations
- Pre-processing tasks - For shared mailboxes, distribution lists, and Google Groups
File Migration
File migration scenarios requiring MFA exceptions:
- OneDrive list retrieval - Including shared mailbox identification
- Large file downloads - Requires Basic Authentication for files exceeding standard limits
- Target OneDrive creation - Operations using CSOM (Client Side Object Model)
Site Migration
SharePoint and site migration exceptions:
- SharePoint large file downloads - Requires Basic Authentication
- Classic SharePoint webpart migration - Legacy webpart handling
Teams & Collaboration Migration
Collaboration and messaging migration exceptions:
- Slack to Teams migration - Direct messaging operations
- Teams to Teams migration - Cross-tenant chat operations
- Google Spaces to Teams - Messaging migration
- Office user chat operations - Non-API mode message push operations
GALSync Operations
Global Address List synchronization exceptions:
- GALSync pull functions - Retrieving directory information
- GALSync push functions - Writing directory information
- Cross-tenant provisioning - Initial setup and configuration
| Product | Operation | MFA Compatible | Notes |
|---|---|---|---|
| Mail Migration | Standard migration | Yes | Uses OAuth 2.0 |
| Mail Migration | PowerShell operations | Conditional | Depends on Exchange role configuration |
| File Migration | Standard file transfer | Yes | Uses Microsoft Graph API |
| File Migration | Large files (>4GB) | No | Requires Basic Auth |
| Teams Migration | Channels & messages | Yes | Uses Teams Import API |
| Teams Migration | 1:1 chat messages | Conditional | Depends on migration mode |
Recommendations
To ensure a secure and successful migration while complying with MFA requirements:
- Use dedicated service accounts - Create separate accounts specifically for migration operations rather than using personal admin accounts.
- Apply Conditional Access policies - Configure policies to allow MFA exceptions only from Cloudiway's IP ranges and only during the migration window.
- Enable MFA post-migration - Re-enable MFA on service accounts immediately after the migration is complete.
- Monitor audit logs - Keep track of all authentication activities on migration accounts.
- Use certificate-based authentication - Where possible, use EntraID applications with certificates instead of username/password credentials.