Microsoft is leveling up account security. 🔐 Now, Microsoft requires MFA for credential management activities, such as password changes. This is an added layer of protection for sensitive actions.

What is the Impact of this Change?

Previously, users only had to authenticate when signing into Microsoft 365. Now, Microsoft requires MFA whenever users:

  • Manage their credentials on the My Sign-ins page.
  • Access the My Sign-ins portal to review recent activity.

This update requires users to complete multi-factor authentication if they haven’t authenticated within the last 10 minutes of their current session.

[Image: MFA for Password Changes]
[Image: MFA for My Sign-ins Page]

When is the Change?

📅 The rollout started on Aug 15, 2025, but Microsoft states that action is required by Sep 15. The timeline is a bit confusing, but either way admins should act now to prepare users to handle MFA prompts for password changes or any other credential management activities.

Why Does it Matter?

Microsoft’s goal is clear: protect critical account operations with stronger safeguards. Requiring MFA for credential management helps reduce the chance of compromise. However, the extra prompts can also lead to MFA fatigue attacks, where users carelessly approve repeated prompts.

To stay ahead, admins should inform users and prepare them for this update. Additionally, they should enable stronger MFA methods such as number matching or phishing-resistant MFA options, and train users to recognize and reject suspicious prompts.