
March 09, 2025
Microsoft Azure goes ‘Secure by Default’ – Are you ready?
Microsoft Azure is making a major change to its security policy: starting Sept. 30, 2025, Azure is switching to a “secure by default” approach. This means that new virtual machines (VMs) will no longer receive outbound Internet access by default. In addition, some outdated authentication methods are disappearing, including legacy Multi-Factor Authentication (MFA) and the old Self-Service Password Reset (SSPR) policy.
What does this mean for organizations and IT administrators? Time to prepare! 🚀
What exactly is changing?
Microsoft Azure introduces a number of important security changes:
✅ No default outbound Internet access for new VMs
- New virtual machines (VMs) will no longer have automatic outbound Internet connections. This makes it more difficult for attackers to compromise systems over insecure connections.
✅ End of legacy MFA methods 📵
- Microsoft discontinues outdated MFA methods such as SMS and phone-based authentication¹.
- Users are encouraged to move to modern MFA solutions², such as:
  - Microsoft Authenticator app 📲
  - FIDO2 security keys 🔑
  - Windows Hello for Business 🖥️
✅ Self-Service Password Reset (SSPR) policy change
- The old SSPR policies are being phased out and must be migrated to the new Microsoft Entra ID³ converged authentication policy.
What does this mean for your organization?
🔹 Stronger security – By not allowing Internet access by default and removing outdated MFA methods, Azure becomes more secure.
🔹 Action required – Organizations need to review and adjust their VM settings and authentication policies.
🔹 Preventing operational disruptions – If your systems rely on outbound Internet access or legacy MFA, it’s smart to review them in a timely manner.
How do you prepare?
🛠️ 1. Check your VM configurations
- Do your existing VMs need outbound Internet access? Then you should consider alternative solutions such as Azure Firewall or NAT Gateway.
🔑 2. Update your MFA settings
- Make sure all users switch from SMS/phone MFA to modern authentication methods such as the Microsoft Authenticator app or FIDO2 keys.
🔄 3. Migrate your SSPR policies
- Check your Self-Service Password Reset settings and migrate them to Microsoft Entra ID’s new authentication policy.
📢 4. Inform your team
- Make sure employees and administrators are aware of these changes and switch to the new security standards in time.
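For step 1, the check can be scripted. The sketch below is an added example, not code from Microsoft or from this blog: it classifies subnets by whether they have an explicit outbound path (NAT Gateway, or a default route to a firewall or other appliance) or may still lean on default outbound access. The sample data is constructed, and the field names are assumed to match the JSON that `az network vnet subnet list` and `az network route-table list` return.

```python
import json

# Constructed sample data, shaped like the JSON that `az network vnet subnet list`
# and `az network route-table list` return (names and IDs are made up).
SUBNETS = json.loads("""[
  {"name": "app",  "natGateway": {"id": "/natGateways/ngw1"}, "routeTable": null},
  {"name": "db",   "natGateway": null, "routeTable": {"id": "/routeTables/rt-fw"}},
  {"name": "jump", "natGateway": null, "routeTable": {"id": "/routeTables/rt-local"}},
  {"name": "lab",  "natGateway": null, "routeTable": null, "defaultOutboundAccess": false},
  {"name": "old",  "natGateway": null, "routeTable": null}
]""")
ROUTE_TABLES = json.loads("""[
  {"id": "/routeTables/rt-fw", "routes": [
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance"}]},
  {"id": "/routeTables/rt-local", "routes": [
    {"addressPrefix": "10.1.0.0/16", "nextHopType": "VirtualAppliance"}]}
]""")


def forces_default_route(table):
    """True if the table sends 0.0.0.0/0 to a firewall or other appliance."""
    return any(r.get("addressPrefix") == "0.0.0.0/0"
               and r.get("nextHopType") == "VirtualAppliance"
               for r in table.get("routes", []))


def classify(subnet, tables_by_id):
    """Return how a subnet reaches the Internet, judged from subnet-level config only."""
    if subnet.get("natGateway"):
        return "explicit: NAT gateway"
    rt = subnet.get("routeTable")
    # Azure resource IDs are case-insensitive, so compare them lower-cased.
    if rt and forces_default_route(tables_by_id.get(rt["id"].lower(), {})):
        return "explicit: default route to appliance"
    if subnet.get("defaultOutboundAccess") is False:
        return "private: no default outbound"
    # Public IPs on NICs and load balancer outbound rules are not visible here.
    return "review: may rely on default outbound access"


def audit(subnets, route_tables):
    """Map each subnet name to its outbound classification."""
    tables = {t["id"].lower(): t for t in route_tables}
    return {s["name"]: classify(s, tables) for s in subnets}


if __name__ == "__main__":
    for name, verdict in audit(SUBNETS, ROUTE_TABLES).items():
        print(f"{name:5} {verdict}")
```

A subnet marked "review" is not necessarily broken: its VMs may have instance-level public IPs or sit behind a load balancer with outbound rules, which this subnet-level check does not inspect.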
Last chance: Switch in time!
With this, Microsoft is taking a big step toward a more secure cloud environment. These changes could impact your existing infrastructure, so don’t wait too long to prepare. Sept. 30, 2025 seems far away, but a smooth transition requires time and planning.
Are you already prepared?
References
²https://alta-ict.nl/blog/mfa-in-microsoft-365-welke-methode-kies-jij/
³https://learn.microsoft.com/entra/identity/authentication/tutorial-enable-sspr
About the author
My name is Alta Martes, a specialist in Microsoft 365 and Google Workspace, with a focus on modern workplace management, cloud security and identity & access management. With years of experience, I help organizations optimize their IT infrastructure and create a secure, efficient digital workplace.