TABLE OF CONTENTS
- Why MFA matters?
- What is MFA Audit?
- What makes a user protected with MFA?
- MFA tenant configurations
- Tenants Configuration table
- Users Configuration table
- What to do when a user is not protected?
- Notes
Why MFA matters?
MFA adds an additional layer of security beyond just a username and password. Even if an attacker manages to obtain the password, they would still need the second factor to gain access. With the rise of phishing attacks and other methods of stealing credentials, MFA helps prevent unauthorized access. It significantly reduces the risk that a compromised password will lead to a security breach.
What is MFA Audit?
In Office Protect, we added a new tool that helps you get an overview of all your MFA configurations and potential MFA issues among your tenants and users.
From MFA Audit, you can:
- Quickly identify MFA configuration gaps across your tenants.
- Detect registration issues with MFA authentication methods.
- Gain comprehensive insights into the MFA protections currently in place and generate a PDF report.
Note: If your organization uses a third-party MFA solution, the MFA Audit feature will not be able to detect or reflect your users' MFA status. This feature only audits MFA configurations managed directly within Microsoft 365.
What makes a user protected with MFA?
For a user to be protected with MFA, they must be covered by an MFA policy (enabled on the tenant), AND have registered with a valid authentication method that supports MFA:
- Microsoft Authenticator,
- FIDO2,
- Windows Hello for Business,
- Hardware/Software Token,
- Certificate,
- Temporary Access Pass,
- Phone (Voice, SMS) - Weak MFA authentication method,
- Email - Weak MFA authentication method.
MFA tenant configurations
The following configurations can be used to enable MFA on a tenant:
- Security Defaults:
- Available to all tenants.
- Not granular.
- Not compatible with Conditional Access Policies.
- Conditional Access Policies:
- Available to Microsoft Business Premium licenses.
- Very granular: a conditional access policy can be applied to specific users and/or to specific conditions (IP, network, applications, user risk, sign-in risk, device,…). In this tool, we will call "Partial MFA CAP" conditional access policies applying in specific conditions, and "MFA CAP" conditional access policies applying in all conditions.
- Not compatible with Security Defaults.
- Per-User MFA (not recommended):
- Available to all tenants.
- Granular at a user-level.
- Compatible with both Security Defaults and Conditional Access Policies (not recommended).
- This solution is being decommissioned by Microsoft. The end of Per-User MFA is planned for 2025; Microsoft has given no further details.
Tenants Configuration table
This table lists all of your tenants, their MFA configuration(s) and some KPIs:
Configuration:
- Full coverage - Policy covering everyone, in all conditions. If either of these two policies is enabled, Partial MFA CAP and Per-User MFA will not be reflected.
- Security Defaults
- MFA CAP: MFA Conditional Access Policy covering everyone in all conditions
- Partial coverage - Policy partially covering your users, or per-user MFA:
- Partial MFA CAP
- Per-User MFA
- No coverage - No Configuration
KPIs: each KPI is clickable and filters the Users Configuration table accordingly.
- Total Users: number of active users in the tenant
- Not Covered by Policy: number of active users not covered by any MFA policy
- Not registered: number of active users not registered on any valid MFA authentication method
- Partially covered by policy: number of active users covered by a partial MFA policy (MFA CAP covering them in specific conditions)
Users Configuration table
This table reflects the list of active users in the tenant, MFA configuration(s) covering them and valid MFA authentication methods registered.
Admin Role:
- Privileged Admin
- Admin
List of privileged admin and admin roles
MFA Conclusion:
- Protected - User is both registered on a valid MFA authentication method and covered by a full coverage MFA policy
- Not protected - User is not registered on a valid MFA authentication method and/or not covered by an MFA policy
- Partially protected - User is registered on a valid MFA authentication method but covered with a partial MFA conditional access policy (applying in specific conditions)
MFA Configuration: list of MFA policies covering the user. Partial MFA Conditional Access Policies are flagged with an orange pictogram that provides you with the Conditional Access Policies' details.
MFA Authentication methods: list of valid MFA authentication methods registered on the user's account.
Last sign-in data:
- Last Sign-in Date: User's last sign-in date. This data gets more accurate with M365 Business Premium licenses.
- Last Sign-In Requirement: Only with M365 Business Premium licenses. Reflects the type of authentication that was required at the user's last sign-in.
- Last Sign-In Details: Only with M365 Business Premium licenses. More details on the last authentication.
- Last Sign-In Interpretation: Only with M365 Business Premium licenses. Reflects whether the last sign-in was successful.
What to do when a user is not protected?
If a user is not protected because of their MFA configuration:
- Go to the tenant's Set section and enable the Enable Multifactor Authentication (MFA) setting:
- Via Security Defaults
- Via Conditional Access Policy when available
- Or go to your Entra ID portal and enable Security Defaults, create a custom MFA Conditional Access Policy, or enable Per-User MFA on the user (not recommended).
If a user is not protected because they did not register on any valid MFA authentication method:
- Review your allowed MFA authentication methods in your Entra ID portal (Protection tab)
- Make your users aware of the importance of MFA and ask them to register for an MFA method. They can do so from their Microsoft user profile.
Notes:
- Security Defaults allows a 14-day grace period during which users can snooze their registration.
- Microsoft provides email templates you can use to send registration reminders to your users.
- The Office Protect team is actively working on a feature that will allow you to send registration reminder email campaigns.
Notes
- The data reflected in this dashboard is refreshed every 7 days, and when you access the MFA Audit section. A refresh can take up to a few hours on large tenants. You can manually refresh a user's data from the Users Configuration table.
- If, for any reason, Office Protect cannot fetch the data of one of your tenants or users, an error banner will be displayed.