Forum Discussion
Per-User MFA State Added to Tenant Passwords and MFA Report
A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about password changes, MFA authentication methods, and so on.
6 Replies
- f61361217 Copper Contributor
The "Per-User MFA State Added to Tenant Passwords and MFA Report" update refers to the addition of detailed per-user multi-factor authentication (MFA) status to a tenant-level report in cloud or enterprise security systems. This allows administrators to view and manage individual MFA settings for users within an organization. The report helps track compliance, identify users without MFA enabled, and enhance overall security. It’s a valuable tool for ensuring that MFA is properly enforced across all user accounts, improving security posture.
- KingsleyU Brass Contributor
The MFA state of a user's account has always been available in the User Registration Details under Monitoring in Authentication Method, except that it requires the Entra ID plan 2 license.
Is the new inclusion, in Microsoft Graph SDK, available for Entra ID plan 1 subscription too?
Thanks.
KingsleyU You can have as many authentication methods registered as you like, but that only tells you that an account is prepared to use MFA. It does not tell you that the account uses MFA, which is why the report script uses the interactive sign-in log to verify when accounts last completed a successful MFA connection. Also, the registration methods are available using the Get-MgBetaReportAuthenticationMethodUserRegistrationDetail cmdlet, so you don't need to go near the Entra admin center to fetch this information.
The new Graph information is available as a property of user accounts. It isn't tied to any Entra ID license.
- KingsleyU Brass Contributor
Thanks for the information.
Typically, when a user account has been enrolled for MFA, it is only optional for the next 14 days, after which it becomes mandatory.
Hence, the attribute easily provides granular detail of the user account's MFA state; otherwise, the sign-in report should provide information on whether or not the user's account was signed in with MFA and when it was last authenticated.
Thanks.
- mickhence Copper Contributor
The Per-User MFA State has been added to the Tenant Passwords and MFA Report, providing detailed information on each user's MFA status within the tenant. This enhancement allows for better tracking and management of MFA implementations across users.
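
The distinction made in the reply to KingsleyU above (registered methods show an account is prepared for MFA, the sign-in log shows it actually uses MFA), as an added PowerShell example that is not part of the thread or of the report script. The account records, property names, function name and 30-day window are constructed assumptions; in a tenant the three inputs would come from the per-user MFA state on the account, the registration details report and the interactive sign-in log.

```powershell
# Constructed sample records (not real tenant data). PerUserMfaState uses the three
# values named in the post: disabled, enabled, enforced.
$Accounts = @(
    [pscustomobject]@{ Upn = 'ann@contoso.example'; PerUserMfaState = 'enforced'
        MethodsRegistered = @('microsoftAuthenticatorPush'); LastMfaSignIn = [datetime]'2025-01-29' }
    [pscustomobject]@{ Upn = 'bob@contoso.example'; PerUserMfaState = 'disabled'
        MethodsRegistered = @('mobilePhone'); LastMfaSignIn = $null }
    [pscustomobject]@{ Upn = 'cat@contoso.example'; PerUserMfaState = 'enabled'
        MethodsRegistered = @(); LastMfaSignIn = $null }
    [pscustomobject]@{ Upn = 'dan@contoso.example'; PerUserMfaState = 'disabled'
        MethodsRegistered = @('microsoftAuthenticatorPush'); LastMfaSignIn = [datetime]'2024-10-02' }
)

function Get-MfaPosture {
    # Hypothetical helper: combines per-user state, registration and sign-in evidence.
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [datetime] $AsOf = (Get-Date),
        [int] $MaxAgeDays = 30      # assumed freshness window for "uses MFA"
    )
    foreach ($a in $Account) {
        $registered = @($a.MethodsRegistered).Count -gt 0
        $everUsed   = $null -ne $a.LastMfaSignIn
        # Only compute the age when a sign-in exists, to avoid subtracting $null.
        $recent     = $everUsed -and (($AsOf - $a.LastMfaSignIn).TotalDays -le $MaxAgeDays)

        $finding = if (-not $registered)  { 'No method registered' }
                   elseif (-not $everUsed) { 'Registered, no MFA sign-in recorded' }
                   elseif (-not $recent)   { 'Registered, last MFA sign-in is stale' }
                   else                    { 'Uses MFA' }

        [pscustomobject]@{
            Upn             = $a.Upn
            PerUserMfaState = $a.PerUserMfaState
            Registered      = $registered
            LastMfaSignIn   = $a.LastMfaSignIn
            Finding         = $finding
        }
    }
}

# Fixed "as of" date so the constructed sample gives the same result on every run.
Get-MfaPosture -Account $Accounts -AsOf ([datetime]'2025-01-31') |
    Sort-Object Finding | Format-Table -AutoSize
```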