Forum Discussion

MVP

Jun 14, 2024

Per-User MFA State Added to Tenant Passwords and MFA Report

A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now ...

Azure AD

powershell

KingsleyU

Brass Contributor

Jun 14, 2024

TonyRedmond

The MFA state of a user's account has always been available in the User Registration Details under Monitoring in Authentication Method, except that it requires the Entra ID plan 2 license.

Is the new inclusion, in Microsoft Graph SDK, available for Entra ID plan 1 subscription too?

Thanks.

TonyRedmond

MVP

Jun 14, 2024

KingsleyU You can have as many authentication methods registered as you like, but that only tells you that an account is prepared to use MFA. It does not tell you that the account uses MFA, which is why the report script uses the interactive sign-in log to verify when accounts last completed a successful MFA connection. Also, the registration methods are available using the

Get-MgBetaReportAuthenticationMethodUserRegistrationDetail cmdlet, so you don't need to go near the Entra admin center to fetch this information.

The new Graph information is available as a property of user accounts. It isn't tied to any Entra ID license.

KingsleyU
Brass Contributor
Jun 18, 2024
TonyRedmond
Thanks for the information.
Typically when a user account has been enrolled for MFA, it is only optional for the next 14 days after when it becomes mandatory.
Hence, the attribute provides a granular detail of the user account's MFA state, easily, otherwise, the sign-in report should provide information whether or not the user's account was signed in with MFA and when it was last authenticated.

Thanks.
- TonyRedmond
  MVP
  Jun 18, 2024
  That's why the report uses sign-in data to say when users last signed in successfully using an MFA method...