Forum Discussion

TonyRedmond's avatar
TonyRedmond
MVP
Jun 14, 2024

Per-User MFA State Added to Tenant Passwords and MFA Report

A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now ...
Azure AD
powershell
TonyRedmond's avatar
TonyRedmond
MVP
Jun 14, 2024

KingsleyU You can have as many authentication methods registered as you like, but that only tells you that an account is prepared to use MFA. It does not tell you that the account uses MFA, which is why the report script uses the interactive sign-in log to verify when accounts last completed a successful MFA connection. Also, the registration methods are available using the 

Get-MgBetaReportAuthenticationMethodUserRegistrationDetail cmdlet, so you don't need to go near the Entra admin center to fetch this information.
 
The new Graph information is available as a property of user accounts. It isn't tied to any Entra ID license.

 

KingsleyU's avatar
KingsleyU
Brass Contributor
Jun 18, 2024

TonyRedmond 

Thanks for the information.

Typically when a user account has been enrolled for MFA, it is only optional for the next 14 days after when it becomes mandatory.

Hence, the attribute provides a granular detail of the user account's MFA state, easily, otherwise, the sign-in report should provide information whether or not the user's account was signed in with MFA and when it was last authenticated.

 

Thanks.

  • TonyRedmond's avatar
    TonyRedmond
    MVP
    Jun 18, 2024
    That's why the report uses sign-in data to say when users last signed in successfully using an MFA method...