MFA using Conditional Access Policy

Thank you, VasilMichev.

Yes, communication is key for implementing additional security, such as MFA.

Informing users to access aka.ms/proofup is a good option to enforce MFA registration. I gave it a try and will consider it as an option for our MFA roll out.

Going back to our company scenario, where MFA will be rolled out using Conditional Access (CA) policy based on TrustedIPs, I think I found a way to determine if a user setup MFA or not. The results are based on the tests I did with accounts that I enabled for MFA manually and ones that setup MFA via CA policy. It is by no means perfect. Monitoring if accounts applied MFA via CA policy will be a challenge, until Microsoft provides the tools to do so. What I did:

1. When a user's MFA account properties are manually changed from Disable, to Enable and then Enforced, the MFA state shows "Enforced" when I use this PS command:

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | select UserPrincipalName,@{N='MFA State';E={($_.StrongAuthenticationRequirements.State)}}

Sample Output:

UserPrincipalName       MFAState

Test1                             Enforced

2. But when I an account uses the MFA Conditional Access (CA) Policy to setup MFA, and I run the same command, the results show the following:

UserPrincipalName       MFAState

Test1                             Enforced

Test2

MFA Status is blank in PS, and shows still as disabled in the Azure MFA user admin.

3.To really verify that Test2 enforced MFA via CA policy, I wanted to disable MFA on Test2 and then have it setup MFA via CA policy again. How do I disable MFA on Test2 is Azure AD MFA shows its MFA as disabled and PS shows its MFA status as blank?

Using the MFA admin portal, for Test2, I checked the  "Require selected users to provide contact methods again" and the "Delete existing app passwords" for the user's MFA settings resets MFA for the user.

After resetting these MFA settings for the user, I ran the PS command I used before and Test2 is no longer in the list of users that have MFA enforced. So MFA has been reset.

4. Applying the MFA CA policy on Test2, I configured Test2's MFA. Now when I ran the MFA PS command above, it shows in the list, but no MFA status. But it shows that MFA has been enforced - and it is very likely because of the CA policy applied on Test2.

To double-check, I looked up the MFA status of Test2 in Azure AD Sign ins, it showed that MFA sign-in was successful, MFA was required and enforced on this account.

Running these tests, it appears that if MFA is applied using CA policy, the user MFA state changes to "Enforced" even if the PS command does not show the MFA status of the user.

Moving forward, I think I will use that MFA PS command and run it as a scheduled task that gives me a report, let's say every hour. The user account names that are in that list tells me who actually setup MFA for their accounts via CA policy (even though the MFA status does not show as enforced in the PS command).

I can double-check the names in that list and the results in "Azure AD - Sign-ins - user (type in userID)". The results include columns for Sign-in Status, MFA Required, MFA Result. The "MFA Required" shows "Yes", "MFA Result" should show "MFA Requirement satisfied by claim in the token".

Not the method of confirmation that I am hoping to use to check if users setup MFA using the CA policy, but something to have until Microsoft provides better tools to manage and report on MFA as applied with CA policy.

I hope this helps other admins faced with determining if MFA was applied via CA policy on user accounts.