Forum Discussion
secure score not improving: ensure all users can complete MFA
jfinNZ Hello, I believe you're correct. The complete list contains statuses disabled, enabled and enforced. For example, "You have 13 out of 25 users with administrative roles registered and protected with MFA." The 13 are enforced and the rest either enabled or disabled.
"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."
Azure Multi-Factor Authentication user states
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-multi-factor-authentication-user-states
- jfinNZ, Jun 11, 2020, Copper Contributor
I think I can articulate the issue... (proceeds to re-write his post several times over the course of the day)
The MFA secure score items appear to be looking at the MFA state of sign-on allowed users.
The recommended conditional access policy may block sign-ons where MFA isn't enabled, or prompt the users to register for MFA, but the conditional access policy doesn't directly affect the score.
"Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. "
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Only manually setting all of the user accounts to MFA "enforced" would DIRECTLY improve this score item?? ... (but the above link warns that is not good practice).
If you have a significant number of shared mailboxes or other user accounts that never complete the MFA process, you will never get the significant score improvement from setting the conditional access policy.
A workaround is to set all of those unused accounts or shared mailboxes to "block sign-in" and then they won't count against the score. See https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide
Recommended solution for the secure score: Grant full points if the recommended conditional access policy is set, otherwise grant points proportional to the % of MFA enabled users.
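The "block sign-in" workaround from the post above, as an added PowerShell example (not code from the thread or from Microsoft): it lists the user accounts behind shared mailboxes, skips any that must still authenticate themselves (for instance a scanner sending mail through the mailbox), and blocks sign-in on the rest. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules, an administrator with rights to change user accounts, and a hypothetical `$KeepSignIn` exclusion list that you maintain yourself.

```powershell
# Added example, not from the forum thread. Blocks interactive sign-in on the
# Entra ID user objects that back shared mailboxes, so they stop counting as
# "users who have not completed MFA" in Secure Score. Delegated access to the
# mailbox (Full Access / Send As) keeps working after sign-in is blocked.
# Always run once with -DryRun to review the list before changing anything.
param(
    [switch]$DryRun,
    # Hypothetical exclusion list (assumption): UPNs of shared mailboxes that a
    # device or app still signs in to directly (e.g. a multi-function printer
    # sending scans by email). Blocking sign-in on those would break them.
    [string[]]$KeepSignIn = @()
)

# Assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Shared mailboxes are backed by an ordinary user object; that object's
# sign-in state is what the score looks at, not the mailbox itself.
$sharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox `
    -ResultSize Unlimited -Properties ExternalDirectoryObjectId

$accounts = foreach ($mbx in $sharedMailboxes) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Id                = $user.Id
        AccountEnabled    = $user.AccountEnabled
        Excluded          = ($KeepSignIn -contains $user.UserPrincipalName)
    }
}

# Show the full picture first: what is already blocked, what will be skipped.
$accounts | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Only act on accounts that are still enabled and not on the exclusion list.
$toBlock = $accounts | Where-Object { $_.AccountEnabled -and -not $_.Excluded }

foreach ($acct in $toBlock) {
    if ($DryRun) {
        Write-Host "Would block sign-in: $($acct.UserPrincipalName)"
        continue
    }
    # AccountEnabled = $false is the "Block sign-in" toggle in the admin center.
    Update-MgUser -UserId $acct.Id -AccountEnabled:$false
    Write-Host "Blocked sign-in: $($acct.UserPrincipalName)"
}

Write-Host ("{0} shared mailbox account(s) processed, {1} excluded." -f `
    $toBlock.Count, ($accounts | Where-Object Excluded).Count)
```

Run it as `.\Block-SharedMailboxSignIn.ps1 -DryRun -KeepSignIn 'scanner@contoso.example'` (the file name and address are placeholders) and check the table before running without `-DryRun`. The exclusion list is the important part: as the later reply in this thread points out, devices that authenticate to a mailbox to send mail cannot complete MFA and will also stop working if that account's sign-in is blocked, so those accounts need a different control rather than this one.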
- dunxd570, Jun 10, 2025, Copper Contributor
If you have any Multi-function printers that send scans by email, or shared mailboxes accessed via external apps, it is almost certain that they cannot use MFA.
MFA is not the only way to secure accounts like this, but the Identity Security score doesn't allow for anything else. Of course it is a guide, but also a waste of time if there are recommendations that are impossible to follow, which ultimately means many people will end up ignoring all the recommendations.
- ChristianBergstrom, Jun 11, 2020, Silver Contributor
jfinNZ Good input! I actually know that it doesn't change the state, but I thought it only looked at whether the actual registration process is completed or not, if that makes any sense. I have to do some research on this (can't say the Secure Score is within my "comfort zone"!).