Forum Discussion
secure score not improving: ensure all users can complete MFA
I think I can articulate the issue... (proceeds to re-write his post several times over the course of the day)
The MFA Secure Score items appear to be looking at the per-user MFA state of users who are allowed to sign in.
The recommended conditional access policy may block sign-ins where MFA isn't enabled, or prompt the users to register for MFA, but the conditional access policy doesn't directly affect the score.
"Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. "
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
So only manually setting all of the user accounts to MFA "enforced" would DIRECTLY improve this score item?? ... (but the above link warns that this is not good practice).
If you have a significant number of shared mailboxes or other user accounts that never complete the MFA process, you will never get the significant score improvement from setting the conditional access policy.
A workaround is to set all of those unused accounts or shared mailboxes to "block sign-in", and then they won't count against the score. See https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide
Recommended solution for the secure score: Grant full points if the recommended conditional access policy is set, otherwise grant points proportional to the % of MFA enabled users.
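The following PowerShell is an added example illustrating the two points in the post above (it is not code from the thread or from Microsoft's documentation): first, reporting the per-user MFA state that the linked howto-mfa-userstates page describes (the state lives in the StrongAuthenticationRequirements property returned by Get-MsolUser; an empty value means "Disabled"), and second, the workaround of blocking sign-in on the accounts behind shared mailboxes. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that Connect-MsolService and Connect-ExchangeOnline have already been run with an administrator account. The blocking step is run with -WhatIf so you can review which accounts would be affected before removing that switch.

```powershell
# Added example (not from the original post). Assumes you have already run
# Connect-MsolService and Connect-ExchangeOnline as an administrator.

# --- 1. Report per-user MFA state, which is what the post says the score item reads ---
# StrongAuthenticationRequirements holds "Enabled" or "Enforced"; empty means "Disabled".
$users = Get-MsolUser -All | Where-Object { $_.UserType -ne 'Guest' }

$report = foreach ($u in $users) {
    $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
    [PSCustomObject]@{
        UserPrincipalName = $u.UserPrincipalName
        SignInBlocked     = $u.BlockCredential
        MfaState          = if ($req) { $req.State } else { 'Disabled' }
        # Registered methods show whether the user ever completed MFA registration
        MfaMethods        = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
    }
}

# Summary: how many sign-in-allowed users are in each per-user MFA state
$report | Where-Object { -not $_.SignInBlocked } |
    Group-Object MfaState | Select-Object Name, Count

# Accounts that are allowed to sign in but have never registered any MFA method;
# these are the ones the post says keep the score item from improving.
$report | Where-Object { -not $_.SignInBlocked -and [string]::IsNullOrEmpty($_.MfaMethods) } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# --- 2. Workaround from the post: block sign-in on shared-mailbox accounts ---
# Shared mailboxes are accessed via delegated permissions, so their own account
# does not need to sign in directly. Remove -WhatIf once the list looks right.
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
foreach ($mbx in $shared) {
    $acct = Get-MsolUser -UserPrincipalName $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    if ($acct -and -not $acct.BlockCredential) {
        Write-Host "Blocking sign-in for shared mailbox account $($acct.UserPrincipalName)"
        Set-MsolUser -UserPrincipalName $acct.UserPrincipalName -BlockCredential $true -WhatIf
    }
}
```

Two caveats a practitioner would want before running the second half for real: check the "never registered" list for service or automation accounts that do sign in interactively before blocking anything, and remember that blocking a shared mailbox's account only stops direct sign-in with that account, so any process that was authenticating as the mailbox itself (rather than through a delegate) will stop working.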
jfinNZ, good input! I actually know that it doesn't change the state, but I thought it only looked at whether the actual registration process is completed or not, if that makes any sense. I have to do some research on this (can't say the Secure Score is within my "comfort zone"!).