Forum Discussion
Where does "Require MFA for administrative roles" count come from?
- Apr 27, 2020
EvanTse Hello, this sounds really familiar, as it's quite a mess figuring out the Secure score sometimes. You can filter admins from the M365 portal (Users - Active users - Filter), and to view the MFA state of users you can use either the M365 or the Azure portal (in the menus under "Users"). This can also be done with PowerShell, but as a best practice there shouldn't be that many admins to manage, so the portal should suit one's needs.
I believe the count you're seeing is telling you that 18 are "enforced" and 22 accounts are either "enabled" or "disabled".
"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."
News for Secure score
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide#whats-new
Azure MFA user states
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
- EvanTse, Apr 27, 2020, Copper Contributor
Thanks for the reply ChristianBergstrom!
The information you provided is great.
To delve deeper into my question, the recommendation is to use conditional access policies to manage MFA. We have followed the recommended setup and are seeing that some admin accounts are not registered.
I have 2 questions:
- Do conditional access policies update the Azure AD MFA state? (From my testing it does not appear to be the case.)
- I have activated MFA on a global admin account, then went to Azure > Users > MFA and found that the account states MFA is disabled. I then tried to log in with an incognito session, which prompted for MFA.
- Is there a way to see which users do not have MFA set up (assuming that conditional access policies don't actually update the MFA dashboard in Azure)?
- If this is the case, then would the recommendation be to go to the MFA dashboard in Azure and manually set the MFA state to enforced for admin accounts?
- AND if we do this, will there be adverse effects between the Azure enforcement and the conditional access policy?
Apologies for the long reply.
- ChristianBergstrom, Apr 27, 2020, Silver Contributor
EvanTse I highly recommend the MS docs for your questions.
1. Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user.
2. You shouldn't enable or enforce users if you're using Conditional Access policies. As for viewing user status I believe PowerShell is the way to go.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
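An added example (not from this thread or from Microsoft's docs) of the PowerShell route mentioned above: it uses the MSOnline module to list every directory-role member with both the per-user MFA state (which Conditional Access leaves untouched) and the separately tracked registered methods, so admins who have not registered show up even when their state is "Disabled". It assumes the MSOnline module is installed and the signed-in account can read users and roles.

```powershell
# Added example: inventory per-user MFA state and registered methods for directory-role members.
# Assumes: Install-Module MSOnline has been run and the account can read users and role memberships.
Connect-MsolService

$results = foreach ($role in Get-MsolRole) {
    # Walk the members of each directory role (Global Administrator, Exchange Administrator, ...)
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
        if ($member.RoleMemberType -ne 'User') { continue }   # skip groups / service principals
        $user = Get-MsolUser -ObjectId $member.ObjectId

        # Per-user MFA state: no requirement = Disabled; otherwise Enabled or Enforced.
        # A user covered only by a Conditional Access policy stays Disabled here.
        $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                     $user.StrongAuthenticationRequirements[0].State
                 } else { 'Disabled' }

        [pscustomobject]@{
            Role              = $role.Name
            UserPrincipalName = $user.UserPrincipalName
            PerUserMfaState   = $state
            # Registration is independent of the state above: once the user completes the
            # MFA registration flow, methods appear here regardless of Conditional Access.
            RegisteredMethods = ($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
            IsRegistered      = ($user.StrongAuthenticationMethods.Count -gt 0)
        }
    }
}

# Full inventory, then the subset to act on: admins with no registered method at all.
$results | Format-Table Role, UserPrincipalName, PerUserMfaState, RegisteredMethods -AutoSize
$results | Where-Object { -not $_.IsRegistered } | Select-Object Role, UserPrincipalName -Unique
```

The second listing is the one that answers "which admins still need to register"; the PerUserMfaState column only reflects legacy per-user enrollment, so it is expected to read Disabled for accounts protected by Conditional Access alone.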
- EvanTse, Apr 27, 2020, Copper Contributor
ChristianBergstrom Thanks heaps for the extra information!