Apr 23 2024 04:49 AM
Good morning, everybody.
I am responsible for maintaining a SecureScore at a fairly high level in an organization.
The recommended actions include "Verify that MultiFactor Authentication is enabled for all users" and this one concerns me.
For about a year and a half, conditional access has been put in place to ensure that no account is forgotten. It's all working fine.
The problem: the recommended action in the SecureScore reports that only 256 users out of 317 have MFA enabled. As I dig deeper, I realize that among those 317 users, there are the shared boxes, resource calendars (room and equipment), and guest users that are included.
Since 2FA cannot be set up on a resource calendar or on a shared mailbox, how can I make sure that these are not included in the list?
Would it be possible to add a feature to have the ability to exclude certain types of accounts from the Secure Score calculation, or to change the calculation directly?
Apr 23 2024 07:01 AM
Do I understand correctly that you excluded these accounts from the policy? In any case, this would not be the intention. If you have a policy on for all users with no exclusions, this advice should not be given. Be sure to share your MFA policy with us!
Apr 23 2024 07:08 AM - edited Apr 23 2024 07:08 AM
@JosvanderVaart We cannot exclude these accounts from the "secure score checking":
(sorry it's in French)
I have 264 users with 2FA enabled (perfect!) but the 63 left don't have 2FA enabled. These accounts are resource calendars, shared mailboxes, and external users.
The logic would be to exclude the accounts which cannot have 2FA enabled, right?
Apr 23 2024 07:50 AM
I didn't make that policy myself; I'm giving you what I found :)