Feb 27 2018 08:35 AM - last edited on Jan 14 2022 05:26 PM by TechCommunityAP
We are not currently enforcing MFA for all users, but have sent out instructions to allow users to self-enroll in MFA (http://aka.ms/MFASetup). Looking at the status of users who I know have enabled MFA, it still shows Disabled for them in the Multi-Factor Authentication page (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx).
Feb 28 2018 04:53 AM
You can try this MsolService PowerShell query to get users' MFA status:
Get-MsolUser -all | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Feb 28 2018 06:44 AM
Thanks. For whatever reason, when I ran this with -All, it didn't return the MFA Status column. However, if I ran it with a single user or the -EnabledFilter EnabledOnly attribute, it worked.
Unfortunately, this shows the same as the GUI. Users that I didn't specifically 'Enable' for MFA have gone in and set it up. I can see via the Azure portal sign-in activity log that they are in fact using MFA when they log in (if they aren't logging in from a trusted IP), but I can't seem to find a way to display this for all users.
Get-MsolUser -EnabledFilter EnabledOnly | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}
Feb 28 2018 07:05 AM
By those URLs you are letting users configure their authentication methods, but they are not enabling MFA for their accounts. You, as an admin, will have to enable and/or enforce MFA for them.
Feb 28 2018 07:12 AM
I had thought the same thing, but users are being prompted for MFA authentication every time after configuring it (unless connecting via the office/trusted IP), even though their status for MFA is still disabled. For now, I downloaded all of the logins into Excel and can figure out which ones are using MFA based on whether the MFA Required column is set to TRUE in any of their login attempts.
As an admin, I had asked for volunteers to turn on MFA multiple times and didn't get much response. After simply sending out the URL to have them do it themselves, it appears many users took advantage of it.
Feb 28 2018 07:22 AM
Do you have any Conditional Access rule enabled?
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
Feb 28 2018 07:26 AM
No, we just have MFA setup with a couple of trusted IP addresses.
Feb 28 2018 07:47 AM
I've run out of ideas, but for sure you need admin action to require MFA, either enabling it in Office 365/AAD, or in ADFS or a Conditional Access rule.
Feb 28 2018 07:58 AM
Maybe it is a bug, but it works. Try it out. I'd like it better, if it updated the status to Enabled...
Feb 28 2018 08:00 AM
Solution
No, your users are not enabling MFA for themselves by using those URLs. That's a fact. You may have some other configuration going on.
Feb 28 2018 08:32 AM
Looks like you are correct, Pablo.
Although the sign-in logs show that MFA was required for users who went through the MFA setup process, it only says that when either they were in the office location (the MFA description says that the MFA requirement was satisfied by token), or they were elsewhere and set up or used Self-Service Password Reset, which must use the same MFA parameters to sign in / verify their account and/or reset/unblock their account.
I guess I still have to ask users to be put on the MFA list and manually intervene.
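The sign-in log approach described in this thread (export the sign-ins, then look for MFA Required = TRUE per user) over-counts, as the poster later noticed, because a sign-in whose MFA requirement was "satisfied by claim in the token" never challenged the user. The following PowerShell is an added example, not code from the thread: it reads a constructed sign-in export and separates real MFA challenges from token-satisfied ones. The column names "MFA Required" and "MFA Result", the result strings and all user and IP values are assumptions modelled on the thread's description of the portal export, not an exact copy of its schema.

```powershell
# Added example (not from the thread). Classifies, per user, whether MFA was
# actually completed or only reported as satisfied by an existing token.
# Column names and result strings are assumptions; the rows are constructed.
$signins = @'
"User","IP address","MFA Required","MFA Result"
"alice@contoso.example","203.0.113.10","True","MFA completed in Azure AD"
"alice@contoso.example","198.51.100.5","True","MFA requirement satisfied by claim in the token"
"bob@contoso.example","198.51.100.5","True","MFA requirement satisfied by claim in the token"
"carol@contoso.example","203.0.113.44","False",""
"dave@contoso.example","203.0.113.80","True","MFA denied; user declined the authentication"
'@ | ConvertFrom-Csv

function Get-MfaUsageFromSignins {
    param([object[]]$Rows)
    $Rows | Group-Object User | ForEach-Object {
        $g = $_.Group
        $required  = @($g | Where-Object { $_.'MFA Required' -eq 'True' })
        # Only rows where a challenge was answered count as "using MFA";
        # token-satisfied rows mean no prompt was shown at all.
        $completed = @($required | Where-Object { $_.'MFA Result' -like 'MFA completed*' })
        $tokenOnly = @($required | Where-Object { $_.'MFA Result' -like '*satisfied by*token*' })
        [pscustomobject]@{
            User             = $_.Name
            SignIns          = $g.Count
            MfaRequired      = $required.Count
            MfaCompleted     = $completed.Count
            TokenOnly        = $tokenOnly.Count
            # The "TRUE in any login" spreadsheet check would flag bob; this flag does not
            ActuallyUsingMfa = ($completed.Count -gt 0)
        }
    }
}

# With the constructed rows: alice is the only user who really answered a challenge;
# bob only ever had the requirement satisfied by a token; carol was never asked;
# dave was asked and declined.
Get-MfaUsageFromSignins -Rows $signins | Format-Table -AutoSize
```

To run it against a real export, replace the here-string with `Import-Csv .\signins.csv` and adjust the two column names to whatever the portal's export actually uses in your tenant.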
Feb 28 2018 08:53 AM
Correct, you need to find out how MFA is enabled for those users
Apr 26 2018 07:13 AM
It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out. You will notice the app password tab is missing until enabled. I have found that if users pre-fill this form there is a problem in the two-factor process. I need to reset all users that pre-filled the form. The whole process of enable and auto-enforce makes the two-factor process very difficult to roll out. The app password on the phone is the hardest for people to understand as well. You have no idea how long it will take to use the new app password on the phone. Also, the tab for app passwords does not even look like a tab and is often overlooked by end users. The visibility into the whole process is a completely different experience from Duo; reports, what reports! Microsoft = NO reports of value... without PowerShell.
Jul 28 2018 01:45 AM
Couldn't agree more with Colin.
@Colin Kness wrote: The app password on the phone is the hardest for people to understand as well. You have no idea how long it will take to use the new app password on the phone. Also, the tab for app passwords does not even look like a tab and is often overlooked by end users.
Sep 05 2018 01:48 AM
What is the difference between enabled and enforced for StrongAuthenticationRequirements.State?
I can see enabled users with methods active; I don't really understand this.
Sep 10 2018 08:37 PM
Magnus,
You can find the different user states for user MFA here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
The description column in each of the states describes the state.
However, many organizations are using Conditional Access to invoke MFA, or policy-based MFA, which will show the users as Disabled for user state. This is because the user may be registered for MFA (has methods registered) but is not enforced on every authentication, and the sign-in state and policies are used to invoke MFA. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Jef
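The Get-MsolUser one-liner earlier in the thread reports only the per-user state (Enabled / Enforced / Disabled), which, as Jef explains, stays Disabled for users who merely registered methods or who get MFA through Conditional Access. The following PowerShell is an added example, not code from the thread or from Microsoft: it reports the per-user state next to the registered methods so that the "registered but not enforced" population the original poster was looking for can be listed. It assumes the MSOnline module is installed and Connect-MsolService has already been run; StrongAuthenticationRequirements and StrongAuthenticationMethods are real MsolUser properties, while the output column names and the Get-MfaReport function are my own.

```powershell
# Added example (not from the thread). Assumes the MSOnline module is available
# and that Connect-MsolService has already been run in this session.
Import-Module MSOnline

function Get-MfaReport {
    param(
        # Users to inspect; defaults to every enabled account in the tenant
        [object[]]$Users = (Get-MsolUser -EnabledFilter EnabledOnly -All)
    )
    foreach ($u in $Users) {
        # Per-user MFA state: Enabled / Enforced, or Disabled when the collection is empty.
        # A tenant that drives MFA through Conditional Access will show Disabled for everyone here.
        $state = if ($u.StrongAuthenticationRequirements.State) {
            $u.StrongAuthenticationRequirements.State
        } else { 'Disabled' }

        # Registered methods are independent of the per-user state: a user who
        # self-registered at aka.ms/mfasetup has methods here but may still be Disabled.
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

        [pscustomobject]@{
            DisplayName           = $u.DisplayName
            UserPrincipalName     = $u.UserPrincipalName
            PerUserMfaState       = $state
            RegisteredMethods     = ($methods -join ';')
            DefaultMethod         = $default
            # Registered methods but no per-user enforcement: MFA for these users
            # depends entirely on Conditional Access or nothing at all
            RegisteredNotEnforced = ($methods.Count -gt 0 -and $state -ne 'Enforced')
        }
    }
}

# Usage: list only users who have registered methods but are not enforced
Get-MfaReport | Where-Object { $_.RegisteredNotEnforced } | Format-Table -AutoSize

# Or keep the full report for review
# Get-MfaReport | Export-Csv -Path .\mfa-report.csv -NoTypeInformation
```

If RegisteredNotEnforced comes back True for many users and the tenant has no Conditional Access policy requiring MFA, those users are not actually protected by MFA, whatever the registration page led them to believe; that is the condition this thread ends up describing.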
Nov 23 2018 05:42 AM
It is not an approved Microsoft process to pre-publish the 2FA web page for the user to fill out. You will notice the app password tab is missing until enabled.
That is not correct. Microsoft officially says here that:
Once you enable the conditional access policy, users will be forced to enroll the next time they use an app protected with the policy. If you enable a policy requiring MFA for all users on all cloud apps, this action could cause headaches for your users and your helpdesk. The recommendation is to ask users to register authentication methods beforehand using the registration portal at https://aka.ms/mfasetup. Many organizations find that creating posters, table cards, and email messages helps drive adoption.