secure score not improving: ensure all users can complete MFA

%3CLINGO-SUB%20id%3D%22lingo-sub-1432071%22%20slang%3D%22en-US%22%3Esecure%20score%20not%20improving%3A%20ensure%20all%20users%20can%20complete%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1432071%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20created%20a%20conditional%20access%20rule%20for%20all%20users%20%2B%20all%20cloud%20apps%20%2Bany%20location%20to%20require%20MFA%20but%20the%20score%20hasn't%20increased%20in%20a%20week.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20notice%20it%20says%20%22%3CSPAN%3EYou%20have%2056%20out%20of%20183%20users%20registered%20and%20protected%20with%20MFA.%3C%2FSPAN%3E%22%20(which%20was%20the%20case%20before%20the%20conditional%20access%20policy).%26nbsp%3B%20(FYI%20this%20is%20a%20messy%20tenant%20with%20lots%20of%20previous%20users%20that%20have%20sign-in%20blocked%20and%20lots%20of%20users%20converted%20to%20shared%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20that%20mean%20that%20the%20score%20is%20actually%20evaluated%20on%20the%20%25%20of%20users%20that%20complete%20the%20MFA%20registration%3F%26nbsp%3B%20If%20so%2C%20the%20title%20of%20this%20item%20is%20misleading...%20it%20should%20just%20be%20called%20something%20like%20%25%20of%20users%20registered%20for%20MFA%20and%20the%20remediation%20steps%20should%20make%20clear%20that%20creating%20the%20policy%20doesn't%20guarantee%20score%20improvement.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eplease%20assist%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1432973%22%20slang%3D%22en-US%22%3ERe%3A%20secure%20score%20not%20improving%3A%20ensure%20all%20users%20can%20complete%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1432973%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F657068%22%20target%3D%22_blank%22%3E%40jfinNZ%3C%2FA%3E%26nbsp%3BHello%2C%20I%20believe%20you're%20correct.%20The%20complete%20list%20contains%20statuses%20disabled%2C%20enabled%20and%20enforced.%20For%20example%2C%20%22You%20have%2013%20out%20of%2025%20users%20with%20administrative%20roles%20registered%20and%20protected%20with%20MFA.%22%20The%2013%20are%20enforced%20and%20the%20rest%20either%20enabled%20or%20disabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%22All%20users%20start%20out%20Disabled.%20When%20you%20enroll%20users%20in%20Azure%20Multi-Factor%20Authentication%2C%20their%20state%20changes%20to%20Enabled.%20When%20enabled%20users%20sign%20in%20and%20complete%20the%20registration%20process%2C%20their%20state%20changes%20to%20Enforced.%22%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAzure%20Multi-Factor%20Authentication%20user%20states%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%23azure-multi-factor-authentication-user-states%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%23azure-multi-factor-authentication-user-states%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1457662%22%20slang%3D%22en-US%22%3ERe%3A%20secure%20score%20not%20improving%3A%20ensure%20all%20users%20can%20complete%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1457662%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F657068%22%20target%3D%22_blank%22%3E%40jfinNZ%3C%2FA%3E%26nbsp%3BGood%20input!%20I%20actually%20know%20that%20it%20doesn't%20change%20the%20state%2C%20but%20I%20thought%20it%20only%20looked%20at%20%3CSPAN%3Ewhether%20the%20actual%20registration%20process%20is%20completed%20or%20not%2C%20if%20that%20makes%20any%20sense.%20I%20have%20to%20do%20some%20research%20on%20this%20(can't%20say%20the%20Secure%20Score%20is%20within%20my%20%22comfort%20zone%22!).%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1457595%22%20slang%3D%22en-US%22%3ERe%3A%20secure%20score%20not%20improving%3A%20ensure%20all%20users%20can%20complete%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1457595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20I%20can%20articulate%20the%20issue...%26nbsp%3B%20%26nbsp%3B(proceeds%20to%20re-write%20his%20post%20several%20times%20over%20the%20course%20of%20the%20day)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20MFA%20secure%20score%20items%20appear%20to%20be%20looking%20at%20the%20MFA%20state%20of%20sign-on%20allowed%20users.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20recommended%20conditional%20access%20policy%20may%20block%20sign-ons%20where%20MFA%20isn't%20enabled%2C%20or%20prompt%20the%20users%20to%20register%20for%20MFA%2C%20but%20the%20conditional%20access%20policy%20doesn't%20directly%20affect%20the%20score.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%22Enabling%20Azure%20Multi-Factor%20Authentication%20through%20a%20Conditional%20Access%20policy%20doesn't%20change%20the%20state%20of%20the%20user.%26nbsp%3B%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOnly%20manually%20setting%20all%20of%20the%20user%20accounts%20to%20MFA%20%22enforced%22%20would%20DIRECTLY%20improve%20this%20score%20item%3F%3F%20...%20(but%20the%20above%20link%20warns%20that%20is%20not%20good%20practice).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20you%20have%20significant%20amounts%20of%20shared%20mailboxes%20or%20other%20user%20accounts%20that%20never%20complete%20the%20MFA%20process%2C%20you%20will%20never%20get%20the%20significant%20score%20improvement%26nbsp%3Bfrom%20setting%20the%20conditional%20access%20policy.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EA%20workaround%20is%20to%20set%20all%20of%20those%20unused%20accounts%20or%20shared%20mailboxes%20to%20%22block%20sign-in%22%20and%20then%20they%20won't%20count%20against%20the%20score.%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Femail%2Fcreate-a-shared-mailbox%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Femail%2Fcreate-a-shared-mailbox%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ERecommended%20solution%20for%20the%20secure%20score%3A%20G%3C%2FSPAN%3E%3CSPAN%3Erant%20full%20points%20if%20the%20recommended%20conditional%20access%20policy%20is%20set%2C%20otherwise%20grant%20points%20proportional%20to%20the%20%25%20of%20MFA%20enabled%20users.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I have created a conditional access rule for all users + all cloud apps +any location to require MFA but the score hasn't increased in a week.

 

I notice it says "You have 56 out of 183 users registered and protected with MFA." (which was the case before the conditional access policy).  (FYI this is a messy tenant with lots of previous users that have sign-in blocked and lots of users converted to shared mailboxes.

 

Does that mean that the score is actually evaluated on the % of users that complete the MFA registration?  If so, the title of this item is misleading... it should just be called something like % of users registered for MFA and the remediation steps should make clear that creating the policy doesn't guarantee score improvement.

 

please assist,

 

3 Replies
Highlighted

@jfinNZ Hello, I believe you're correct. The complete list contains statuses disabled, enabled and enforced. For example, "You have 13 out of 25 users with administrative roles registered and protected with MFA." The 13 are enforced and the rest either enabled or disabled.

 

"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."

 

Azure Multi-Factor Authentication user states
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-mu... 

Highlighted

@bec064 

 

I think I can articulate the issue...   (proceeds to re-write his post several times over the course of the day)

 

The MFA secure score items appear to be looking at the MFA state of sign-on allowed users.

 

The recommended conditional access policy may block sign-ons where MFA isn't enabled, or prompt the users to register for MFA, but the conditional access policy doesn't directly affect the score.

 

"Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. "

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

 

Only manually setting all of the user accounts to MFA "enforced" would DIRECTLY improve this score item?? ... (but the above link warns that is not good practice).

 

If you have significant amounts of shared mailboxes or other user accounts that never complete the MFA process, you will never get the significant score improvement from setting the conditional access policy.

 

A workaround is to set all of those unused accounts or shared mailboxes to "block sign-in" and then they won't count against the score. see https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwi...

 

Recommended solution for the secure score: Grant full points if the recommended conditional access policy is set, otherwise grant points proportional to the % of MFA enabled users.

Highlighted

@jfinNZ Good input! I actually know that it doesn't change the state, but I thought it only looked at whether the actual registration process is completed or not, if that makes any sense. I have to do some research on this (can't say the Secure Score is within my "comfort zone"!).