cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

secure score not improving: ensure all users can complete MFA

jfinNZ
Copper Contributor

‎Jun 01 2020 02:26 PM

‎Jun 01 2020 02:26 PM

secure score not improving: ensure all users can complete MFA

I have created a conditional access rule for all users + all cloud apps +any location to require MFA but the score hasn't increased in a week.

 

I notice it says "You have 56 out of 183 users registered and protected with MFA." (which was the case before the conditional access policy).  (FYI this is a messy tenant with lots of previous users that have sign-in blocked and lots of users converted to shared mailboxes.

 

Does that mean that the score is actually evaluated on the % of users that complete the MFA registration?  If so, the title of this item is misleading... it should just be called something like % of users registered for MFA and the remediation steps should make clear that creating the policy doesn't guarantee score improvement.

 

please assist,

 

12.8K Views
0 Likes
3 Replies
Reply
3 Replies
ChristianBergstrom

‎Jun 02 2020 03:04 AM

‎Jun 02 2020 03:04 AM

Re: secure score not improving: ensure all users can complete MFA

@jfinNZ Hello, I believe you're correct. The complete list contains statuses disabled, enabled and enforced. For example, "You have 13 out of 25 users with administrative roles registered and protected with MFA." The 13 are enforced and the rest either enabled or disabled.

 

"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."

 

Azure Multi-Factor Authentication user states
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-mu... 

0 Likes
Reply
jfinNZ

‎Jun 11 2020 02:38 PM - edited ‎Jun 11 2020 04:42 PM

‎Jun 11 2020 02:38 PM - edited ‎Jun 11 2020 04:42 PM

Re: secure score not improving: ensure all users can complete MFA

@ChristianBergstrom 

 

I think I can articulate the issue...   (proceeds to re-write his post several times over the course of the day)

 

The MFA secure score items appear to be looking at the MFA state of sign-on allowed users.

 

The recommended conditional access policy may block sign-ons where MFA isn't enabled, or prompt the users to register for MFA, but the conditional access policy doesn't directly affect the score.

 

"Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. "

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

 

Only manually setting all of the user accounts to MFA "enforced" would DIRECTLY improve this score item?? ... (but the above link warns that is not good practice).

 

If you have significant amounts of shared mailboxes or other user accounts that never complete the MFA process, you will never get the significant score improvement from setting the conditional access policy.

 

A workaround is to set all of those unused accounts or shared mailboxes to "block sign-in" and then they won't count against the score. see https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwi...

 

Recommended solution for the secure score: Grant full points if the recommended conditional access policy is set, otherwise grant points proportional to the % of MFA enabled users.

1 Like
Reply
ChristianBergstrom

‎Jun 11 2020 03:12 PM - edited ‎Jun 11 2020 03:13 PM

‎Jun 11 2020 03:12 PM - edited ‎Jun 11 2020 03:13 PM

Re: secure score not improving: ensure all users can complete MFA

@jfinNZ Good input! I actually know that it doesn't change the state, but I thought it only looked at whether the actual registration process is completed or not, if that makes any sense. I have to do some research on this (can't say the Secure Score is within my "comfort zone"!).

0 Likes
Reply