Forum Discussion

jfinNZ
Copper Contributor
Jun 01, 2020

secure score not improving: ensure all users can complete MFA

I have created a conditional access rule for all users + all cloud apps +any location to require MFA but the score hasn't increased in a week.

 

I notice it says "You have 56 out of 183 users registered and protected with MFA." (which was the case before the conditional access policy). (FYI this is a messy tenant with lots of previous users that have sign-in blocked and lots of users converted to shared mailboxes.)

 

Does that mean that the score is actually evaluated on the % of users that complete the MFA registration?  If so, the title of this item is misleading... it should just be called something like % of users registered for MFA and the remediation steps should make clear that creating the policy doesn't guarantee score improvement.

 

Please assist.

 

4 Replies

  • jfinNZ Hello, I believe you're correct. The complete list contains statuses disabled, enabled and enforced. For example, "You have 13 out of 25 users with administrative roles registered and protected with MFA." The 13 are enforced and the rest either enabled or disabled.

     

    "All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."

     

    Azure Multi-Factor Authentication user states
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-multi-factor-authentication-user-states 

    • jfinNZ
      Copper Contributor

      ChristianBergstrom 

       

      I think I can articulate the issue...   (proceeds to re-write his post several times over the course of the day)

       

      The MFA secure score items appear to be looking at the MFA state of sign-on allowed users.

       

      The recommended conditional access policy may block sign-ons where MFA isn't enabled, or prompt the users to register for MFA, but the conditional access policy doesn't directly affect the score.

       

      "Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. "

      https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

       

      Only manually setting all of the user accounts to MFA "enforced" would DIRECTLY improve this score item?? ... (but the above link warns that is not good practice).

       

      If you have significant amounts of shared mailboxes or other user accounts that never complete the MFA process, you will never get the significant score improvement from setting the conditional access policy.

       

      A workaround is to set all of those unused accounts or shared mailboxes to "block sign-in" and then they won't count against the score. See https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide

       

      Recommended solution for the secure score: Grant full points if the recommended conditional access policy is set, otherwise grant points proportional to the % of MFA enabled users.
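The thread above concludes that the score counts the per-user MFA state (Disabled / Enabled / Enforced) of accounts that are allowed to sign in, and that blocking sign-in on shared mailboxes and unused accounts takes them out of the denominator. The script below is an added example, not code from the thread or from Microsoft, that produces that tally from an admin workstation so the gap between "policy applied" and "users Enforced" can be seen directly. It uses the legacy MSOnline module that exposed the per-user MFA state at the time of this discussion and assumes Connect-MsolService succeeds with a read-only directory role; the inference that an empty StrongAuthenticationRequirements list means "Disabled" follows the user-states documentation linked above.

```powershell
# Added example (not from the thread): tally per-user Azure MFA state for sign-in-enabled
# accounts, the population the thread concludes Secure Score is reading.
# Assumes the legacy MSOnline module is installed and the caller holds a directory read role.

Import-Module MSOnline
Connect-MsolService

# Guests are excluded; the thread's numbers refer to member accounts in the tenant.
$users = Get-MsolUser -All | Where-Object { $_.UserType -ne 'Guest' }

$report = foreach ($u in $users) {
    # StrongAuthenticationRequirements is empty when per-user MFA was never enabled,
    # which the user-states documentation describes as the "Disabled" state.
    $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        SignInBlocked     = $u.BlockCredential
        MfaState          = if ($req) { $req.State } else { 'Disabled' }
        # Methods registered through the MFA registration flow; zero means registration
        # was never completed, whatever the Conditional Access policy requires.
        MethodsRegistered = @($u.StrongAuthenticationMethods).Count
    }
}

# Blocked accounts (shared mailboxes, departed users) drop out of the denominator,
# which is the workaround described in the thread.
$counted  = @($report | Where-Object { -not $_.SignInBlocked })
$enforced = @($counted | Where-Object { $_.MfaState -eq 'Enforced' }).Count
$ratio    = $enforced / [math]::Max(1, $counted.Count)
"{0} of {1} sign-in-enabled users are Enforced ({2:P0})" -f $enforced, $counted.Count, $ratio

# Accounts holding the number down: allowed to sign in but never completed registration.
# Review each one and decide between completing registration and blocking sign-in.
$counted | Where-Object { $_.MethodsRegistered -eq 0 } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, MfaState, MethodsRegistered -AutoSize
```

Run it before and after blocking sign-in on the shared mailboxes and the first line shows whether the denominator moved; the table lists the remaining sign-in-enabled accounts that have no registered method, which is the set a Conditional Access policy alone cannot change.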

      • dunxd570
        Copper Contributor

        If you have any Multi-function printers that send scans by email, or shared mailboxes accessed via external apps, it is almost certain that they cannot use MFA. 

        MFA is not the only way to secure accounts like this, but the Identity Security score doesn't allow for anything else.  Of course it is a guide, but also a waste of time if there are recommendations that are impossible to follow, which ultimately means many people will end up ignoring all the recommendations.
