Secure score not reflecting MFA

We had a few users with MFA already enabled, some others without. We could see who had MFA enabled from the Secure Score recommendations. I started to implement per-user MFA (started with a conditional access policy for some users, but later went over to per-user) for those without so that we could improve our security score. I saw some improvements in the score (3 or 4 days ago now) but since yesterday the score has been significantly lower.

Now, under

"MFA should be enabled on accounts with owner permissions on your subscription" and

"MFA should be enabled on accounts with write permissions on your subscription"

it shows that none of the users have MFA enabled, even when this is not the case.

I verified that MFA was enabled (and enforced in many cases) for those users, but this was not reflected in the Secure Score. (I know you don't get points for partially fulfilling criteria; I am talking about it not seeing ANY users with MFA enabled.) I've waited a few days for the score to update, but saw no changes.

Can someone help me in this regard? We use the secure score as an important performance metric and this really has a large impact on it.

3 Replies

@gerdus13 Can anyone provide me with an update for this?

Hi,

I work in Security and Compliance at Microsoft. Did you enable your CA policies through an Improvement Action through Secure Score? If so, it seems like a sync issue with the Secure Score service. Talk soon!

Hi @SecOpsMike, thanks for helping out.
We started off using our own CA policy, but then had to use the per-user MFA portal for some guest accounts. Do you maybe know how we can solve the sync issue with the Secure Score service if that is the problem?