SOLVED

Where does "Require MFA for administrative roles" count come from?

%3CLINGO-SUB%20id%3D%22lingo-sub-1339449%22%20slang%3D%22en-US%22%3EWhere%20does%20%22Require%20MFA%20for%20administrative%20roles%22%20count%20come%20from%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1339449%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20auditing%20our%20security%20score%20and%20checking%20the%20improvement%20actions%2C%20we%20can%20see%20the%20%22%3CSPAN%3ERequire%20MFA%20for%20administrative%20roles%22%20as%20incomplete.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20opened%20the%20improvement%20action%20blade%20and%20followed%20the%20steps%20listed%20a%20while%20ago%20but%20have%20not%20seen%20the%20status%20change%2C%20we%20are%20currently%20seeing%3A%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3EDescription%0ARequiring%20multi-factor%20authentication%20(MFA)%20for%20all%20administrative%20roles%20makes%20it%20harder%20for%20attackers%20to%20access%20accounts.%20Administrative%20roles%20have%20higher%20permissions%20than%20typical%20users.%20If%20any%20of%20those%20accounts%20are%20compromised%2C%20critical%20devices%20and%20data%20are%20open%20to%20attack.%0A%0AYou%20have%2018%20out%20of%2030%20admins%20registered%20and%20protected%20with%20MFA.%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20check%20where%20the%2018%2F30%20is%20coming%20from%20so%20we%20can%20rectify%20the%20remaining%2022%20accounts%3F%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1339875%22%20slang%3D%22en-US%22%3ERe%3A%20Where%20does%20%22Require%20MFA%20for%20administrative%20roles%22%20count%20come%20from%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1339875%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F637759%22%20target%3D%22_blank%22%3E%40EvanTse%3C%2FA%3E%26nbsp%3BHello%2C%20this%20sounds%20really%20familiar%20as%20it's%20quite%20a%20mess%20figuring%20out%20the%20Secure%20score%20sometimes.%20You%20can%20filter%20admins%20from%20the%20M365%20portal%20(Users%20-%20Active%20users%20-%20Filter)%20and%20to%20view%20the%20MFA%20state%20of%20users%20you%20can%20either%20use%20the%20M365%20or%20Azure%20portal%20(in%20the%20menus%20under%20%22Users%22).%20This%20can%20also%20be%20done%20with%20PowerShell%2C%20but%20as%20a%20best%20practice%20it%20shouldn't%20be%20that%20many%20admins%20to%20manage%20so%20the%20portal%20should%20suit%20one's%20needs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20believe%20the%20count%20you're%20seeing%20is%20telling%20you%20that%2018%20are%20%22enforced%22%20and%2022%20accounts%20are%20either%20%22enabled%22%20or%20%22disabled%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%22All%20users%20start%20out%26nbsp%3BDisabled.%20When%20you%20enroll%20users%20in%20Azure%20Multi-Factor%20Authentication%2C%20their%20state%20changes%20to%26nbsp%3BEnabled.%20When%20enabled%20users%20sign%20in%20and%20complete%20the%20registration%20process%2C%20their%20state%20changes%20to%26nbsp%3BEnforced.%22%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENews%20for%20Secure%20score%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmicrosoft-secure-score%3Fview%3Do365-worldwide%23whats-new%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmicrosoft-secure-score%3Fview%3Do365-worldwide%23whats-new%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAzure%20MFA%20user%20states%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1340068%22%20slang%3D%22en-US%22%3ERe%3A%20Where%20does%20%22Require%20MFA%20for%20administrative%20roles%22%20count%20come%20from%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1340068%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F637759%22%20target%3D%22_blank%22%3E%40EvanTse%3C%2FA%3E%26nbsp%3BI%20really%20recommend%20the%20MS%20docs%20for%20your%20questions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3BEnabling%20Azure%20Multi-Factor%20Authentication%20through%20a%20Conditional%20Access%20policy%20doesn't%20change%20the%20state%20of%20the%20user.%3C%2FP%3E%3CP%3E2.%26nbsp%3BYou%20shouldn't%20enable%20or%20enforce%20users%20if%20you're%20using%20Conditional%20Access%20policies.%26nbsp%3BAs%20for%20viewing%20user%20status%20I%20believe%20PowerShell%20is%20the%20way%20to%20go.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1339918%22%20slang%3D%22en-US%22%3ERe%3A%20Where%20does%20%22Require%20MFA%20for%20administrative%20roles%22%20count%20come%20from%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1339918%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20reply%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20information%20you%20provided%20is%20great.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20delve%20deeper%20into%20my%20question%2C%20the%20recommendation%20is%20to%20use%20conditional%20access%20policies%20to%20manage%20MFA.%20We%20have%20followed%20the%20recommended%20set%20up%20and%20are%20seeing%20there%20are%20some%20admin%20accounts%20not%20registered.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%202%20questions%3A%3C%2FP%3E%3COL%3E%3CLI%3EDoes%20conditional%20access%20policies%20update%20the%20Azure%20AD%20MFA%20state%20(from%20my%20testing%20it%20does%20not%20appear%20to%20be%20the%20case)%3COL%3E%3CLI%3EI%20have%20activated%20MFA%20on%20an%20global%20admin%20account%20then%20went%20to%20Azure%20%26gt%3B%20users%20%26gt%3B%20MFA%20and%20found%20that%20the%20account%20states%20MFA%20is%20disabled.%20I%20then%20tried%20to%20log%20in%20with%20an%20incognito%20session%20that%20prompted%20for%20MFA.%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3CLI%3EIs%20there%20a%20way%20to%20see%20which%20users%20do%20not%20have%20MFA%20set%20up%20(assuming%20that%20conditional%20access%20policies%20don't%20actually%20update%20the%20MFA%20dashboard%20in%20Azure).%3COL%3E%3CLI%3EIf%20this%20is%20the%20case%2C%20then%20would%20the%20recommendation%20be%20to%20go%20to%20the%20MFA%20dashboard%20in%20Azure%20and%20then%20manually%20set%20the%20MFA%20state%20to%20enforced%20for%20admin%20accounts%3COL%3E%3CLI%3EAND%20if%20we%20do%20this%2C%20then%20will%20there%20be%20adverse%20affects%20with%20the%20Azure%20enforcement%20and%20conditional%20access%20policy%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EApologies%20for%20the%20long%20reply.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

When auditing our security score and checking the improvement actions, we can see the "Require MFA for administrative roles" as incomplete.

 

We opened the improvement action blade and followed the steps listed a while ago but have not seen the status change, we are currently seeing:

 

 

Description
Requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data are open to attack.

You have 18 out of 30 admins registered and protected with MFA.

 

 

Is there a way to check where the 18/30 is coming from so we can rectify the remaining 22 accounts?

 

 

 

4 Replies

@EvanTse Hello, this sounds really familiar as it's quite a mess figuring out the Secure score sometimes. You can filter admins from the M365 portal (Users - Active users - Filter) and to view the MFA state of users you can either use the M365 or Azure portal (in the menus under "Users"). This can also be done with PowerShell, but as a best practice it shouldn't be that many admins to manage so the portal should suit one's needs.

 

I believe the count you're seeing is telling you that 18 are "enforced" and 22 accounts are either "enabled" or "disabled".

 

"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."

 

News for Secure score 

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwi...

 

Azure MFA user states

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

 

Thanks for the reply @ChristianBergstrom!

 

The information you provided is great.

 

To delve deeper into my question, the recommendation is to use conditional access policies to manage MFA. We have followed the recommended set up and are seeing there are some admin accounts not registered.

 

I have 2 questions:

  1. Does conditional access policies update the Azure AD MFA state (from my testing it does not appear to be the case)
    1. I have activated MFA on an global admin account then went to Azure > users > MFA and found that the account states MFA is disabled. I then tried to log in with an incognito session that prompted for MFA.
  2. Is there a way to see which users do not have MFA set up (assuming that conditional access policies don't actually update the MFA dashboard in Azure).
    1. If this is the case, then would the recommendation be to go to the MFA dashboard in Azure and then manually set the MFA state to enforced for admin accounts
      1. AND if we do this, then will there be adverse affects with the Azure enforcement and conditional access policy

 

Apologies for the long reply.

best response confirmed by EvanTse (New Contributor)
Solution

@EvanTse I highly recommend the MS docs for your questions.

 

1. Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user.

2. You shouldn't enable or enforce users if you're using Conditional Access policies. As for viewing user status I believe PowerShell is the way to go.

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

 

 

@ChristianBergstrom Thanks heaps for the extra information!