SOLVED

Secure score and MFA


MFA is enabled via Azure AD conditional access policies, but it seems like secure score is not recognizing that MFA is enabled via Azure AD conditional access policies and still indicates that MFA is not enabled and the update page in secure score takes you to the O365 portal to enable MFA for users.

10 Replies

Can anyone confirm if this is an issue with Secure score and if this will be fixed?

Hi Lavanya,

At this point Secure Score does not support conditional access scenarios for MFA. I have asked the team to add this to the backlog of controls we should support.

Sorry for the delay in getting back to you.

best response confirmed by LM (Contributor)
Solution

Thanks for the confirmation.

Is there anything like a roadmap item or something similar? It kind of messes up the whole "gamification" aspect, that this essential control doesn't score :)

Hi Philip,

Conditional access support for MFA is on our backlog of items we are looking into. I don't have any dates to share on this yet though.

I enabled MFA for all my users in the O365 Admin center four days ago and still haven't gotten the score for doing so. Half of my users have not logged in yet, so their status is still Enabled and not Enforced. I am not sure if they have to be Enforced for Secure Score to recognize it? 

Any update on Conditional Access being reflected in Secure Score? I have several of my clients asking about this now, as the direction is to use Conditional Access over manually enabling MFA now. This issue has been recognized for a year now and I am looking for updates to provide our clients.

Thanks,

@LM

Still open issue.

Any news on this, @Anthony Smith (A.J.)?

Our secure score is lacking many points, because conditional access MFA is NOT recognized in Secure Score. Please fix ASAP!!

Hello @Anthony Smith (A.J.), is there an update on this? We are a Microsoft Partner and CSP. There was a new requirement that came into effect Sept. 1st for all MPN Members to have MFA enabled across their tenant and CSP customers. We are now getting reports from Microsoft that tell us we are not in compliance with this new ruling even though we have MFA enabled for all of our clients in our tenant. Upon looking into it further, when we look in our customers' tenants in the AAD where we have some guest accounts to manage the client's Azure environment, their Azure Secure Score is reporting that our guest accounts do not have MFA enabled, but they do in our tenant. Is there a resolution for this, as it sounds like it's related to the conditional access MFA mentioned in this thread? Thank you.