Apr 26 2020 07:18 PM
When auditing our security score and checking the improvement actions, we can see the "Require MFA for administrative roles" as incomplete.
We opened the improvement action blade and followed the steps listed a while ago but have not seen the status change. We are currently seeing:
Description
Requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data are open to attack.
You have 18 out of 30 admins registered and protected with MFA.
Is there a way to check where the 18/30 is coming from so we can rectify the remaining 22 accounts?
Apr 27 2020 01:50 AM - edited Apr 27 2020 02:00 AM
@EvanTse Hello, this sounds really familiar as it's quite a mess figuring out the Secure score sometimes. You can filter admins from the M365 portal (Users - Active users - Filter) and to view the MFA state of users you can either use the M365 or Azure portal (in the menus under "Users"). This can also be done with PowerShell, but as a best practice it shouldn't be that many admins to manage so the portal should suit one's needs.
I believe the count you're seeing is telling you that 18 are "enforced" and 22 accounts are either "enabled" or "disabled".
"All users start out Disabled. When you enroll users in Azure Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced."
News for Secure score
Azure MFA user states
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Apr 27 2020 02:21 AM
Thanks for the reply @ChristianBergstrom!
The information you provided is great.
To delve deeper into my question, the recommendation is to use conditional access policies to manage MFA. We have followed the recommended set up and are seeing there are some admin accounts not registered.
I have 2 questions:
Apologies for the long reply.
Apr 27 2020 03:26 AM - edited Apr 27 2020 04:49 AM
Solution
@EvanTse I highly recommend the MS docs for your questions.
1. Enabling Azure Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user.
2. You shouldn't enable or enforce users if you're using Conditional Access policies. As for viewing user status I believe PowerShell is the way to go.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
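As an added example (not code from either poster), the PowerShell approach mentioned above can be written as a small report that walks every directory role, fetches each user member, and shows both the legacy per-user MFA state (the Enabled/Enforced value the quoted doc describes) and whether the user has actually registered an MFA method, which is the signal that matters when Conditional Access drives MFA. It assumes the MSOnline module is installed and that the account running it can read users and roles; the Secure Score figure itself is computed by Microsoft's service, so this script approximates rather than reproduces its "18 out of 30" count.

```powershell
# Added example (not from the thread): list directory-role members with their
# per-user MFA state and whether any MFA method is registered.
# Assumes the MSOnline module (Install-Module MSOnline) and an admin session.
Connect-MsolService

$report = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Only user principals carry MFA state; skip groups and service principals
        if ($member.RoleMemberType -ne 'User') { continue }
        $user = Get-MsolUser -ObjectId $member.ObjectId
        [pscustomobject]@{
            Role              = $role.Name
            UserPrincipalName = $user.UserPrincipalName
            # Legacy per-user state: stays empty when MFA is enforced only by Conditional Access
            PerUserMfaState   = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                                    $user.StrongAuthenticationRequirements[0].State
                                } else { 'Disabled' }
            # Registration is what a Conditional Access policy relies on at sign-in
            MfaRegistered     = ($user.StrongAuthenticationMethods.Count -gt 0)
            Methods           = ($user.StrongAuthenticationMethods | ForEach-Object MethodType) -join ','
        }
    }
}

# One row per admin (a user holding several roles is listed once), unregistered first
$admins = $report | Sort-Object UserPrincipalName -Unique
$admins | Sort-Object MfaRegistered |
    Format-Table Role, UserPrincipalName, PerUserMfaState, MfaRegistered, Methods -AutoSize

# Summary in the same shape as the Secure Score wording
$registered = ($admins | Where-Object MfaRegistered).Count
"{0} out of {1} admins have an MFA method registered" -f $registered, $admins.Count
```

Rows with MfaRegistered set to False are the admins who still need to complete the registration flow, regardless of what PerUserMfaState shows; with Conditional Access in place, that column is expected to read Disabled for everyone.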
Apr 27 2020 05:08 PM
@ChristianBergstrom Thanks heaps for the extra information!