Overview
Multifactor Authentication Status
The Multifactor Authentication Status alert is triggered when one of the users inside your tenancy does not have multifactor authentication (MFA) set up, and/or we cannot see a method of enforcement (for example administratively, through Security Defaults, or with a Conditional Access policy).
Understand your status
Monitor for changes
Ensure enforcement
Protect user accounts
Be proactive
Impact
Real world impact
Problems Faced
After much work getting everyone on board, a recent manual review (only last month!) showed that everyone had MFA set up and operational. Larry, a senior partner in the firm, is travelling overseas next month and didn’t want any interruption to his email in case he misplaces his phone (which holds the MFA keys), so he disabled MFA just before departure.
Larry doesn’t have roaming data, so he uses a Wi-Fi access point at the first airport he stops at. He fails to log in successfully at the airport; however, once he arrives at his hotel he is able to check his email and thinks no more of it.
What Larry doesn’t realise is that his login at the airport was redirected to a fake login page, on which his username and password were stolen. Malicious attackers now have uncontrolled access to Larry’s account.
Solution
It is important that any user accounts that are missing MFA are identified and rectified as a priority. Whilst all your accounts may have MFA at the moment, it is easy for a temporary disablement of MFA for a user to become permanent. The account with MFA disabled can easily be forgotten about, only to be remembered potentially months or years later when the account is compromised.
Checking on a daily basis that each one of your user accounts has MFA set up and enforced is time-consuming and impractical. It is not reasonable to expect an Administrator to undertake this task every day. CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps and reduce the potential for a larger impact.
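The check described above can be sketched as a comparison of two snapshots of per-user MFA status, flagging both gaps and regressions such as Larry's. This is an added example, not CatchBefore's own code; the record fields, enforcement labels and sample users are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserMfa:
    upn: str
    mfa_registered: bool      # at least one MFA method is set up
    enforced_by: tuple = ()   # hypothetical labels, e.g. ("conditional-access",)

@dataclass(frozen=True)
class Finding:
    upn: str
    reasons: tuple
    regression: bool          # True when coverage was lost since the last check

def evaluate(previous, current):
    """Flag users lacking MFA set-up and/or enforcement, noting regressions."""
    before = {u.upn: u for u in previous}
    findings = []
    for user in sorted(current, key=lambda u: u.upn):
        reasons, regression = [], False
        old = before.get(user.upn)
        if not user.mfa_registered:
            reasons.append("no MFA method registered")
            if old and old.mfa_registered:
                reasons.append("MFA removed since last check")
                regression = True
        if not user.enforced_by:
            reasons.append("no enforcement visible")
            if old and old.enforced_by:
                reasons.append("enforcement removed since last check")
                regression = True
        if reasons and old is None:
            reasons.append("account not seen in last check")
        if reasons:
            findings.append(Finding(user.upn, tuple(reasons), regression))
    return findings

# Constructed sample snapshots (not real tenant data).
LAST_CHECK = [UserMfa("alice@example.com", True, ("conditional-access",)),
              UserMfa("larry@example.com", True, ("conditional-access",)),
              UserMfa("sam@example.com", True, ("per-user",))]
THIS_CHECK = [UserMfa("alice@example.com", True, ("conditional-access",)),
              UserMfa("larry@example.com", False, ()),   # disabled before travel
              UserMfa("sam@example.com", True, ()),      # registered, not enforced
              UserMfa("nina@example.com", False, ("conditional-access",))]

if __name__ == "__main__":
    for f in evaluate(LAST_CHECK, THIS_CHECK):
        label = "REGRESSION" if f.regression else "GAP"
        print(f"{label:10} {f.upn}: {'; '.join(f.reasons)}")
```

Regressions are reported separately from long-standing gaps because a user who had MFA at the last check and has lost it since is the case a monthly manual review misses.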
Prevention
What are the main questions you should consider when working out how to manage this risk?
- Do you have a system or solution in place to detect user accounts that do not have multifactor authentication set up and enforced?
- If a user account were to remove MFA, would you find out?
- How long do you think it would take you to discover that you don’t have 100% MFA coverage?
- Have you ever checked for accounts missing MFA?
- What would the impact be on your organisation if a user account was compromised for an extended period of time without detection (due to lack of MFA enforcement)?