365 MultiFactor Authentication Status

Alert title: “MultiFactor Authentication Status”

Description: Alerts if a user is detected as being enabled in the system, and not having multi-factor authentication administratively enforced (either by site-wide “SecurityDefaults” being enabled, or on a user-by-user administratively enforced basis, via a conditional access policy that has MFA mentioned).  It will also alert if the user has not setup MFA yet.

Options:

• It is possible to ignore specific users
• It is possible to delay the alert triggering (for new users) by a number of days
• It is possible to delay the alert triggering (for new users that have never logged in) by a number of days

The problem: This alert is triggered if an enabled user is detected as not having MFA enabled, not having MFA setup (even if enabled), and will also alert if MFA is not enforced (even if enabled).

Impact: Any users that can login should have MFA enabled, setup, and enforced.  If they do not then the account (and the data it can access, as well as configuration control) is at a higher risk of access by an un-authorised party.

Suggested steps: Engage a technician to confirm that the alert is accurate.   Take steps to ensure that MFA is enabled, setup, and enforced.