Per User MFA List not accurate

Question

Per User MFA List not accurate

Benjamin Kanter 20

I am logged in as an admin account ([******@placeholder.com]) on Azure Active Directory. I need to figure out who has multifactor authentication and who does not.
I go to Users > Per-User MFA, and it brings me to a list of who we have enabled 2FA for and who we have not.
The user I am logged in as (The admin account) had me send a text message to my phone number, which would indicate 2FA to me, but shows as disabled in the Per User MFA list.
I can directly click on each user individually and view their authentication method. Many users who showed up as disabled had an SMS 2FA set up, similar to how my admin account worked. I am trying to figure out why it sometimes will show as "enforced" when there is seemingly nothing to distinguish an "enforced" 2FA user and a disabled one. The enforced users seem to always have a 2FA phone number. Many disabled users have a 2FA phone number set up. Some of them do not. I cannot find the difference.

Anyone able to point me in the correct direction? Thanks

Edit:
I now found an example of a user that was marked as "enforced" but had no authentication contact information in place.
I am having trouble finding a reliable means of finding out who has 2FA and who does not.

Marilee Turscak-MSFT 37,276 Reputation points Microsoft Employee Moderator

2023-06-28T18:55:01.03+00:00

Hi @Benjamin Kanter ,

Just checking to see if you were able to get the information you were looking for? Feel free to reach out at the email I left if you need someone to look into the "Enforced" issue.

Answer accepted by question author

0 additional answers

Your answer

Marilee Turscak-MSFT 37,276 Reputation points Microsoft Employee Moderator

2023-06-28T18:55:01.03+00:00

Hi @Benjamin Kanter ,

Just checking to see if you were able to get the information you were looking for? Feel free to reach out at the email I left if you need someone to look into the "Enforced" issue.

Answer 1

Marilee Turscak-MSFT 37,276 Microsoft Employee Moderator

Hi @Benjamin Kanter ,

Thanks for your post! The "disabled" status in the per-user settings does not actually mean that the MFA is disabled at all. Disabled just means not per-user MFA. So if the MFA is enforced via Conditional Access policies or Security Defaults, the MFA prompt would still trigger.

User's image

Per-user MFA shouldn't be used together with Security Defaults or Conditional Access, and the status should be set to "disabled" if you are using those together.

Reference: Disabled MFA Status and Convert users from per-user to Conditional Access MFA

If the information helped resolve your question, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching the same question.

Benjamin Kanter 20 Reputation points

2023-06-27T12:25:37.5433333+00:00

Then how is it that some our users that had the per user MFA enforced not have authentication contact information in the directory? The answer you gave makes sense, that is just one thing I do not understand.

One more question too. Since I cannot use that page to see who has MFA, what would be an effective method of double checking who and who does not have it?

Thanks!
Benjamin Kanter 20 Reputation points

2023-06-27T12:31:37.4666667+00:00

Couple additional clarifications.
How is it that some users who have Per User MFA enforced do not have authentication contact details in the Azure Active Directory?
And since I cannot use the Per User MFA page to see who does and does not have MFA, what is the most effective method to find out who does and does not have it?

Thanks
Marilee Turscak-MSFT 37,276 Reputation points Microsoft Employee Moderator

2023-06-28T00:32:22.0266667+00:00

You can use Microsoft Graph to query the number of users who are capable of MFA:

https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=isMfaRegistered eq true

There is no concrete concept of being enabled for MFA (other than the per user MFA status being set to "Enabled" / "Enforced").

For the authentication contact details, sometimes it takes extra time for the information to populate if it was recently added. Were they set up by aka.ms/sspr?

If the methods were successfully added, you should be able to list them via Microsoft Graph: GET https://graph.microsoft.com/beta/users/******@wingtiptoysonline.com/authentication/methods

If you check the sign-in logs for those users, you will also be able to see if they already completed MFA requirements while logging in.

If they still don't show up, feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a like to this thread, and I can get a support case opened to look into this for you.
Benjamin Kanter 20 Reputation points

2023-06-30T12:59:49+00:00

Thank you! I appreciated the help!

Share via

Per User MFA List not accurate

0 additional answers

Your answer