MFA stuck on Enforced

Question

Looking for ideas as to why some users are Enforced and some are Enabled.

We turned on MFA for our Office 365 apps. Some users show Enforced and some show Enabled. I have read the descriptions of each. I have users who have definitely completed the registration, but they still show Enabled, not Enforced.

If Enabled is indicating the user has not completed the registration -- how do you determine what steps of the registration are missing? On the "Additional Security Verification" page, their registration appears to be complete. They have the authenticator app downloaded and they have registered their device.

Answer 1

Hi @jfgriff-1153 ,

Is there any chance that some of those users completed the registration either before the MFA was enabled or before it was re-enabled? If MFA is re-enabled on a user object that already has registration details, such as phone or email, then administrators need to have that user re-register MFA via Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI.

If this is the case, the status will change to Enforced if they register again.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Answer 2

thank you for your answer.

That is exactly what happened. We allowed them to setup them MFA and then Enabled. Timing is hard if we turn on MFA first.

It seems to be working okay.

Are there any negative consequences if they stay on Enabled?