MFA showing enabled for users

Question

when we setup user for MFA, we typically set them to Enabled under MFA, then send them the info on completing the process.
however, when they finish, they still show as Enabled instead of Enforced.

if we set them to Enforced initially, wouldn't that prevent them from checking email until they finish registration?

we usually have assist users in completing the process, and typically it has to be when there is a lull in their day, so doing enforced first works best for us, but not if we cannot tell when they completed setup.

Answer 1

I would highly recommend that rather than setting the MFA per user, you create a Conditional Access policy (or enable the security defaults if you can)

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

But for your specific question:

Enforced The user is enrolled per-user in Azure Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state.

So , in other words, you can set to Enforced and they should still be able to register per user before they can do anything else. Isnt that what you want?
If not, then you will need to set to enabled and then force them to use MFA in some other way ( See Conditional Access)

I would suggest simply telling them they need to register first and enforce that.

Answer 2

one more question then...

I have several users who have registered with MFA, and had to put in a code when setup, but when I view MFA they show as enabled, not enforced.

shouldnt they be showing as enforced now?