Not Certain AAD MFA "Enabled" Actually Completed Registration

Michael O'Hara 1 Reputation point

I have many users who still show as "enabled" in MFA vs. the majority who have "enforced" status.
We do NOT have "Enforce Registration" turned on - so users are not being force-fed this (which is a bummer).

Does it mean the "enabled" users are NOT truly using MFA? As in they haven't completed registration?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. JamesTran-MSFT 36,351 Reputation points Microsoft Employee

    @Michael O'Hara
    Thank you for your post!

    When it comes to the different Azure AD MFA user states (Enabled/Enforced), the table below provides a great depiction of the three states:

    When you enroll users in per-user MFA, their state changes to Enabled. When enabled users sign in, and complete the registration process, their state changes to Enforced.

    Based off the table, if a user in your org is using a browser app, they'll be required to register for MFA after the session expires. Additionally, you can also reference the Azure AD Sign-in Logs and filter for Multifactor authentication.

    Additional Link:
    Authentication Methods Activity - The new authentication methods activity dashboard enables admins to monitor authentication method registration and usage across their organization.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.
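
One way to check this across the tenant, as an added example that is not part of the original thread or Microsoft's answer: it joins each user's per-user MFA state with the registration data behind the Authentication Methods Activity view and lists users who are Enabled but have no MFA method registered. It assumes the Microsoft Graph PowerShell SDK, the `AuditLog.Read.All` and `Policy.Read.All` scopes, and the Graph beta `authentication/requirements` endpoint for the per-user state.

```powershell
# Added example, not from the original thread.
# Assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All'

# Registration details per user (IsMfaRegistered, MethodsRegistered, ...).
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($r in $registration) {
    # Per-user MFA state for this user: disabled, enabled or enforced.
    $uri = "https://graph.microsoft.com/beta/users/$($r.Id)/authentication/requirements"
    try {
        $state = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState
    }
    catch {
        # The lookup failed, for example because the user was removed after the report was built.
        $state = 'unknown'
    }

    [pscustomobject]@{
        UserPrincipalName = $r.UserPrincipalName
        PerUserMfaState   = $state
        IsMfaRegistered   = $r.IsMfaRegistered
        MethodsRegistered = ($r.MethodsRegistered -join ', ')
    }
}

# Users enrolled in per-user MFA (Enabled) who have not registered any MFA method.
$report |
    Where-Object { $_.PerUserMfaState -eq 'enabled' -and -not $_.IsMfaRegistered } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Users who appear in `$report` as `enabled` with `IsMfaRegistered` set to true have registered a method but have not yet moved to Enforced.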