
MFA Status Check

Check the Multi-Factor Authentication registration and enforcement status for users. This diagnostic tool helps identify users who have not yet registered for MFA, users with incomplete registrations, and users whose MFA methods may need attention.

Overview

The MFA Status Check is part of the User Diagnostics suite. It provides focused analysis of authentication method registration and MFA enforcement across your tenant.

What Gets Checked

Authentication Methods Registered

Review which MFA methods each user has registered:

  • Microsoft Authenticator — Push notification or verification code
  • Phone (SMS/Voice) — SMS text message or voice call
  • FIDO2 Security Key — Hardware security key
  • Email OTP — One-time passcode sent to an alternate email; in Entra ID this is a self-service password reset method for member accounts, not a factor that satisfies an MFA claim, so it does not count toward MFA coverage
  • Windows Hello for Business — Biometric or PIN

MFA Enforcement Status

  • Enabled — User is enrolled in legacy per-user MFA but has not completed registration; they are prompted to register at their next interactive sign-in, and sign-in otherwise proceeds without MFA
  • Enforced — Registration is complete and MFA is required at sign-in (subject to trusted IP and remember-MFA settings)
  • Disabled — User is not enrolled in per-user MFA; MFA may still be required by Conditional Access
  • Per-user MFA vs Conditional Access — Indicates which mechanism is requiring MFA for the user; Conditional Access is the recommended one, and the two should not be mixed

Registration Completeness

  • Users with no MFA-capable method registered (SSPR-only methods such as email do not count)
  • Users with only one MFA method (losing that device locks the user out and drives helpdesk resets)
  • Users who were set to Enabled in per-user MFA, or targeted by a registration policy, but have not completed registration
  • Users whose registered phone numbers or methods are outdated
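The completeness buckets above can be computed directly from the Microsoft Graph registration report (GET /reports/authenticationMethods/userRegistrationDetails). The script below is an added example, not the diagnostic tool's own code and not a call to the product's /api/identity endpoints: it classifies each user as having no MFA-capable method, a single method, or adequate coverage, and separately flags users whose only MFA methods are SMS/voice. The report records are constructed for the example; the method names follow the values the Graph report uses in methodsRegistered as assumed here, so confirm them against a live report before relying on the MFA_CAPABLE set.

```python
"""Registration-completeness triage over Graph userRegistrationDetails records.

Added example (not the diagnostic product's code). The records below are
constructed to look like a subset of the fields returned by
GET /reports/authenticationMethods/userRegistrationDetails; they are not
real tenant data.
"""
from __future__ import annotations

import json
from collections import Counter

# Methods that satisfy an MFA claim in Entra ID (assumed method names as used
# by the Graph report). 'email' and 'securityQuestion' are self-service
# password reset methods only, so they do not count toward MFA coverage.
MFA_CAPABLE = {
    "microsoftAuthenticatorPush",
    "microsoftAuthenticatorPasswordless",
    "softwareOneTimePasscode",
    "hardwareOneTimePasscode",
    "mobilePhone",
    "alternateMobilePhone",
    "officePhone",
    "fido2SecurityKey",
    "windowsHelloForBusiness",
}
# SMS/voice are the methods most exposed to SIM swap and real-time phishing;
# a user with only these "has MFA" but should be moved to a stronger method.
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Constructed sample in the shape of the Graph report (subset of fields).
SAMPLE_REPORT = json.loads("""
{"value": [
 {"userPrincipalName": "alice@contoso.example",
  "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone", "fido2SecurityKey"]},
 {"userPrincipalName": "bob@contoso.example",
  "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "carol@contoso.example",
  "methodsRegistered": []},
 {"userPrincipalName": "dave@contoso.example",
  "methodsRegistered": ["email", "securityQuestion"]},
 {"userPrincipalName": "erin@contoso.example",
  "methodsRegistered": ["mobilePhone", "officePhone"]},
 {"userPrincipalName": "frank@contoso.example",
  "methodsRegistered": ["softwareOneTimePasscode", "email"]}
]}
""")


def classify_user(record: dict) -> dict:
    """Return the completeness finding for one userRegistrationDetails record."""
    methods = set(record.get("methodsRegistered", []))
    mfa_methods = methods & MFA_CAPABLE
    if not mfa_methods:
        # Registered SSPR-only methods (email, security questions) do not close this gap.
        status = "no_mfa_method"
    elif len(mfa_methods) == 1:
        status = "single_mfa_method"  # losing that one device locks the user out
    else:
        status = "ok"
    return {
        "user": record["userPrincipalName"],
        "status": status,
        "mfa_methods": sorted(mfa_methods),
        "sspr_only_methods": sorted(methods - MFA_CAPABLE),
        # True when the user has MFA but every MFA-capable method is SMS/voice.
        "phone_only": bool(mfa_methods) and mfa_methods <= PHONE_METHODS,
    }


def triage(report: dict) -> list[dict]:
    """Classify every record in the report, worst findings first."""
    order = {"no_mfa_method": 0, "single_mfa_method": 1, "ok": 2}
    findings = [classify_user(r) for r in report["value"]]
    return sorted(findings, key=lambda f: (order[f["status"]], f["user"]))


def summarize(findings: list[dict]) -> dict[str, int]:
    """Counts per bucket plus the phone-only count, for the report header."""
    counts = Counter(f["status"] for f in findings)
    counts["phone_only"] = sum(1 for f in findings if f["phone_only"])
    return dict(counts)


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    print(json.dumps(summarize(results), indent=2))
    for f in results:
        if f["status"] != "ok" or f["phone_only"]:
            print(f"{f['status']:<18} {f['user']:<24} mfa={f['mfa_methods']}"
                  f" sspr_only={f['sspr_only_methods']} phone_only={f['phone_only']}")
```

On the constructed sample, carol and dave land in the no-method bucket (dave's email and security-question registrations do not help), bob and frank have a single method, and erin is counted as covered but flagged phone-only because both of her methods are voice/SMS. Note that per-user MFA state (Enabled/Enforced) is not part of this report and has to be read separately.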

Common MFA Issues

User Cannot Complete MFA Challenge

The user has MFA enabled but cannot complete the challenge. Check which methods are registered and whether they are still valid.

Resolution: Verify registered methods. Reset MFA registration if needed via Authentication Methods.

MFA Registration Not Complete

User was required to register for MFA but has not completed setup.

Resolution: Direct the user to https://aka.ms/mfasetup to complete registration. Ensure Conditional Access allows registration from their current context; a policy targeting the "Register security information" user action can block it from an unmanaged device or untrusted location.

Phone Number Changed

User changed their phone number but did not update their MFA registration.

Resolution: Admin can delete the old phone method and ask the user to re-register, or update the phone number directly in Authentication Methods.

API Reference

  • GET /api/identity/users/:id/auth-methods — Get registered authentication methods
  • DELETE /api/identity/users/:id/auth-methods/:methodId — Remove an authentication method
  • POST /api/identity/diagnostics/run — Run diagnostics with MFA focus