MFA Status
Monitor multi-factor authentication enrollment and usage across all users. Track MFA adoption rates, identify gaps, and take action on non-compliant accounts.
Warning: MFA is the single most effective control against credential-based attacks. Microsoft data shows MFA blocks 99.9% of account compromise attacks. Target 100% MFA enrollment for all users.
Dashboard Metrics
- 85% — MFA Enabled
- 10% — Registered Only
- 5% — Not Registered
- 0 — Excluded
User MFA States
| State | Description | Action Required |
|---|---|---|
| Enabled | User has registered MFA methods and is required to use MFA | None |
| Enforced | MFA is enforced via Conditional Access or Security Defaults | None |
| Registered | User has MFA methods but policy doesn’t require MFA | Enable MFA requirement |
| Not Registered | No MFA methods registered | User must register MFA |
| Excluded | User excluded from MFA via Conditional Access policy | Review exclusion |
Authentication Methods
Users can register multiple MFA methods:
Microsoft Authenticator
Push notifications or TOTP codes. Supports passwordless sign-in. Recommended as primary method.
Phone (SMS/Voice)
Verification codes via SMS or voice call. Less secure than authenticator apps due to SIM swap risks.
FIDO2 Security Key
Hardware security keys (YubiKey, etc.). Most secure option. Supports passwordless authentication.
Windows Hello
Biometric or PIN authentication on Windows devices. Passwordless, device-bound credential.
Email (OTP)
One-time codes via email. Only for self-service password reset, not recommended for MFA.
Third-Party TOTP
Any OATH-TOTP compatible app (Google Authenticator, Authy, etc.).
User List
The user table shows:
| Column | Description |
|---|---|
| User | Display name and UPN |
| MFA Status | Enabled, Enforced, Registered, Not Registered |
| Methods | Icons for each registered method type |
| Default Method | Primary authentication method |
| Last MFA | When user last completed MFA challenge |
| Admin | Whether user has admin roles (priority for MFA) |
Actions
- Reset MFA — Clear all registered methods, force re-registration
- Enable Per-User MFA — Enable legacy per-user MFA (not recommended)
- View Methods — See all registered methods for a user
- Delete Method — Remove a specific authentication method
- Send Registration Nudge — Email user with registration instructions
Graph API Endpoints
- `GET /reports/authenticationMethods/userRegistrationDetails`
- `GET /users/{id}/authentication/methods`
- `DELETE /users/{id}/authentication/methods/{methodId}`
- `GET /reports/credentialUserRegistrationDetails`
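As an added example (not the dashboard's own code), the following script turns records from the `userRegistrationDetails` report into the state counts and per-user actions described above. The sample records are constructed; the field and method names (`isMfaRegistered`, `isAdmin`, `methodsRegistered`, `fido2SecurityKey`, `mobilePhone`, etc.) are assumed to follow the Graph `userRegistrationDetails` resource, and the Enabled/Enforced/Excluded states are not derived because they depend on Conditional Access policy data the report does not carry.

```python
"""Summarize MFA registration and flag gaps from userRegistrationDetails records."""
from collections import Counter

# Method identifiers as returned in methodsRegistered (assumption: names follow the
# Graph userRegistrationDetails resource). Grouped by the page's strength ranking.
STRONG = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
AUTHENTICATOR = {"microsoftAuthenticatorPush", "softwareOneTimePasscode"}
WEAK = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}

# Constructed sample of report records (not real tenant data).
SAMPLE_REPORT = [
    {"userPrincipalName": "admin@example.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "alice@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["softwareOneTimePasscode"]},
]

def classify(user):
    """Return (state, findings) for one record. Only Registered vs Not Registered is
    derivable here; Enabled/Enforced/Excluded need Conditional Access policy data."""
    methods = set(user.get("methodsRegistered", []))
    if not user.get("isMfaRegistered") or not methods:
        note = " (admin: priority)" if user.get("isAdmin") else ""
        return "Not Registered", ["register MFA" + note]
    findings = []
    if not methods & (STRONG | AUTHENTICATOR):   # SMS/voice/email only
        findings.append("only SMS/voice/email methods; move to Authenticator or FIDO2")
    if user.get("isAdmin") and not methods & STRONG:
        findings.append("admin without phishing-resistant method")
    if len(methods) < 2:
        findings.append("single method; no redundancy")
    return "Registered", findings

def summarize(report):
    """Dashboard-style percentages plus per-user findings, admins listed first."""
    states, actions = Counter(), []
    for user in sorted(report, key=lambda u: not u.get("isAdmin", False)):
        state, findings = classify(user)
        states[state] += 1
        actions.extend((user["userPrincipalName"], f) for f in findings)
    total = len(report) or 1
    return {s: round(100 * n / total) for s, n in states.items()}, actions

if __name__ == "__main__":
    pct, actions = summarize(SAMPLE_REPORT)
    print(pct)
    for upn, finding in actions:
        print(f"{upn}: {finding}")
```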
Best Practices
- Use Conditional Access instead of per-user MFA for flexibility
- Require MFA for all users, especially admins
- Prefer Authenticator app or FIDO2 over SMS
- Require multiple methods for redundancy
- Review MFA-excluded users monthly
- Enable number matching to prevent MFA fatigue attacks