Skip to main content

Three Ways Microsoft Enforces MFA, One Script to Report on All of Them

Nick Ross2 min read

TL;DR

  • As of July 2021, Microsoft 365 MFA can be enforced through the legacy per-user portal, Conditional Access policies, or Security Defaults, and each reports enrollment differently.
  • MFA enforced by Conditional Access or Security Defaults does not reflect back into the per-user MFA portal, so a protected user can still show as Disabled there.
  • Conditional Access requires an Azure AD Premium P1 license, which is the usual blocker for clients on Business Standard.
  • Security Defaults are on by default in new tenants since late 2019 and must be turned off before any Conditional Access policy can be enabled.
  • A PowerShell script using the Secure Application Model can pull MFA status from every Partner Center customer into per-tenant HTML reports, including third-party custom controls like Duo.

Ask a simple question, "which of our users actually have MFA?", and Microsoft 365 gives you three different answers depending on where you look. Microsoft has moved MFA enforcement into different sections of the product over the years, and as of July 2021 the result is that no single screen tells an admin the whole truth. Below we walk through each enrollment method, where its status actually lives, and a PowerShell script that reports real MFA coverage across every customer tenant you manage through Partner Center.

Where can MFA be enforced, and what does each method report?

The per-user MFA portal (legacy)

Most MSPs probably still use the MFA portal as their primary enforcement method. It offers three states per user: Disabled, Enabled, and Enforced. Enabled gives the user a 14-day grace period to enroll a second factor; Enforced requires setup immediately at next sign-in. We call it legacy because Microsoft has said it intends to deprecate this portal over time, though no official date has been posted as of July 2021. The method works, and it can also be enforced via PowerShell.

Per-user MFA portal showing Disabled, Enabled, and Enforced states

The catch that breaks reporting: if MFA is enabled through Conditional Access policies or Security Defaults, the status does not translate back into this portal. A CA policy can be enforcing MFA, the user can be registered, and the MFA portal will still show that user as Disabled.

Conditional Access policies

Conditional Access policies are if/then statements that grant or block access to corporate resources: if certain conditions are met, then controls apply. CA policies can enforce MFA scoped to specific users or groups, and once a policy is in place, the user is asked to register a second factor the next time the conditions are met. The limitation is licensing: CA requires an Azure AD Premium P1 license, which is usually the blocker for clients on Business Standard.

Conditional Access policy configuration enforcing MFA

Security Defaults

Security Defaults arrived at the end of 2019 and are on by default in all net new tenants. They enforce MFA for all users automatically, with a 14-day grace period, and require the Microsoft Authenticator app. Security Defaults cannot coexist with Conditional Access: if at least one CA policy is enabled, Security Defaults must be turned off.

Security Defaults toggle in Azure AD

How do you report on all three at once?

Three enforcement methods that do not report into one place make MFA documentation a nightmare, so we built a script (opens in new tab) that pulls a report for every customer managed in Partner Center. It connects to client environments using the Secure Application Model (opens in new tab) and generates HTML pages listing, per tenant:

  • MFA enforced through the MFA portal
  • Conditional Access policies
  • Security Defaults (enabled or disabled)
  • Custom controls (for example, Duo)
HTML report output showing MFA status across enforcement methods

Custom controls deserve a note since we did not cover them above: they are part of Conditional Access and let a third party like Duo enforce MFA. Plenty of MSPs run Duo for their customers, so the report includes them.

Run the script periodically rather than once. MFA adoption drifts as users join, licenses change, and policies get edited, and the only honest answer to "are we covered?" is a report generated recently.

Frequently asked questions

Why does a user with MFA show as Disabled in the MFA portal?

The per-user MFA portal only knows about per-user enforcement. If MFA comes from a Conditional Access policy or Security Defaults, the status does not translate back, so the portal can show Disabled for a user who registered through a CA policy.

Can Security Defaults and Conditional Access run together?

No. If at least one Conditional Access policy is enabled, Security Defaults must be turned off. They are mutually exclusive enforcement methods.

What is the difference between Enabled and Enforced in the per-user portal?

Enabled gives the user a 14-day grace period to enroll a second factor. Enforced requires setup immediately at next sign-in.

How does the reporting script authenticate to customer tenants?

Through the Secure Application Model, the Microsoft-recommended app registration pattern for CSP partners, which lets one script iterate every customer in Partner Center without storing admin credentials per tenant.

MFA coverage you can prove, without running scripts

CloudCapsule checks MFA enforcement alongside 250+ other controls in every tenant you manage, about 60 seconds each, and turns the results into reports a client can actually read.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading