Why Are Some Users Showing as Missing MFA When MFA Is Enabled?

Cloud Capsule flags a user as MFA unprotected unless an active enforcement policy covers them and at least one MFA method is registered. This article covers the most common causes of unexpected flags and how to investigate them.

Cloud Capsule evaluates MFA protection across all active users in your Microsoft Entra ID tenant. Users who appear to have MFA configured may still be flagged if either of the two required conditions is not fully met. This article explains how the detection works, what can cause unexpected results, and how to investigate.


How Cloud Capsule Determines MFA Protection

A user is considered MFA protected only when both of the following conditions are true:

1. An MFA policy is actively enforcing MFA on their account, via one of:

  • Security Defaults — Microsoft's baseline protection is enabled for the entire tenant
  • Conditional Access — An enabled policy requires MFA for all applications and covers the user directly, via group membership, or via an assigned directory role
  • Per-User MFA — MFA has been set to Enforced directly on the user's account in the legacy per-user MFA portal

2. The user has registered at least one MFA method, such as:

  • Microsoft Authenticator app
  • Phone (SMS or voice call)
  • FIDO2 security key
  • Windows Hello for Business
  • Software OATH token

Both conditions must be met. A user who is covered by a policy but has never completed MFA registration is still treated as unprotected.


Who Is Excluded from This Metric

The following account types are intentionally excluded regardless of MFA status:

Account Type | Reason
Disabled accounts | Inactive accounts cannot be used to sign in
Guest accounts | External identities managed by their home tenant
Shared mailboxes | Non-interactive accounts not used for user sign-in
Break Glass accounts | Emergency access accounts are excluded by design
Accounts with ignored roles | Service or automation roles marked as exempt
Manually overridden accounts | Accounts an administrator has explicitly excluded in Cloud Capsule

Common Reasons a User Is Flagged Unexpectedly

A Conditional Access policy is bypassing MFA enforcement

Even if one CA policy enforces MFA, a separate CA policy may exist that excludes certain users from MFA registration or enforcement entirely. If a user falls under that bypassing policy, Cloud Capsule will flag them as unprotected. Having MFA registered does not prevent this flag if a CA policy removes the enforcement requirement for that user.

The user is excluded from all MFA-enforcing CA policies

A user excluded from every CA policy that enforces MFA is treated as unprotected. Policy coverage, not method registration, is what Cloud Capsule evaluates first.

The user has not completed MFA registration

A user covered by a policy but with no registered MFA methods will still be flagged. Enforcement cannot occur without a registered method. Check the MFA Registered column in the Users Without MFA table to identify these accounts.

Per-user MFA is set to Enabled, not Enforced

Cloud Capsule only recognizes the Enforced state for per-user MFA. Accounts set to Enabled (but not Enforced) are not considered protected.
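The two conditions from "How Cloud Capsule Determines MFA Protection", the exclusion table, and the unexpected-flag cases just listed (exclusion from every enforcing policy, missing registration, per-user MFA left at Enabled rather than Enforced) as one added Python model run over constructed sample data. This is illustrative code written for this article, not Cloud Capsule's own implementation; the User, CAPolicy and Tenant classes and their field names are assumptions, and the model does not attempt to reproduce how Cloud Capsule detects a separate policy that bypasses MFA registration.

```python
# Added example (not Cloud Capsule's code): a model of the article's two-condition MFA check; data shapes and field names are assumptions.
from dataclasses import dataclass, field

@dataclass
class CAPolicy:
    name: str
    enabled: bool = True
    requires_mfa: bool = True          # grant control includes "Require MFA"
    all_cloud_apps: bool = True        # targets all cloud applications
    include_users: set = field(default_factory=set)   # UPNs, or the literal "All"
    include_groups: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)

@dataclass
class User:
    upn: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    registered_methods: set = field(default_factory=set)
    enabled: bool = True
    user_type: str = "Member"          # "Guest" for external identities
    per_user_mfa: str = "Disabled"     # legacy state: Disabled / Enabled / Enforced
    shared_mailbox: bool = False
    break_glass: bool = False
    manual_override: bool = False      # an administrator excluded the account

@dataclass
class Tenant:
    security_defaults: bool = False
    ca_policies: list = field(default_factory=list)
    ignored_roles: set = field(default_factory=set)

def exclusion_reason(user, tenant):
    """Why the account is left out of the metric entirely, or None if it counts."""
    checks = [(not user.enabled, "disabled account"),
              (user.user_type == "Guest", "guest account"),
              (user.shared_mailbox, "shared mailbox"),
              (user.break_glass, "break glass account"),
              (bool(user.roles & tenant.ignored_roles), "ignored role"),
              (user.manual_override, "manually overridden")]
    return next((why for hit, why in checks if hit), None)

def ca_policy_covers(user, policy):
    """An enabled, all-apps, MFA-requiring policy that includes the user and does not exclude them."""
    if not (policy.enabled and policy.requires_mfa and policy.all_cloud_apps):
        return False
    included = ("All" in policy.include_users or user.upn in policy.include_users
                or user.groups & policy.include_groups or user.roles & policy.include_roles)
    excluded = user.upn in policy.exclude_users or user.groups & policy.exclude_groups
    return bool(included) and not excluded

def enforcement_source(user, tenant):
    """Condition 1: the mechanism actively enforcing MFA on the user, or None."""
    if tenant.security_defaults:
        return "Security Defaults"
    for policy in tenant.ca_policies:
        if ca_policy_covers(user, policy):
            return f"Conditional Access: {policy.name}"
    if user.per_user_mfa == "Enforced":        # "Enabled" alone does not count
        return "Per-User MFA"
    return None

def evaluate(user, tenant):
    """Classify one user as excluded, protected, or unprotected, with the reason."""
    why = exclusion_reason(user, tenant)
    if why:
        return {"upn": user.upn, "status": "excluded", "reason": why}
    source = enforcement_source(user, tenant)
    if source is None:                          # condition 1 fails
        return {"upn": user.upn, "status": "unprotected", "reason": "no enforcing policy"}
    if not user.registered_methods:             # condition 2 fails
        return {"upn": user.upn, "status": "unprotected", "reason": "no method registered"}
    return {"upn": user.upn, "status": "protected", "reason": source}

def assess(tenant, users):
    """Tenant-level result: no partial credit, one unprotected active user is Danger."""
    results = [evaluate(u, tenant) for u in users]
    unprotected = [r["upn"] for r in results if r["status"] == "unprotected"]
    return {"status": "Danger" if unprotected else "Good",
            "unprotected": unprotected, "results": results}

# Constructed tenant: one enforcing CA policy scoped to the Staff group, one explicit exclusion.
SAMPLE_TENANT = Tenant(ca_policies=[CAPolicy(name="Require MFA - Staff", include_groups={"Staff"},
                                             exclude_users={"bob@example.com"})])
SAMPLE_USERS = [
    User("alice@example.com", groups={"Staff"}, registered_methods={"Authenticator"}),
    User("bob@example.com", groups={"Staff"}, registered_methods={"Phone"},
         per_user_mfa="Enabled"),                     # excluded from the policy; Enabled != Enforced
    User("carol@example.com", groups={"Staff"}),      # covered, but nothing registered
    User("dave@example.com", per_user_mfa="Enforced", registered_methods={"FIDO2"}),
    User("partner@contoso.com", user_type="Guest"),   # left out of the metric
    User("emergency@example.com", break_glass=True),  # left out of the metric
]
if __name__ == "__main__":
    for r in assess(SAMPLE_TENANT, SAMPLE_USERS)["results"]:
        print(f"{r['upn']:24} {r['status']:12} {r['reason']}")
```

Running it shows why bob and carol are flagged while the tenant as a whole is rated Danger: bob has a method registered but is excluded from the only enforcing policy and his per-user state is Enabled, not Enforced, so condition 1 fails; carol is covered by the policy but has nothing registered, so condition 2 fails. The order of the checks mirrors the article: exclusion categories first, then policy coverage, then registration.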


Where the Data Comes From

Cloud Capsule pulls the following from your Microsoft tenant during each assessment:

  • Microsoft Entra user accounts — account status, user type, and assigned licenses
  • MFA registration status — sourced from the Entra ID Authentication Methods registration report, which requires a Microsoft Entra ID P1 or P2 license. If this report is unavailable, Cloud Capsule falls back to checking each user's registered authentication methods individually
  • Security Defaults — whether Microsoft's baseline security policy is enabled for the tenant
  • Conditional Access policies — all policies are reviewed to determine whether MFA is required for each user across all cloud applications
  • Per-User MFA state — the legacy per-user MFA enforcement setting, checked only for users not already covered by Security Defaults or Conditional Access

Steps to Investigate

Step 1: Review the Users Without MFA list

  1. Go to Tenants and select the affected tenant.
  2. Navigate to the Users tab.
  3. Select Users Without MFA.
  4. Review the MFA Registered and Covered by Conditional Access columns for each flagged user.

Step 2: Check for Conditional Access policies that bypass MFA

  1. In the tenant view, navigate to the Policies tab.
  2. Select Conditional Access Policies and review all active policies.
  3. Look for any policy that grants access without requiring MFA, or that explicitly excludes MFA registration. These can silently override an enforcing policy for affected users.

Step 3: Review policy exclusions

  1. In the Policies tab, select Users Excluded from MFA Enforced Policies.
  2. Check whether the flagged users appear here and confirm whether those exclusions are intentional.

Step 4: Verify MFA method registration

  1. In the Users tab, select User Authentication Methods.
  2. Confirm whether flagged users have at least one MFA method registered in Entra ID.

Step 5: Refresh the tenant assessment

If you recently made changes to MFA or CA policies, the assessment may be showing stale data.

  1. In the tenant view, click Refresh in the top-right toolbar.
  2. Wait for the assessment to complete, then recheck the Users Without MFA list.

Status Reference

Result | Status
0 users without MFA | Good
1 or more users without MFA | Danger

There is no partial credit. Any unprotected active user account is treated as a high-priority risk.


When to Contact Support

If you have completed the steps above and users are still appearing incorrectly, please contact support with the following information:

  • The name or UPN of one or more affected users
  • How MFA is configured for those users (Security Defaults, Conditional Access, per-user MFA, or a combination)
  • Whether any CA policies may be bypassing MFA enforcement for those users
  • Whether the issue affects all tenants or a specific one

Email: support@cloudcapsule.io
In-app: Navigate to Support and open a new ticket.