Last Updated On: July 11, 2024
Understanding Office 365 Multi-Factor Authentication Enabled vs. Enforced
One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multi-factor authentication (MFA). Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray. Enabling MFA ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems where they could cause serious financial and operational damage.
Microsoft 365 and Office 365 both support basic MFA features at no extra cost, with upgraded features available for purchase. Depending on your organizational needs, there are a few different ways you can enable a user for MFA. Whether through manual configuration, security defaults, or Conditional Access policies, multi-factor authentication can be configured using the Azure portal.
To learn more about managing Active Directory with native and third-party tools, read our Active Directory Management Tools guide.
What’s the Difference Between MFA Enabled and Enforced?
Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.
- MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
- MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
- MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.
Keep in mind that once a user is in the enforced state, some older non-browser apps, such as Office 2010 or earlier, do not support modern authentication protocols. To let those apps keep signing in while Azure AD multi-factor authentication remains enabled for the account, app passwords can be used in place of the user’s regular username and password.
To learn more about multi-factor authentication, read our blog discussing the differences between Microsoft user-based MFA and Azure MFA.
Understanding Methods to Enable Office 365 Multi-Factor Authentication
Multi-factor authentication can be enabled in Azure AD/Entra ID in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.
- Enable MFA by Changing User States
- Enable MFA with Security Defaults
- Enable MFA with a Conditional Access Policy
All the methods listed above prompt users to register for Azure multi-factor authentication the first time they sign in after the requirement is turned on. Once users have completed MFA registration, they are prompted again only when necessary, mainly when signing in from a new device or application or when completing critical tasks. For more information on Azure AD multi-factor authentication, see Microsoft’s documentation.
Latest Updates to MFA in Microsoft 365
- Security defaults: Microsoft has been making security defaults available to all license subscriptions, which includes enabling MFA for all admin and user accounts. This is a significant step forward in making MFA the default security posture for Microsoft 365 organizations.
- Cloud MFA: Microsoft has introduced new cloud-based MFA options that offer improved security and manageability. These options include Azure Active Directory Multi-Factor Authentication (MFA) and the Microsoft Authenticator app.
- End of Azure MFA Server: Beginning September 30, 2024, Azure MFA Server deployments will no longer service MFA requests. Organizations should migrate their users to the cloud-based Azure MFA service before this date to avoid disruptions. You can learn more about it in this update from Microsoft.
To learn more about increasing security in your Microsoft environments, check out our webinar, “Modernize AD Management: How Security & Efficiency Intertwine.”
Viewing Multi-Factor Authentication User States
How to Manually Check MFA User States in the Azure Portal
- After signing in to the Azure/Entra ID portal, select “Microsoft Entra ID” from the main menu
- On the left navigation, select “Users”, then “All Users”
- On the top navigation, click “Per-user MFA”
- A new page will open that displays the username and MFA user status
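The same per-user states can be pulled for every account at once from PowerShell instead of reading them off the portal page. This is an added example, not code from the original post or from Cayosoft; it assumes the MSOnline module is installed (Microsoft has deprecated it, but it is the module that exposes the per-user Enabled/Enforced state described above) and that you sign in with a role allowed to read user MFA settings.

```powershell
# Added example: summarize per-user MFA states (Disabled / Enabled / Enforced) for a tenant.
# Assumes the MSOnline module and an admin account that can read user MFA settings.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        # StrongAuthenticationRequirements is empty for users in the Disabled state;
        # otherwise its State property is "Enabled" or "Enforced".
        $req   = $User.StrongAuthenticationRequirements | Select-Object -First 1
        $state = if ($req) { $req.State } else { 'Disabled' }

        # Registered methods: an Enforced user has at least one, and one is marked default.
        $methods = $User.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }
        $default = ($User.StrongAuthenticationMethods | Where-Object IsDefault).MethodType

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            RegisteredMethods = ($methods -join ',')
            DefaultMethod     = $default
            Licensed          = $User.IsLicensed
        }
    }
}

$report = Get-MsolUser -All | Get-PerUserMfaState

# Counts per state, the same information the portal's "Per-user MFA" page shows.
$report | Group-Object MfaState | Select-Object Name, Count | Format-Table -AutoSize

# Licensed users still in the Disabled state are the accounts to address first.
$report | Where-Object { $_.MfaState -eq 'Disabled' -and $_.Licensed } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# Export for scheduled distribution or follow-up.
$report | Export-Csv -Path .\PerUserMfaState.csv -NoTypeInformation
```

Users who show as Enforced with a RegisteredMethods value but whose older clients still fail to sign in are the app-password case described earlier in this post.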
How to Create a Report of Users and Their MFA Status in Cayosoft Administrator
With Cayosoft Administrator, you can create the report below once and then have it delivered on a schedule, such as weekly or monthly.
- From the Cayosoft Administrator console, click “New Rule”
- Click “Show All Templates”
- Type “MFA” into the search bar to show relevant rules
- Create the rule “Microsoft 365 Users Authentication Methods (MFA) Status”
- For rule output, select the desired output such as “Send as E-mail with Attached Report”
- Click “Finish”, verify the output, then click “Run Rule”
Want to Secure Your Active Directory?
Learn more about Cayosoft Administrator, our unified solution for securing and managing all your Microsoft Directories, or schedule a personalized demo to see how Cayosoft can help improve your security and IT efficiency!
FAQs
We have some users who don't have devices that can easily receive MFA codes. Can I enable MFA if those users can't use a traditional authenticator app?
Yes! Microsoft MFA supports a variety of authentication methods besides app-based codes, including:
- Phone Call: The user can receive an automated call that prompts them to verify their identity by pressing a key.
- SMS Text Message: An SMS code is sent to the user’s registered mobile number.
- Hardware Tokens: These physical devices generate time-based codes for authentication.
Consider using these alternative methods for users without compatible smartphones.
Our employees find MFA prompts disruptive. How can we minimize the number of MFA challenges a user receives while still maintaining security?
Here are a few strategies to strike a better balance:
- Risk-Based MFA: If you have Azure AD Premium P2, leverage risk-based Conditional Access. This analyzes login behavior patterns to reduce prompts for trusted scenarios.
- Remember Trusted Devices: Many MFA providers allow users to select “Remember this device” options for a set period, reducing verification frequency on recognized devices.
- Alternative MFA Methods: Consider less intrusive verification methods like Windows Hello for Business, which uses biometric or PIN-based authentication options.