How to report the MFA Status for users in Microsoft Entra ID

Major phishing attacks and exploits that target Microsoft 365 users are on the rise. Most of these attacks rely on getting hold of users' credentials to gain access to their accounts. Microsoft Entra ID allows users in Microsoft 365 to set up MFA for their accounts with Microsoft Entra MFA to prevent attacks like this that arise from only using a single authentication factor. You can also check the implementation of MFA across your tenant in Microsoft Entra ID.

Why do I need to track the MFA status of users in Microsoft Entra ID?

Configuring MFA is a crucial security precaution for your organization, and making sure that your users are secured with MFA is even more crucial. By tracking the adoption of MFA across your organization, you can ensure that your users are at a lower risk of being vulnerable to unauthorized access attempts. Also, you can get an idea of which authentication method is preferred by your users so that you can promote other methods to ensure that there is no single authenticator for the attackers to exploit. By getting the insights on which users do not have MFA enabled, you will be able to encourage or enforce them to set up MFA for their account without having to check the details of every user individually.

How to generate a report on MFA status of users in Microsoft Entra ID and M365 Manager Plus

Microsoft Entra ID can help generate a report on the MFA methods used by individual users in your Microsoft 365 environment.

ManageEngine M365 Manager Plus, a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can also be used to track the MFA status of users in Microsoft Entra ID.

This table is a comparison on how to generate a report on MFA status of users in Microsoft Entra ID and M365 Manager Plus.

How to set up alerts for MFA status changes in Microsoft Entra ID

While MFA is a secure way to safeguard user accounts, it can be compromised or circumvented. Administrator accounts can be hacked, which gives them control over other user's MFA methods. This allows attackers to disable MFA for user accounts and leave them open to cyberattacks. This can be tracked with Audit logs in Microsoft Entra ID, but it's not a reliable way to identify and mitigate an attack in real time. You can generate alerts for this action using Azure Monitor. However, that requires the purchase of an additional license.

M365 Manager Plus offers alerts for crucial security events like MFA status changes, along with the capability to audit and monitor your entire Microsoft 365 environment. You can set alerts for MFA status changes by following these steps:

1. Log in to M365 Manager Plus, navigate to Settings > Audit Configuration > Alert Profiles, and click Add Profile.
   
2. Type in a Profile Name and Description for your audit profile.
3. Select Azure Active Directory as your Microsoft 365 Service, choose Azure AD password as your Category, and include Disabled MFA Users under Actions.
   
4. Assign a Severity level based on how crucial this alert is. In the example screenshot below, we've selected Attention.
5. Configure an alert message using Macros to use specific variables in your alert message. For this example, we've used the following message: %ACTOR% disabled MFA for %OBJECT_ID% at %CREATION_TIME%.
6. Expand Advanced Configuration and check the Email every alert corresponding to this profile box to receive email alerts.
7. In the Filter Settings tab, use the Business Hours Filter to monitor for any alerts outside of working hours.
8. Click Add to finalize your changes and create an alert profile to report the MFA Status for users in Microsoft Entra ID.
   

Limitations of using native tools to report the MFA Status for users in Microsoft Entra ID

• To set up alerts for MFA status changes in Microsoft Entra ID, Azure Monitor needs to be configured separately, which requires an additional license.
• Administrators must be assigned at least the Reports Reader role to access the reports displayed in Microsoft Entra ID.
• Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.

Benefits of using M365 Manager Plus to report the MFA Status for users in Microsoft Entra ID

• Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
• Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
• Export reports generated in M365 Manager Plus in not just CSV, but also in other presentable formats such as HTML, PDF, and XLSX.
• Filter your reports just once and save them as custom reports that you can access later in just a few clicks.
• Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.