MFA Enabled vs Enforced – What’s the Difference?


Understanding Office 365 Multi-Factor Authentication Enabled vs. Enforced

One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multi-factor authentication (MFA). Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray. Enabling MFA ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems where they could cause serious financial and operational damage.

Microsoft 365 and Office 365 both support basic MFA features at no extra cost, with upgraded features available for purchase. Depending on your organizational needs, there are a few different ways you can enable a user for MFA. Whether through manual configuration, security defaults, or Conditional Access policies, multi-factor authentication can be configured using the Azure portal.

To learn more about managing Active Directory with native and third-party tools, read our Active Directory Management Tools guide.

What’s the Difference Between MFA Enabled and Enforced?

Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.

MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.

MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.

MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.

Keep in mind that once a user is in the enforced state, some older non-browser apps, such as Office 2010 or earlier, do not support modern authentication protocols and will stop working. To let these apps keep signing in while Azure AD multi-factor authentication remains enforced for the account, app passwords can be used in place of the user’s regular password.

To learn more about multi-factor authentication, read our blog discussing the differences between Microsoft user-based MFA and Azure MFA.

Understanding Methods to Enable Office 365 Multi-Factor Authentication

Multi-factor authentication can be enabled in Azure AD/Entra ID in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.

Enable MFA by Changing User States

This is the traditional approach for requiring two-step verification. All users that you enable perform two-step verification each time they sign in. Enabling a user overrides any conditional access policies that might affect that user. While this method is preferred when making changes on an individual basis, it is now not recommended by Microsoft, as it can be time-consuming and error-prone to configure and manage for an entire organization.
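The three user states described above (Disabled, Enabled, Enforced) and the per-user method of enabling them can both be driven from PowerShell. The following is an added example, not code from the original post or from Cayosoft; it assumes the legacy MSOnline module is installed and that `user@contoso.example` is a placeholder UPN. Microsoft has deprecated MSOnline, but it is the module that exposes the per-user state this section refers to, and it is the same state the "Per-user MFA" page in the portal displays.

```powershell
# Added example (not from the original post): read and set the per-user MFA
# state that the portal shows as Disabled / Enabled / Enforced.
# Assumes the legacy MSOnline module is installed (Install-Module MSOnline).
Connect-MsolService

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # StrongAuthenticationRequirements is empty for a Disabled user; otherwise
    # its State property holds "Enabled" or "Enforced".
    $state = $user.StrongAuthenticationRequirements.State
    if (-not $state) { "Disabled" } else { $state }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    # Set "Enabled" only; the user moves to "Enforced" on their own once they
    # complete registration at their next sign-in.
    $req.State = "Enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage with a placeholder UPN
$upn = "user@contoso.example"
"Before: $(Get-PerUserMfaState -UserPrincipalName $upn)"
Enable-PerUserMfa -UserPrincipalName $upn
"After:  $(Get-PerUserMfaState -UserPrincipalName $upn)"

# Tenant-wide count of users in each of the three states
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'
           Expression = {
               if ($_.StrongAuthenticationRequirements.State) { $_.StrongAuthenticationRequirements.State }
               else { 'Disabled' }
           } } |
    Group-Object MfaState |
    Select-Object Name, Count
```

Because an account set this way overrides Conditional Access for that user, as the paragraph above notes, the tenant-wide count at the end is a useful check before moving to Conditional Access: any user still in the Enabled or Enforced per-user state will keep being prompted on every sign-in regardless of policy.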

Enable MFA with Security Defaults

Toward the end of 2019, Microsoft released security defaults to help protect organizations from identity-related attacks. These preconfigured security settings include enabling multi-factor authentication for all admin and user accounts. Microsoft is in the process of making these security defaults available to all license subscriptions. Depending on when your tenant was created, security defaults may already be enabled. If not, security defaults must be turned on in the Azure Portal. To learn how to turn on security defaults, read this article from Microsoft.

Enable MFA with a Conditional Access Policy

This is a more flexible approach for requiring two-step verification and is the method recommended by Microsoft. It only works for Azure MFA in the cloud, though, and Conditional Access is a paid feature of Azure Active Directory, specifically Premium P1 or P2 editions. You can create Conditional Access policies that apply to groups as well as individual users. High-risk groups can be given more restrictions than low-risk groups, or two-step verification can be required only for high-risk cloud apps and skipped for low-risk ones. Azure AD Premium P2 licenses add risk-based Conditional Access that can adapt to user patterns, tracking normal behavior to minimize multi-factor authentication prompts that aren’t deemed necessary.
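As an added example of the Conditional Access approach (not code from the original post or from Cayosoft), the script below creates a policy that requires MFA for members of one group across all cloud apps, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that a group named `MFA-Pilot-Users` exists (a placeholder name), and that `<break-glass-account-object-id>` is replaced with the object ID of an emergency-access account. As the section states, this requires Azure AD Premium P1 or P2.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# requires MFA for a pilot group on every cloud app, created in report-only mode.
# Assumes Microsoft.Graph is installed and the placeholder group/account below exist.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'MFA-Pilot-Users'"   # placeholder group name
if (-not $group) { throw "Pilot group not found; create it or change the name above." }

$policy = @{
    displayName = "Require MFA - pilot group (report-only)"
    # Report-only records in the sign-in logs who would have been prompted,
    # without prompting anyone; switch to "enabled" once the results look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($group.Id)
            # Always exclude at least one emergency-access account so an MFA
            # outage cannot lock every administrator out (placeholder object ID).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"
```

Scoping the policy to a group rather than to individual users is what makes this approach easier to manage than per-user states: membership changes in the group change who is covered, and a second policy with tighter controls can target a higher-risk group without touching this one.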

All the methods listed above prompt users to register for Azure multi-factor authentication the first time they sign in after the requirement turns on. After users complete the multi-factor authentication registration, they will only be prompted for another verification when necessary, primarily when using a new device or application or completing critical tasks. For more information on Azure AD multi-factor authentication, see documentation from Microsoft.

Latest Updates to MFA in Microsoft 365

Microsoft is constantly making improvements to its MFA offerings. Here are some of the latest updates (as of December 2023):
  • Security defaults: Microsoft has been making security defaults available to all license subscriptions, which includes enabling MFA for all admin and user accounts. This is a significant step forward in making MFA the default security posture for Microsoft 365 organizations.
  • Cloud MFA: Microsoft has introduced new cloud-based MFA options that offer improved security and manageability. These options include Azure Active Directory Multi-Factor Authentication (MFA) and the Microsoft Authenticator app.
  • End of Azure MFA Server: Beginning September 30, 2024, Azure MFA Server deployments will no longer service MFA requests. Organizations should migrate their users to the cloud-based Azure MFA service before this date to avoid disruptions. You can learn more about it in this update from Microsoft.

To learn more about increasing security in your Microsoft environments, check out our webinar, “Modernize AD Management: How Security & Efficiency Intertwine.”

Viewing Multi-Factor Authentication User States

How to Manually Check MFA User States in the Azure Portal

  1. After signing in to the Azure/Entra ID portal, select “Microsoft Entra ID” from the main menu
  2. On the left navigation, select “Users”, then “All Users”
  3. On the top navigation, click “Per-user MFA”
  4. A new page will open that displays the username and MFA user status
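The portal page above shows the per-user state, but not which second factor each user has actually registered, which is what decides whether a user has effectively moved from enabled to enforced. The following added example (not code from the original post or from Cayosoft) builds that view with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the two scopes listed.

```powershell
# Added example (not from the original post): report which users have registered
# a strong (non-password) authentication method, and export those who have not.
# Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Method types that count as a second factor. Password is excluded, and so is
# email, which Entra ID uses for self-service password reset rather than MFA.
$strongTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$report = foreach ($u in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    # Each method's concrete type is carried in the @odata.type property.
    $types = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $registered = @($types | Where-Object { $strongTypes -contains $_ })
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        StrongMethods     = (($registered -replace '#microsoft\.graph\.', '') -join ';')
        MfaRegistered     = $registered.Count -gt 0
    }
}

$report | Sort-Object MfaRegistered, UserPrincipalName | Format-Table -AutoSize

# Enabled accounts with no registered second factor: these users will be asked
# to register at their next sign-in if a requirement applies to them, and are
# protected by password alone until they do.
$report | Where-Object { $_.AccountEnabled -and -not $_.MfaRegistered } |
    Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run is a lightweight way to catch users who were added to an MFA-required group but never finished registration.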

How to Create a Report of Users and Their MFA Status in Cayosoft Administrator

With Cayosoft Administrator, you are able to create the below report once, then get it delivered on a schedule, like weekly or monthly.

  1. From the Cayosoft Administrator console, click “New Rule”
  2. Click “Show All Templates”
  3. Type “MFA” into the search bar to show relevant rules
  4. Create the rule “Microsoft 365 Users Authentication Methods (MFA) Status”
  5. For rule output, select the desired output such as “Send as E-mail with Attached Report”
  6. Click “Finish”, verify the output, then click “Run Rule”

Want to Secure Your Active Directory?

Learn more about Cayosoft Administrator, our unified solution for securing and managing all your Microsoft Directories, or schedule a personalized demo to see how Cayosoft can help improve your security and IT efficiency!
