Last Updated On:
Understanding Microsoft Office 365 Multi-Factor Authentication (MFA) Enabled vs. Enforced
One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multifactor authentication. Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray. Enabling multi-factor authentication (MFA) ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems where they could cause serious financial and operational damage.
Microsoft 365 and Office 365 both support basic MFA features at no extra cost, with upgraded features available for purchase. Depending on your organizational needs, there are a few different ways you can enable a user for MFA. Whether through manual configuration, security defaults, or Conditional Access policies, multi-factor authentication can be configured using the Azure portal.
What’s the Difference Between MFA Enabled and Enforced?
Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.
Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
Disabled: This is the default state for a new user that has not been enrolled in MFA.
Keep in mind, regarding the enforced MFA user status, some older non-browser apps, like Office 2010 or earlier, modern authentication protocols won’t work. In order to enable MFA for user accounts in these apps, with Azure AD multi-factor authentication still enabled, app passwords can be used instead of the user’s regular username and password.
Understanding Methods to Enable Office 365 Multi-Factor Authentication
Enabling Azure Multi-Factor Authentication by Changing User States
Enabling Azure Multi-Factor Authentication with Security Defaults
Enabling Azure Multi-Factor Authentication with a Conditional Access Policy
All the methods listed above prompt users to register for Azure multi-factor authentication the first time they sign in after the requirements turn on. After users complete the multi-factor authentication registration, they will only be prompted for another authentication, when necessary, primarily when using a new device or application or completing critical tasks. For more information on Azure AD multi-factor authentication, see documentation from Microsoft.
Viewing Multi-Factor Authentication User States
How to View MFA User States in the Azure Portal
- After signing in to the Azure portal, either search for or click on Azure Active Directory from the main menu
- On the left navigation, select Users > All Users
- Select Multi-Factor Authentication, on the menu across the top (located after Reset Password)
- A new page will open that displays the user name and MFA user status
How to Get a Report of Users and Their MFA Status in Cayosoft Administrator
- From the Cayosoft Administrator console, click new Rule
- Click Show All Templates
- Click Office 365 Multi-factor Authentication (MFA) Status, then click Next
- Click Create and Save Report, then click Next
- Click Finish, then click Run Rule
- When prompted save the rule, then confirm the report was started
- When the green balloon at the to right turns from Green to Blue the report is ready
- In the Navigation Tree click the Reports node
- Double click the new report to open it
To learn more about multi-factor authentication, read our blog discussing the differences between Microsoft user-based MFA and Azure MFA here.
To learn more about increasing security in your Microsoft environments, check out our webinar, “3 Keys to Secure Hybrid Microsoft Management.”
Want to Secure Your Active Directory?
Learn more about Cayosoft Administrator, our unified solution for securing and managing all your Microsoft Directories, or schedule a personalized demo to see how Cayosoft can help improve your security and IT efficiency!