What’s the Difference Between Enabling and Enforcing MFA?


Understanding Microsoft Office 365 Multi-Factor Authentication (MFA) Enabled vs. Enforced

One of the top ways Microsoft recommends to secure Azure Active Directory and Office 365 accounts is multi-factor authentication. Passwords remain the most common way to verify a user's identity, but they are highly vulnerable to attacks such as phishing and password spray. Multi-factor authentication (MFA) requires at least two verification factors, so an attacker who has obtained a password alone is still blocked from systems where they could cause serious financial and operational damage.

Microsoft 365 and Office 365 both include basic MFA at no extra cost, with upgraded features available for purchase. Depending on your organizational needs, there are a few different ways to require MFA for a user: per-user MFA settings, security defaults, or Conditional Access policies. All three are configured from the Azure portal.

What’s the Difference Between MFA Enabled and Enforced?

Microsoft Azure Active Directory uses three user states to show the status of per-user multi-factor authentication (MFA). These states are shown in the Azure portal, and every user starts out as disabled.

Enabled: The user has been enrolled in per-user MFA but has not yet registered any authentication methods. They are prompted to register the next time they sign in to a browser or modern-authentication app. Until registration completes, older non-browser apps continue to accept the user's password alone, so an Enabled user is not yet actually protected.

Enforced: The user has been enrolled and has completed MFA registration; every sign-in now requires a second factor. Users are automatically switched from Enabled to Enforced when they register for Azure AD MFA.

Disabled: This is the default state for a new user who has not been enrolled in per-user MFA.

Keep in mind that once a user is Enforced, older non-browser apps that do not support modern authentication, such as Office 2010 or earlier, will no longer sign in with the user's regular password. If such apps must keep working while Azure AD MFA stays enabled, the user can generate an app password and use it in place of their normal password. An app password is a single-factor credential that sidesteps MFA for that client, so treat it as a temporary exception and retire it once the legacy app is upgraded or replaced.

Understanding Methods to Enable Office 365 Multi-Factor Authentication

Multi-factor authentication can be enabled in Azure AD in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.

Enabling Azure Multi-Factor Authentication by Changing User States

This is the traditional approach for requiring two-step verification. Every user you enable is asked to complete two-step verification each time they sign in, and setting a user's state overrides any Conditional Access policy that would otherwise apply to that user. The method is fine for changing a handful of accounts individually, but Microsoft no longer recommends it for an entire organization, because it is time-consuming and error-prone to configure and manage at scale.
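Changing a user's per-user MFA state is done with the legacy MSOnline PowerShell module. The following is an added example, not code from the original article or from Cayosoft; it assumes you hold a role that can manage authentication settings and that the user `alice@contoso.com` is a placeholder for a real account in your tenant.

```powershell
# Added example (not from the original article): set one user's per-user MFA state.
# Assumes an Authentication/Global Administrator role; alice@contoso.com is a placeholder.
Install-Module MSOnline -Scope CurrentUser   # one-time; the module is legacy but still drives per-user MFA
Connect-MsolService

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # "Disabled" is represented by an empty requirements collection, not by State = 'Disabled'
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'        # apply to every relying party (all cloud apps)
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($u.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
    else { $u.StrongAuthenticationRequirements[0].State }
}

# Move the user to Enabled: they are prompted to register at next sign-in and
# flip to Enforced automatically once registration completes.
Set-PerUserMfaState -UserPrincipalName 'alice@contoso.com' -State 'Enabled'
Get-PerUserMfaState -UserPrincipalName 'alice@contoso.com'   # Enabled
```

Setting `Enforced` directly is allowed, but a user who has registered no methods will still be walked through registration at the next sign-in; it does not skip that step, it only removes the window in which legacy clients accept a bare password.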

Enabling Azure Multi-Factor Authentication with Security Defaults

Toward the end of 2019, Microsoft released security defaults to help protect organizations from identity-related attacks. These preconfigured settings require multi-factor authentication for all admin and user accounts and block legacy authentication protocols. Security defaults are available on every Azure AD license tier, including the free tier. Depending on when your tenant was created, they may already be enabled; if not, they must be turned on in the Azure portal. Note that security defaults are all-or-nothing and cannot be combined with Conditional Access: to use Conditional Access policies you must turn security defaults off. To learn how to turn on security defaults, read this article from Microsoft.

Enabling Azure Multi-Factor Authentication with a Conditional Access Policy

This is a more flexible approach for requiring two-step verification and is the method Microsoft recommends. It only works for Azure MFA in the cloud, and Conditional Access is a paid feature of Azure Active Directory, requiring Premium P1 or P2 (or a bundle such as Microsoft 365 Business Premium that includes P1). You can create Conditional Access policies that apply to groups as well as individual users. High-risk groups can be given more restrictions than low-risk groups, or two-step verification can be required only for high-risk cloud apps and skipped for low-risk ones. Azure AD Premium P2 licenses add risk-based Conditional Access, which uses Identity Protection's sign-in and user risk signals to prompt for MFA when a sign-in looks unusual and to skip prompts that aren't deemed necessary.
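A tenant-wide "require MFA" policy is the usual first Conditional Access policy, and the two things practitioners most often get wrong are enforcing it immediately and forgetting to exclude emergency-access accounts. The block below is an added example written for this page, not code from the original article or from Cayosoft; it uses the Microsoft Graph PowerShell SDK, assumes an Azure AD Premium P1/P2 tenant and a Conditional Access Administrator role, and the group ID is a placeholder you replace with your break-glass group's object ID.

```powershell
# Added example (not from the original article): create a report-only Conditional Access
# policy requiring MFA for all users on all cloud apps, then enable it after review.
# Assumes Azure AD Premium P1/P2 and a Conditional Access Administrator role.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # one-time
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

$policy = @{
    displayName = 'Require MFA for all users (all cloud apps)'
    # Report-only first: sign-in logs show who would have been blocked before anyone is.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency-access accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')                   # includes legacy clients, which cannot satisfy MFA
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, switch the policy on:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Because `clientAppTypes` is `all`, legacy authentication clients that cannot perform MFA are denied once the policy is enabled, which is the intended effect. A user whose per-user state is Enforced is prompted regardless of this policy, since per-user MFA overrides Conditional Access; Microsoft's guidance is to move such users back to Disabled once the policy covers them.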

All the methods listed above prompt users to register for Azure multi-factor authentication the first time they sign in after the requirement takes effect. After registration, users are prompted for a second factor only when necessary, primarily when signing in from a new device or application or when performing sensitive tasks. For more information on Azure AD multi-factor authentication, see Microsoft's documentation.

Viewing Multi-Factor Authentication User States

How to View MFA User States in the Azure Portal

  1. After signing in to the Azure portal, either search for or click on Azure Active Directory from the main menu
  2. On the left navigation, select Users > All Users
  3. Select Multi-Factor Authentication, on the menu across the top (located after Reset Password)
  4. A new page will open that displays the user name and MFA user status
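Clicking through the portal shows one page of users at a time and does not distinguish an Enabled user who has registered from one who has not. The report below is an added example written for this page, not code from the original article or from Cayosoft; it uses the legacy MSOnline module, assumes an admin role that can read all users with `Get-MsolUser`, and flags the "Enabled but no methods registered" gap in which legacy clients still accept a bare password.

```powershell
# Added example (not from the original article): report every user's per-user MFA state
# and flag accounts that are Enabled but have registered no authentication methods.
# Assumes a role that can run Get-MsolUser across the tenant.
Install-Module MSOnline -Scope CurrentUser   # one-time
Connect-MsolService

function Get-MfaStateReport {
    Get-MsolUser -All | ForEach-Object {
        $req   = $_.StrongAuthenticationRequirements
        $state = if ($req.Count -eq 0) { 'Disabled' } else { $req[0].State }
        # Registered methods (authenticator app, phone, ...) live in a separate collection
        $methods    = $_.StrongAuthenticationMethods
        $registered = $methods.Count -gt 0
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
            MethodsRegistered = $registered
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
            # Enabled + no methods: MFA is switched on but not yet protecting the account
            Gap               = ($state -eq 'Enabled' -and -not $registered)
        }
    }
}

$report = Get-MfaStateReport
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize
$report | Where-Object Gap | Export-Csv -Path .\mfa-enabled-not-registered.csv -NoTypeInformation
```

The `Gap` column is the one to chase: those users should be nudged to register, or moved to Enforced so the next sign-in forces registration. Users who are Disabled but have methods registered are typically covered by Conditional Access or security defaults rather than per-user MFA, which is the expected picture in a tenant that has moved off per-user settings.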

How to Get a Report of Users and Their MFA Status in Cayosoft Administrator

  1. From the Cayosoft Administrator console, click New Rule
  2. Click Show All Templates
  3. Click Office 365 Multi-factor Authentication (MFA) Status, then click Next
  4. Click Create and Save Report, then click Next
  5. Click Finish, then click Run Rule
  6. When prompted save the rule, then confirm the report was started
  7. When the balloon at the top right turns from green to blue, the report is ready
  8. In the Navigation Tree click the Reports node
  9. Double click the new report to open it

To learn more about multi-factor authentication, read our blog discussing the differences between Microsoft user-based MFA and Azure MFA here.

To learn more about increasing security in your Microsoft environments, check out our webinar, “3 Keys to Secure Hybrid Microsoft Management.”

Want to Secure Your Active Directory?

Learn more about Cayosoft Administrator, our unified solution for securing and managing all your Microsoft Directories, or schedule a personalized demo to see how Cayosoft can help improve your security and IT efficiency!
