Do you REALLY have MFA for ALL of your users?
April 22, 2025 | by Vebjørn

I see this very often.
Many are content with having “enabled MFA” for their users.
But even though the requirement (Conditional Access) is in place, it doesn’t necessarily mean that everyone has been registered for MFA! ❌ 📱
Why is this important, you ask?
Well, if your users delay registering MFA, the bad guys will do it for them 😈
If the attacker guesses or somehow retrieves the account password, they can just continue the registration flow 📝
Check your own tenant!
Go to “portal.azure.com”
Open “Microsoft Entra ID”
Scroll down to “Monitoring” -> “Usage & Insights”
Go to “Authentication Methods Activity” to see the percentage of users without MFA
The reason the MFA percentage is often poor is usually:
– New accounts that never logged in, or have gone stale over time 😴
– Guests who have never logged in 🛌💤
– Too many exceptions in the MFA policy (e.g., IP address) 🇧🇻🇸🇪🇩🇰🇫🇮+
– Other misconfigurations in Conditional Access 📖
Clean out these sleepy users and you should see some nice numbers in the statistics! 🛌💥🥊
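The triage described above, as an added example that is not code from the original post: it takes records shaped like Microsoft Graph's userRegistrationDetails report plus each user's last sign-in time, and sorts the users without MFA into the causes listed above. The sample records, the 90-day stale threshold and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumption: choose your own staleness threshold
SAMPLE_NOW = datetime(2025, 4, 22, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample data. Field names follow Microsoft Graph's
# userRegistrationDetails report (id, userPrincipalName, userType, isMfaRegistered).
REGISTRATION = [
    {"id": "1", "userPrincipalName": "alice@contoso.example", "userType": "member", "isMfaRegistered": True},
    {"id": "2", "userPrincipalName": "bob@contoso.example", "userType": "member", "isMfaRegistered": False},
    {"id": "3", "userPrincipalName": "carol@partner.example", "userType": "guest", "isMfaRegistered": False},
    {"id": "4", "userPrincipalName": "dave@contoso.example", "userType": "member", "isMfaRegistered": False},
    {"id": "5", "userPrincipalName": "erin@contoso.example", "userType": "member", "isMfaRegistered": False},
]
# Constructed: user id -> signInActivity.lastSignInDateTime (None = never signed in)
SIGN_INS = {"1": "2025-04-20T08:00:00Z", "2": None, "3": None,
            "4": "2024-11-01T09:30:00Z", "5": "2025-04-18T07:15:00Z"}


def coverage(registration):
    """Percentage of accounts that have MFA registered."""
    registered = sum(1 for u in registration if u["isMfaRegistered"])
    return round(100 * registered / len(registration), 1)


def triage(registration, sign_ins, now):
    """Group every account without MFA by the likely reason it is unregistered."""
    buckets = {"never_signed_in": [], "guest_never_signed_in": [],
               "stale": [], "active_unregistered": []}
    for user in registration:
        if user["isMfaRegistered"]:
            continue
        last = sign_ins.get(user["id"])
        if last is None:
            # Never logged in: anyone who obtains the password can register MFA first.
            key = "guest_never_signed_in" if user["userType"] == "guest" else "never_signed_in"
        elif now - datetime.fromisoformat(last.replace("Z", "+00:00")) > STALE_AFTER:
            key = "stale"  # has gone quiet: candidate for disabling or removal
        else:
            # Still signing in without MFA: look for policy exclusions or misconfiguration.
            key = "active_unregistered"
        buckets[key].append(user["userPrincipalName"])
    return buckets


if __name__ == "__main__":
    print(f"MFA registered: {coverage(REGISTRATION)}%")
    for reason, users in triage(REGISTRATION, SIGN_INS, SAMPLE_NOW).items():
        print(f"{reason}: {users}")
```

The `active_unregistered` group is the one to check against Conditional Access exclusions, since those accounts are in use but the MFA requirement has not reached them.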
Another preventive step you can take is to require a registration location.
This way, users must be in the office or receive a TAP (Temporary Access Pass) to register MFA ☕ 🛡️
It is VERY IMPORTANT to maintain your user base so that you keep up your MFA coverage, thereby avoiding account takeover 💝