Language:
This IoE cannot work without a Microsoft Entra ID P1 or P2 license due to data availability restrictions by Microsoft. Therefore, it will not return any result on Entra ID Free tenants.
Multi-Factor Authentication (MFA), or previously Two-Factor Authentication (2FA), provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, especially with privileged accounts. When an attacker obtains a privileged user password by any method, MFA blocks authentication by requesting an additional factor such as a time-expiring code from a mobile application, a physical token, a biometric feature, etc.
This Indicator of Exposure alerts you when an account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk. However, this Indicator of Exposure cannot report on whether or not Microsoft Entra ID enforces MFA as Conditional Access Policies may require MFA depending on dynamic criteria.
You can also use the "Authentication methods activity" and "MFA Reports" features in Entra ID.
See also the related IOE, "Missing MFA for Non-Privileged Account", for non-privileged accounts.
Disabled users are ignored since they cannot be abused immediately by attackers, and also because of a limitation of the Microsoft Graph API which reports an incorrect MFA status for disabled users.
All reported privileged users must register MFA methods and have MFA enforced to increase their protection against password attacks as recommended by Microsoft's "Best practices for Microsoft Entra roles": "3. Turn on multi-factor authentication for all your administrator accounts. Based on our studies, your account is 99.9% less likely to be compromised if you use multi-factor authentication (MFA)."
For Microsoft Entra ID, Microsoft offers a Conditional Access Policy template called Require MFA for administrators. This policy prompts users to register an MFA method the first time they authenticate following MFA enforcement. We recommend that you follow the "Plan a Conditional Access deployment" Microsoft documentation.
Note that you should plan to have one or two privileged break glass accounts, using different MFA methods than the normal administrative accounts, as recommended by the "Manage emergency access accounts in Microsoft Entra ID" Microsoft documentation.
Read more about Microsoft Entra MFA in this section of the Microsoft Entra authentication documentation (check also related pages).
Name: Missing MFA for Privileged Account
Codename: MISSING-MFA-FOR-PRIVILEGED-ACCOUNT
Severity: High