Who Moved My Microsoft MFA?

Vector drawing of a man using a magnifying glass on a giant web screen

Nov 11, 2020 by Kevin Oppihle

Did you read that headline in Samuel L. Jackson’s voice? Well, MFA in this case is something a little different than his trademark phrase.

You can enable multi-factor authentication (MFA) functionality in several different places in the Microsoft 365 portal, and Microsoft seems to be doing their best to hide it and confuse everyone.

For example, Microsoft MFA that is enabled in one section of the Azure portal, which also impacts the Microsoft 365 suite, may show as disabled in the Microsoft 365 portal and the standard MFA console of Azure.

It also depends on what features of MFA are available to you depending on your Microsoft 365 licensing in place.

The standard go-to for most admins, even with the basic licensing, is configurable in the standard portal under the Active Users by accessing the “Multi-Factor authentication” as shown below:

The organization below has MFA enforced on one of the users, displayed below using the “MFA console”:

The more advanced configuration for Azure-aware admins, again even with the basic licensing, is configurable in the Azure portal under the Azure Active Directory users. Access the “Multi-Factor authentication” as shown below:


The portal below shows that MFA is disabled…but it’s lying!

Note: Both of the options above direct to the same “MFA console” per tenant, so they will match.

The second example though, in the “MFA console”, displays MFA is disable but it IS ENABLED. This organization is using Conditional Access Policies instead. One policy for blocking non-USA access, one for blocking via IP along with MFA being enabled:

See the required MFA settings below including the ability to exclude specific users:

So, long story short, these are the typical places you will find MFA settings in your Microsoft 365 tenant. You must look at ALL of them to get a clear picture of where and how MFA is enabled. If you have not enabled MFA yet, do so immediately.

For guidance on MFA or Office 365 administration, please call us at 502-240-0404 or email info@mirazon.com

 

Press enter to search