
Microsoft 365 | Exposure to User Account(s) Due to Lack of Strong Authentication


Overview ✨

This article explains the Liongard alert “Microsoft 365 | Exposure to User Account(s) Due to Lack of Strong Authentication”, which triggers when Microsoft Secure Score detects that required multi-factor authentication (MFA) registration is incomplete for one or more users.

Strong authentication is a fundamental control to protect user accounts from credential-based attacks. If users haven’t registered MFA or phishing-resistant authentication methods (for example, FIDO2 keys), they remain easier targets for attackers. Liongard surfaces this exposure so you can require registration and reduce your Secure Score gap.

The Secure Score control for MFA registration measures whether users have registered authentication methods; if registration is incomplete, Liongard surfaces this exposure so you can take corrective action.

Sample Alert:


Why Does This Happen? 🤔

This alert is raised when Microsoft Secure Score detects that the MFARegistrationV2 control is not fully implemented. Liongard uses the following metric:

SecureScores.controlScores[?controlName == `MFARegistrationV2`].subtract(to_number(total), to_number(count)) | [0]

How the metric works:

  • SecureScores.controlScores → Dataset of Secure Score controls.

  • controlName == `MFARegistrationV2` → Filters to the MFA registration control.

  • total → Total number of users expected to have registered authentication methods.

  • count → Number of users who have actually registered required authentication methods.

  • subtract(total, count) → Number of users left unregistered / exposed.

If this value is greater than 0, Liongard raises the alert. Even one unregistered privileged account is considered a gap, because attackers often focus on the least-protected accounts.

Common causes

  • Users haven’t completed authentication method registration (no Authenticator app, phone, or FIDO2 key).

  • Conditional Access policies requiring MFA exist but do not target all users.

  • Service/break-glass accounts intentionally excluded from registration or policies.

  • New users not yet added to protected groups.

  • Misconfigured authentication method policies or legacy auth exclusions.


Steps to Resolve 🔧

Option 1: Use Microsoft Entra Admin Center

  1. Require MFA registration

    • Entra Admin Center → Identity → Authentication methods → enable registration enforcement so users must register supported methods (Microsoft Authenticator, phone, FIDO2, etc.).
      (Note: Microsoft is deprecating the older “Combined security info registration” experience. If you still see it in your tenant, plan to transition to the new Authentication methods policy for long-term management.)

  2. Ensure Conditional Access covers users

    • Entra Admin Center → Security → Conditional Access → Policies → review policies that require MFA.

    • Verify Assignments → Users includes the intended population (for all-user coverage, consider selecting All users, being careful with exclusions).

    • Avoid unintentionally excluding user groups (e.g., exclude only documented break-glass accounts).

  3. Document and handle exceptions

    • If some accounts (service/break-glass) must be exempt, document the reasons and minimize the list. Consider alternate mitigations for those accounts.

  4. Require multiple methods for resilience

    • Encourage or require users (especially those critical to operations) to register more than one authentication method to reduce lockout risk.

  5. Verify coverage

    • Export the list of users expected to be protected and compare it to the list of users who have registered authentication methods. Address any gaps.
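The metric described under "Why Does This Happen?" and the coverage check in step 5 above, as an added worked example (not Liongard's or Microsoft's code). The Secure Score sample and the per-user registration report are constructed; the isMfaRegistered / userPrincipalName field names are an assumption about the exported report's shape.

```python
import json

# Constructed sample of the Secure Score controlScores dataset the metric reads.
# total/count are strings on purpose: the metric wraps them in to_number().
SECURE_SCORES = json.loads("""
{"controlScores": [
  {"controlName": "AdminMFAV2",        "total": "5",  "count": "5"},
  {"controlName": "MFARegistrationV2", "total": "12", "count": "9"}
]}
""")

# Constructed stand-in for an exported per-user registration report
# (field names assumed; only the two fields used here are modelled).
REGISTRATION_REPORT = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "breakglass1@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False},
]

# Exceptions documented under step 3 (constructed).
DOCUMENTED_EXCEPTIONS = {"breakglass1@example.com"}


def mfa_registration_gap(secure_scores, control="MFARegistrationV2"):
    """Plain-Python equivalent of the Liongard metric:
    controlScores[?controlName == `MFARegistrationV2`]
        .subtract(to_number(total), to_number(count)) | [0]
    Returns None when the control is absent (the pipe into [0] yields null),
    otherwise total - count, i.e. the number of unregistered users."""
    gaps = [
        float(c["total"]) - float(c["count"])
        for c in secure_scores.get("controlScores", [])
        if c.get("controlName") == control
    ]
    return gaps[0] if gaps else None


def alert_fires(secure_scores):
    """The alert is raised only when the computed gap is greater than 0."""
    gap = mfa_registration_gap(secure_scores)
    return gap is not None and gap > 0


def unregistered_users(report, exceptions=frozenset()):
    """Step 5: users still lacking registration, split into undocumented
    exposures (to fix) and documented exceptions (to justify in Secure Score)."""
    missing = {u["userPrincipalName"] for u in report if not u["isMfaRegistered"]}
    return sorted(missing - exceptions), sorted(missing & exceptions)
```

The exposed list is the set to drive registration enforcement against; the documented list is what you would justify via "Edit status & action plan" in Option 2.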

Option 2: Review and Resolve in Microsoft 365 Security Center

  1. Select "Recommended actions" tab on dashboard.

  2. Select "Ensure multifactor authentication is enabled for all users"

  3. Review the information available to get additional insight into the current scope of the policy, such as Implementation status and User impact.

  4. If some accounts (e.g., break-glass, service accounts) are intentionally excluded from MFA, document the reason and clear the Secure Score review by using Edit status & action plan in Secure Score and choosing the suitable justification:

    • Resolved through third party

    • Resolved through alternate mitigation


Contact Support 🙋‍♂️

Still seeing alerts after confirming the policy covers everyone?

Reach out to our support team with the following:

  1. Complete page screenshot of the alert reflecting the title and changes it detected.

  2. Screenshot of the Actionable Alert rule configuration page:

    1. Go to Admin > Actionable Alerts > Rules

    2. Locate the same Actionable Alert mentioned

    3. Click on the Clone button (two squares icon)

    4. Take a screenshot of the whole page in 2 parts

  3. Screenshot of your Conditional Access policy assignments

  4. Your current Secure Score details from Microsoft 365 Security Center

We're here to help troubleshoot further and are happy to assist in any way possible.
