Introduction
This article explains why some Liongard users may be unable to view Multi-Factor Authentication (MFA) user information, focusing on the role of Microsoft Entra ID P1 licensing. It also outlines how certain Microsoft 365 plans inherently include this licensing, facilitating access to MFA data.
Understanding the Issue
Liongard's Microsoft 365 Inspector utilizes Microsoft's Graph API userRegistrationDetails endpoint to retrieve information about users' authentication methods. According to Microsoft, accessing this endpoint requires the tenant to have an associated Microsoft Entra ID Premium P1 or P2 license.
Without the appropriate licensing, Liongard cannot access or display MFA registration details for users.
How to Resolve
Option 1: Utilize Existing Microsoft 365 Licenses
If your organization has Microsoft 365 E3 or E5 licenses, you may already possess the necessary Entra ID licensing:
Microsoft 365 E3: Includes Microsoft Entra ID P1.
Microsoft 365 E5: Includes Microsoft Entra ID P2, which encompasses all P1 features and adds advanced capabilities.
In this case, ensure that the relevant users are assigned these licenses to enable Liongard to retrieve MFA information.
Option 2: Acquire Standalone Entra ID P1 or P2 Licenses
If your current Microsoft 365 plan does not include Entra ID P1 or P2, you can purchase standalone licenses:
Purchase a P1/P2 License: Obtain the necessary license from Microsoft.
Assign the License: After acquisition, assign the license to your tenant in the Microsoft Entra ID domain.
Once the license is assigned, Liongard's Microsoft 365 Inspector will begin retrieving MFA registration information during the next inspection cycle.
Understanding Microsoft Entra ID P1 License
The Microsoft Entra ID P1 license enhances identity and access management capabilities, including:
Conditional Access: Define policies that require MFA under specific conditions, enhancing security without compromising user experience.
MFA Registration Reporting: Track users' MFA registration status, aiding in compliance and security audits.
Self-Service Password Reset (SSPR): Allow users to securely reset their passwords, reducing administrative overhead.
These features are integral to managing and securing user access within your organization.
Conclusion
To enable Liongard to access and display MFA user information, your Microsoft Entra tenant must have Entra ID P1 or higher licensing. This can be achieved through existing Microsoft 365 E3 or E5 licenses or by acquiring standalone Entra ID P1/P2 licenses. Implementing the appropriate licensing not only facilitates MFA data retrieval in Liongard but also strengthens your organization's overall security posture.