Details
Please check if your tenant is using Office 365's "Legacy Per-User" MFA settings. Our M365 inspector uses Microsoft Graph API to query data in Azure AD/O365 environments. It is not possible to query "Legacy Per-User" MFA data from Office 365 using Microsoft Graph. Legacy per-user MFA was a feature specific to Office 365 and used in conjunction with the Office 365 admin center. However, Microsoft has since deprecated "Legacy Per-User" MFA and replaced it with Azure AD Multi-Factor Authentication. More information about this can be found here.
To accurately report users' MFA statuses, our M365 inspector requires either Conditional Access policies or Security defaults to be configured in your Azure AD tenant, and that users have an Azure Active Directory Premium P1 license or higher.
About Conditional Access Policies and Security Defaults
Conditional Access policies:
Conditional Access policies in Azure AD provide a more granular approach to enforcing MFA based on specific conditions, such as user groups, applications, locations, device platforms, and sign-in risk levels. By creating and applying Conditional Access policies, administrators can define and enforce specific access requirements, including MFA, for users attempting to access resources. For example, a policy can be created to require MFA for users accessing sensitive applications or when they are connecting from an unfamiliar location. Conditional Access policies enable organizations to balance security and productivity by applying MFA only when certain conditions are met, reducing friction for users in low-risk scenarios.
Security defaults:
Security defaults are a set of basic security settings provided by Microsoft for organizations that may not have dedicated security teams or resources to manage their security posture. When enabled, security defaults apply a predefined set of security configurations, including MFA, to all users in the organization. With security defaults enabled, MFA is enforced for all users during sign-in, and privileged actions such as registering an application or modifying directory settings also require MFA. While security defaults offer a straightforward approach to enhancing security, they lack the granularity and flexibility of Conditional Access policies.
In summary, Conditional Access policies provide a flexible and granular way to enforce MFA based on specific conditions, while security defaults offer a simpler and more basic approach to enforcing MFA for all users across the organization. Organizations should choose the method that best aligns with their security requirements and resources.
If you meet these conditions and still believe your M365 inspector is returning inaccurate user MFA information, please open a support case and our team will assist you further.