Overview
Liongard's Microsoft 365 Inspector retrieves MFA registration data using the Microsoft Graph API. If your inspector is not displaying MFA registration status, or is showing users as not registered for MFA even though MFA is enabled, the most common cause is that the tenant is still using Office 365 Legacy Per-User MFA.
Legacy Per-User MFA is an older mechanism that was configured in the Office 365 admin center. Microsoft has officially deprecated this model and replaced it with Azure AD MFA managed through Conditional Access policies or Security Defaults. More information about this can be found here.
The Microsoft Graph API does not expose Legacy MFA settings, which means Liongard (and any Graph-based tooling) cannot detect or report MFA status when Legacy Per-User MFA is being used.
As a result:
Users protected by Legacy Per-User MFA will not show correct MFA registration data.
The Inspector may report those users as not having MFA registered or enabled.
MFA enforcement and registration information will only be available when MFA is enforced through Azure AD mechanisms (Conditional Access or Security Defaults).
Why This Happens
1. Legacy Per-User MFA is not accessible via Microsoft Graph
Legacy Per-User MFA:
Pre-dates Azure AD MFA enforcement mechanisms.
Was originally managed through the Office 365 admin center ("multi-factor authentication" page).
Stores MFA configuration in endpoints that Microsoft Graph does not query.
Has been fully deprecated by Microsoft in favor of Azure AD Conditional Access.
Microsoft explicitly states that:
Legacy MFA settings are not available via Graph, only via legacy O365 endpoints.
Graph-based solutions cannot report this data, including Liongard, Entra Admin Center MFA APIs, and other monitoring tools.
Therefore:
Liongard cannot pull registration status for users still using the legacy model.
Users appear unregistered / no methods configured.
2. Azure AD MFA Requires Conditional Access or Security Defaults
To surface MFA registration and enforcement data through Microsoft Graph, the tenant must be using one of the following:
Conditional Access Policies
Supports granular enforcement based on user, group, application, network location, device platform, or sign-in risk.
Enables MFA requirement during sign-in under specific conditions.
Requires Azure AD Premium P1 license.
Exposes MFA registration and method data in Graph's authenticationMethods API.
Security Defaults
A baseline security configuration available at no extra cost.
Enforces MFA for all users.
Does not support granular targeting; applies to entire tenant.
Also surfaces MFA registration data in Microsoft Graph.
Without one of these mechanisms enabled, Graph cannot provide MFA-related information.
3. Licensing Requirements
To retrieve MFA details via Graph, users must meet the licensing requirement for the enforcement mechanism:
| MFA Enforcement Model | Licensing Requirement | Graph API Support | Liongard MFA Reporting |
| --- | --- | --- | --- |
| Conditional Access | Azure AD Premium P1+ | Fully Supported | Accurate |
| Security Defaults | No P1 required | Supported | Accurate |
| Legacy Per-User MFA | No license required | Not Supported | Not Accurate |
If the tenant is only using Legacy Per-User MFA, has no Conditional Access policies, and has Security Defaults disabled, the Inspector cannot read MFA status.
Explanation of MFA Enforcement Models
Conditional Access Policies (Granular MFA Enforcement)
Conditional Access (CA) allows administrators to define rules such as:
Require MFA when signing in from outside the corporate network.
Require MFA for accessing privileged applications.
Require MFA for administrators, high-risk users, or service accounts.
Block access unless MFA is satisfied.
CA provides:
Fine-grained control.
Risk-based access policies.
Modern API visibility.
Full Graph reporting support.
The most accurate MFA configuration data for Liongard.
Because Conditional Access is the modern enforcement model, Microsoft Graph exposes:
Authentication methods registered (Authenticator app, SMS, FIDO2 keys).
Whether MFA is required.
Whether user registration is complete.
This is the model Microsoft recommends for all organizations using Azure AD.
Security Defaults (Basic MFA Enforcement)
Security Defaults:
Forces MFA for all users by default.
Blocks older legacy protocols.
Enforces MFA during high-value operations (app registration, directory changes).
Does not require Azure AD Premium licensing.
Surfaces MFA information through Graph in a simplified model.
Security Defaults are ideal for:
Small organizations.
Tenants without security teams.
MSPs managing many small customers.
While Security Defaults lack the granularity of Conditional Access, they are fully compatible with Liongard's MFA reporting.
Legacy Per-User MFA (Deprecated and Unsupported)
Legacy Per-User MFA was a previous generation control with major limitations:
Enforced at the user level rather than through policies.
Managed through the old Office 365 admin portal.
Not connected to Microsoft Graph.
Does not expose authentication method or MFA registration status programmatically.
Officially deprecated by Microsoft.
Microsoft urges all organizations to migrate to Azure AD MFA through CA or Security Defaults.
Troubleshooting Checklist
Use the following checklist to identify why MFA data may not be appearing:
1. Is the tenant using Legacy Per-User MFA?
If yes, MFA will not display in Liongard.
Check the Office 365 "Multi-factor authentication" page.
If the list shows "Enabled" or "Enforced" under Legacy MFA, this is the root cause.
2. Are Conditional Access policies configured to enforce MFA?
Verify:
At least one CA policy requires MFA.
Users in question are included in the policy scope.
The policy is not blocked, disabled, or overridden by exclusions.
3. Is Security Defaults enabled instead?
If Security Defaults is enabled:
Conditional Access is disabled automatically.
MFA enforcement is active tenant-wide.
MFA registration data should appear correctly.
4. Does the user have the required licenses?
This is critical:
Conditional Access MFA requires Azure AD Premium P1 or higher.
Security Defaults does not require P1, but CA does.
5. Is the Microsoft 365 Inspector running without errors?
Verify in Liongard:
6. Has MFA registration actually been completed by the user?
Legacy MFA may allow users to authenticate without registering modern MFA methods (Authenticator app, phone, FIDO2 keys).
Azure AD MFA requires explicit method registration, which is visible in Graph.
7. Was the tenant recently migrated from Legacy MFA?
Migration notes:
It may take time for Graph to reflect accurate registration status.
Users may need to re-register MFA under the new model.
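Section 2 above and checklist items 1 to 4 and 6 all come down to the same three Graph reads. The following added example (not Liongard's code) triages constructed samples of those responses offline: it names the enforcement model that Graph-based reporting can rely on and lists the users who will show as unprotected or unregistered, treating report-only policies and policy exclusions as the edge cases they are. Field names follow Microsoft Graph v1.0; the user ids, UPNs and policy names are constructed, and the scope check ignores group and role targeting.

```python
# Added example, not Liongard's code: offline triage of the Graph v1.0 responses that
# MFA reporting depends on. The dicts are constructed samples shaped like
#   GET /policies/identitySecurityDefaultsEnforcementPolicy
#   GET /identity/conditionalAccess/policies
#   GET /reports/authenticationMethods/userRegistrationDetails
SECURITY_DEFAULTS = {"displayName": "Security Defaults", "isEnabled": False}

CA_POLICIES = {"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]}

REGISTRATION = {"value": [  # only the fields this check needs; Graph returns more
    {"id": "u-0001", "userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
    {"id": "u-0002", "userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
    {"id": "bg-0001", "userPrincipalName": "breakglass@contoso.example", "isMfaRegistered": False},
]}

def requires_mfa(policy):
    """Enforced policy whose grant control demands MFA; report-only, disabled,
    'block' and session-only policies (grantControls null) do not count."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))

def enforcement_model(security_defaults, ca_policies):
    if security_defaults.get("isEnabled"):
        return "security_defaults"  # CA is unavailable while Security Defaults is on
    if any(requires_mfa(p) for p in ca_policies["value"]):
        return "conditional_access"
    return "none"  # at most Legacy Per-User MFA is in play, which Graph cannot see

def mfa_findings(ca_policies, registration):
    """UPN -> reason; scope check simplified to 'All'/user id minus excludeUsers (no groups/roles)."""
    enforced = [p["conditions"]["users"] for p in ca_policies["value"] if requires_mfa(p)]
    findings = {}
    for u in registration["value"]:
        uid = u["id"]
        covered = any(("All" in s.get("includeUsers", []) or uid in s.get("includeUsers", []))
                      and uid not in s.get("excludeUsers", []) for s in enforced)
        if not covered:
            findings[u["userPrincipalName"]] = "not in scope of any enforced MFA policy"
        elif not u.get("isMfaRegistered"):
            findings[u["userPrincipalName"]] = "in scope but no MFA method registered"
    return findings
```

With the sample data the model resolves to "conditional_access", the excluded break-glass account is reported as out of scope, and bob is reported as in scope but unregistered; a tenant with Security Defaults off and only a report-only policy resolves to "none", which is exactly the Legacy-only situation the checklist describes.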
When to Contact Liongard Support
If:
Legacy Per-User MFA is disabled.
Conditional Access or Security Defaults is enabled.
Users meet licensing requirements.
The Inspector is running cleanly.
...and MFA registration status still appears incorrect, open a Liongard support case.
Please include:
Inspector name and URL.
Confirmation of CA/Security Defaults configuration (Screenshots).
Screenshot of Authentication Methods blade (Entra admin center).
Logs from a Clear Cache + Debug Mode run.
External Resource Disclaimer
This article references external Microsoft resources and tools. Liongard does not control availability, functionality, or accuracy of third-party sites. Use them as optional reference resources.