Problem:
There is occasionally confusion when looking at our isMfaRegistered_r datapoint in the Microsoft 365 inspector
Information
To accurately return the isMfaRegistered_r
value, the following conditions must be met:
Microsoft Entra ID P1 License Requirement: The tenant must possess Microsoft Entra ID P1 licenses. This license is included with Microsoft 365 E3 and Microsoft 365 Business Premium plans.
Understanding
isMfaRegistered_r
: This attribute indicates whether a user has completed the registration process for multi-factor authentication (MFA). It's important to note that:Being MFA registered does not necessarily mean that MFA is enforced for the user.
The
isMfaRegistered_r
attribute does not account for users utilizing legacy per-user MFA configurations.
Microsoft 365 E3 and E5 Plans
Both Microsoft 365 E3 and E5 plans include features that support MFA registration tracking:
Microsoft 365 E3:
Includes Microsoft Entra ID P1.
Supports Conditional Access policies to enforce MFA based on specific conditions.
Microsoft 365 E5:
Includes Microsoft Entra ID P2, which encompasses all P1 features.
Adds advanced capabilities like risk-based Conditional Access and Microsoft Entra ID Protection.
Microsoft Entra ID P1 License Functionalities
The Microsoft Entra ID P1 license provides several features pertinent to MFA:
Conditional Access: Allows administrators to define policies that require MFA under specific conditions, enhancing security without compromising user experience.
MFA Registration Reporting: Enables tracking of users' MFA registration status, facilitating compliance and security audits.
Self-Service Password Reset (SSPR): Permits users to reset their passwords securely, reducing administrative overhead.