What is Multifactor Authentication (MFA)?
Multifactor authentication (MFA) for Microsoft 365 is a security feature that requires users to provide two or more forms of verification (their password plus at least one additional method) to access their accounts. This extra layer of security helps protect against unauthorized access by ensuring that the person trying to access an account is who they claim to be. Verification methods can include a phone call, a text message containing a code, an app notification, or a biometric verification like a fingerprint. MFA effectively enhances the security of Microsoft 365 accounts, safeguarding sensitive data and business information.
What are the different Microsoft 365 MFA enforcement methods?
Legacy (Per-User) MFA: This is the original method where MFA settings are applied directly to individual user accounts. Administrators manually enable MFA for each user, making it a straightforward but less flexible approach.
Conditional Access Policy: This method is more dynamic and powerful. It allows administrators to enforce MFA under specific conditions based on various factors, such as user risk level, location, device state, and application sensitivity. For example, MFA might be required when accessing certain high-risk applications or when logging in from outside the corporate network. This method provides granular control and adapts to the context of each access attempt.
Security Defaults: Aimed at providing a baseline of security with minimal configuration, Security Defaults automatically enable essential security settings, including MFA, for all users. When Security Defaults are enabled, MFA is required for administrative roles, all users when they perform certain tasks, and whenever unusual sign-in activity is detected.
How does Liongard support the different Microsoft 365 MFA enforcement methods?
Legacy (Per-User) MFA: As of April 2024, Microsoft doesn't provide a way to retrieve per-user enforcement status through the Graph API, so Liongard cannot surface the enforcement status of users configured with this method.
Conditional Access Policy: Currently, Liongard recognizes MFA conditional access policies that specifically enforce using 'Require Multifactor authentication' or 'Require authentication strength' grant options. It also recognizes policies enforcing multifactor authentication for Duo by detecting custom access grants with 'RequireDuoMFA' in their names. Liongard is working on expanding this functionality to provide users with more control over which policies are used to enforce MFA.
Security Defaults: Liongard can identify when the security defaults setting is enabled and report the status of MFA enforcement within the target tenant.
What are the different Microsoft 365 MFA statuses?
Microsoft 365 MFA has three different statuses that indicate the stages of a user's MFA setup and usage.
Registered: This status means that the user has completed the initial setup process for MFA by providing and verifying their contact information or authentication method. However, they are not yet required to use MFA every time they log in.
Enabled: When a user's status is set to Enabled, it means that MFA has been activated for their account, but it's not yet mandatory for every login. This status is often used as a transitional phase where users can still log in with just their password until MFA becomes enforced.
Enforced: This status indicates that MFA is fully active and mandatory for the user. Each time the user logs in, they must use their password and a second verification form to access their account, ensuring an added layer of security.
Where does Liongard surface Microsoft 365 MFA data?
Cyber Risk Dashboard: Selecting an Environment name in Liongard will bring you to the single Environment dashboard, where you can find the Cyber Risk Dashboard on the left-hand menu. There you can see the MFA registration status of users and privileged users, along with their MFA enforcement status as determined through conditional access policies. Drill-down tables are also provided.
Inspector System Details: Selecting a Microsoft 365 Inspector will bring you to the system details page, where you can find MFA data on the "Overview" and "Users" tabs, as well as the "Data Print Explorer."
Inspector Data Print: The Microsoft 365 data print contains MFA data within the "Users" array. Specifically, the "isMfaRegistered_r" key is available to surface MFA registered status. The "credentialUserRegistrationDetails" object surfaces additional data about the different registration methods. The "ConditionalAccessPolicies" and "ConditionalAccessPoliciesExcluded" arrays provide insight into MFA policies that are detected or not detected.
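The following is an added worked example (written for this article, not Liongard's own code) that ties together the detection rules described under "Conditional Access Policy" above and the data print keys listed here. It applies the three grant-control patterns the article names ('Require multifactor authentication', 'Require authentication strength', and a custom control whose name contains 'RequireDuoMFA') to a constructed set of policies, sorts them into "ConditionalAccessPolicies" and "ConditionalAccessPoliciesExcluded", and summarizes the "Users" array by "isMfaRegistered_r". Assumptions: the policy objects follow the Microsoft Graph conditionalAccessPolicy shape (grantControls.builtInControls, grantControls.authenticationStrength, grantControls.customAuthenticationFactors), the sample users and policies are constructed, and treating report-only policies as excluded is this example's own choice rather than something the article states.

```python
"""Classify conditional access policies as MFA-enforcing and summarize
MFA registration from a Microsoft 365 data print's Users array.
Example code added to illustrate the article; not Liongard's implementation."""
import json

# Name fragment the article says identifies Duo custom grant controls.
DUO_MARKER = "RequireDuoMFA"

# Constructed sample users in the shape of the data print "Users" array.
# Only keys named in the article (isMfaRegistered_r,
# credentialUserRegistrationDetails) are relied on; the rest is illustrative.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered_r": True,
     "credentialUserRegistrationDetails": {
         "authMethods": ["microsoftAuthenticatorPush", "mobilePhone"]}},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered_r": False,
     "credentialUserRegistrationDetails": {"authMethods": []}},
]

# Constructed sample policies. Assumption: Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Phishing-resistant MFA for admins", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {
                           "displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Duo MFA", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "customAuthenticationFactors": ["RequireDuoMFA"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Report-only MFA pilot",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def policy_enforces_mfa(policy: dict) -> bool:
    """True if the grant controls match one of the three patterns in the article."""
    grant = policy.get("grantControls") or {}
    if "mfa" in (grant.get("builtInControls") or []):
        return True  # 'Require multifactor authentication' grant
    if grant.get("authenticationStrength"):
        return True  # 'Require authentication strength' grant
    custom = grant.get("customAuthenticationFactors") or []
    return any(DUO_MARKER in name for name in custom)  # Duo custom control


def split_policies(policies: list) -> dict:
    """Sort policies into the two data-print arrays named in the article.
    Requiring state == 'enabled' (so report-only policies are excluded)
    is this example's own assumption."""
    detected, excluded = [], []
    for policy in policies:
        enforcing = policy_enforces_mfa(policy) and policy.get("state") == "enabled"
        (detected if enforcing else excluded).append(policy["displayName"])
    return {"ConditionalAccessPolicies": detected,
            "ConditionalAccessPoliciesExcluded": excluded}


def registration_summary(users: list) -> dict:
    """Bucket users by the isMfaRegistered_r flag; anything but True is unregistered."""
    summary = {"registered": [], "unregistered": []}
    for user in users:
        bucket = "registered" if user.get("isMfaRegistered_r") is True else "unregistered"
        summary[bucket].append(user["userPrincipalName"])
    return summary


def build_report(users: list, policies: list) -> dict:
    """Combine registration and enforcement views into one dictionary."""
    return {**registration_summary(users), **split_policies(policies)}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_USERS, SAMPLE_POLICIES), indent=2))
```

Running the script prints the four lists; a user who is registered but covered by no enforcing policy (or a tenant whose only MFA policy is report-only) shows up as a gap between registration and enforcement, which is the distinction the Cyber Risk Dashboard is drawing.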
Metrics and Reports: As always, metrics and reports are available for you to customize specific data points further. Don't forget to visit the Liongard Library to check out our library of user-submitted metrics.
To learn more about how Liongard detects MFA enforcement, visit our article here.