On the Cyber Risk Dashboard, Liongard displays two categories for Microsoft 365 MFA enforcement status via conditional access policies: Enforced (Conditional Access - Microsoft) and Enforced (Conditional Access - Duo).
Enforced (Conditional Access - Microsoft)
The Enforced (Conditional Access - Microsoft) category is defined by detecting Microsoft Entra ID conditional access policies that enforce MFA using the 'Require Multifactor authentication' or 'Require authentication strength' grant options.
Enforced (Conditional Access - Duo)
The Enforced (Conditional Access - Duo) category is defined by detecting Microsoft Entra ID conditional access policies that enforce MFA for Duo by detecting custom access grants with 'RequireDuoMFA' in their names.
Please note that the detection of policies enforcing MFA for Duo depends on setting up Duo MFA per Duo's Entra Conditional Access documentation, which is detailed here. Most importantly, follow the convention of the control name containing the string "RequireDuoMfa."
Visit our Microsoft MFA FAQ article to learn about what Microsoft 365 multifactor authentication data Liongard supports.
Guest or External Users Support
Guest or External Users Support
We do not support granular 'include/exclude' selection options for 'Guests or External users' under 'Select users and groups' in conditional access policies. If this option is chosen, the guest user's MFA enforcement status may show as undetected.
Below is a screenshot of granular selection options. Granularity is defined by selecting a subset of the 6 options in the Guest or External Users dropdown.
Future Release MFA Detection
Future Release MFA Detection
Liongard plans to add additional insights into detecting MFA in subsequent release phases.
Support for MFA enforcement via Security Defaults
Registered Authentication Methods
Support for partners selecting Conditional Access Policies that enforce MFA
Updates to the existing MFA-registered drill-down data