Skip to main content
All CollectionsInspectorsMicrosoft 365
Microsoft 365 | How Does Liongard Detect For Multifactor Authentication (MFA) Enforcement?
Microsoft 365 | How Does Liongard Detect For Multifactor Authentication (MFA) Enforcement?
Updated over 3 months ago

On the Cyber Risk Dashboard, Liongard displays two categories for Microsoft 365 MFA enforcement status via conditional access policies: Enforced (Conditional Access - Microsoft) and Enforced (Conditional Access - Duo).

For both Enforced (Conditional Access - Microsoft) and Enforced (Conditional Access - Duo), in order for Liongard to detect MFA enforcement, the conditional access policies must also target “All cloud apps”.

Enforced (Conditional Access - Microsoft)

The Enforced (Conditional Access - Microsoft) category is defined by detecting Microsoft Entra ID conditional access policies that enforce MFA using the 'Require Multifactor authentication' or 'Require authentication strength' grant options.

Microsoft Entra ID conditional policy grants enforcing multi-factor authentication (MFA) for Duo with a custom control

Enforced (Conditional Access - Duo)

The Enforced (Conditional Access - Duo) category is defined by detecting Microsoft Entra ID conditional access policies that enforce MFA for Duo by detecting custom access grants with 'RequireDuoMFA' in their names.

Please note that the detection of policies enforcing MFA for Duo depends on setting up Duo MFA per Duo's Entra Conditional Access documentation, which is detailed here. Most importantly, follow the convention of the control name containing the string "RequireDuoMfa."

Microsoft Entra ID custom control enforcing Duo

Visit our Microsoft MFA FAQ article to learn about what Microsoft 365 multifactor authentication data Liongard supports.

Guest or External Users Support

We do not support granular 'include/exclude' selection options for 'Guests or External users' under 'Select users and groups' in conditional access policies. If this option is chosen, the guest user's MFA enforcement status may show as undetected.

Below is a screenshot of granular selection options. Granularity is defined by selecting a subset of the 6 options in the Guest or External Users dropdown.

Future Release MFA Detection

Liongard plans to add additional insights into detecting MFA in subsequent release phases.

  • Support for MFA enforcement via Security Defaults

  • Registered Authentication Methods

  • Support for partners selecting Conditional Access Policies that enforce MFA

  • Updates to the existing MFA-registered drill-down data

Did this answer your question?