The Microsoft 365 Inspector returns per-user MFA information for users that have an Azure Active Directory Premium P1 license or higher.
To retrieve per-user MFA information, a conditional access policy must be configured in the tenant. To set up a conditional access policy, please reference Microsoft's documentation found here.
Once a conditional access policy has been configured, the following data columns display per-user MFA information in the Users Data View tab for Microsoft 365:
The MFA Registration Status column indicates whether a user account has completed MFA registration.
Because of the way Microsoft stores this value, if MFA is disabled for a user after initial enrollment, the MFA Registration Status column for that user continues to show "Enabled." On its own, therefore, this column confirms that a method was registered at some point, not that MFA is currently enforced.
The property resets to "Disabled" only when the user account itself is disabled in Microsoft 365.
The Latest Strong Auth Event column displays the most recent Strong Authentication event logged for the user in the last 60 days.
To populate this column, the Inspector reads the tenant's directory audits for the last 60 days and surfaces the most recent "Strong Authentication" entry, whether Enabled or Disabled. If no such event is found within that window, the column shows "None."
Possible values for this column:
- "Strong Authentication Enabled": use of MFA in any form that Microsoft supports
- "Strong Authentication Disabled"
- "None": no Strong Authentication event was logged for the user in the last 60 days
Recommended Use for MFA Registration Status and Latest Strong Auth Event
Used together, these two data points help identify which users do or do not currently have MFA enabled. MFA Registration Status indicates the users who have completed the MFA enrollment process and registered an authentication method. The Latest Strong Auth Event can then be checked to make sure MFA has not been disabled for the user recently, or to confirm that Strong Authentication was recently turned on for the user.
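The triage described above, written out as an added example (this is not Liongard's code and does not call the Inspector or Microsoft Graph). It assumes rows shaped like the two columns, a constructed set of directory-audit entries standing in for the tenant's audit log, and the 60-day window and value names given above. The key point it encodes is the caveat on MFA Registration Status: because that column stays "Enabled" after MFA is turned off, a recent "Strong Authentication Disabled" event must outrank it.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 60  # the Inspector reads 60 days of directory audits

# Constructed data for illustration only (not real tenant data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Directory-audit entries as (user, UTC timestamp, activity display name).
AUDIT_EVENTS = [
    ("alice@contoso.example", NOW - timedelta(days=10), "Strong Authentication Enabled"),
    ("bob@contoso.example",   NOW - timedelta(days=90), "Strong Authentication Enabled"),   # outside the window
    ("carol@contoso.example", NOW - timedelta(days=30), "Strong Authentication Enabled"),
    ("carol@contoso.example", NOW - timedelta(days=3),  "Strong Authentication Disabled"),  # most recent entry wins
    ("dave@contoso.example",  NOW - timedelta(days=5),  "Update user"),                      # unrelated activity, ignored
]

# 'MFA Registration Status' column values, one per user.
REGISTRATION = {
    "alice@contoso.example": "Enabled",
    "bob@contoso.example":   "Enabled",
    "carol@contoso.example": "Enabled",   # sticky: still "Enabled" although MFA was disabled 3 days ago
    "dave@contoso.example":  "Disabled",
}


def latest_strong_auth_event(events, user, now=NOW, window_days=WINDOW_DAYS):
    """Reproduce the 'Latest Strong Auth Event' column for one user.

    Only "Strong Authentication ..." activities inside the window count;
    the newest one is returned, or "None" when there is no such entry.
    """
    cutoff = now - timedelta(days=window_days)
    hits = [(ts, activity) for (u, ts, activity) in events
            if u == user and activity.startswith("Strong Authentication") and ts >= cutoff]
    if not hits:
        return "None"
    return max(hits, key=lambda h: h[0])[1]


def triage(registration_status, latest_event):
    """Combine the two columns into a (code, reason) verdict.

    A recent Disabled event is checked first because the registration
    column cannot be trusted to reflect a later disablement.
    """
    if latest_event == "Strong Authentication Disabled":
        return ("REVIEW", "strong auth disabled within the window; registration status is stale")
    if registration_status == "Enabled":
        if latest_event == "Strong Authentication Enabled":
            return ("OK", "registered and strong auth confirmed enabled within the window")
        return ("OK", "registered; no strong-auth change logged within the window")
    if latest_event == "Strong Authentication Enabled":
        return ("CHECK", "strong auth enabled within the window but registration not completed")
    return ("ACTION", "not registered and no strong-auth event within the window")


def report(users=REGISTRATION, events=AUDIT_EVENTS, now=NOW):
    """Map each user to (latest_event, (code, reason))."""
    result = {}
    for user, status in users.items():
        event = latest_strong_auth_event(events, user, now)
        result[user] = (event, triage(status, event))
    return result


if __name__ == "__main__":
    for user, (event, (code, reason)) in report().items():
        print(f"{user:25} {event:32} {code:7} {reason}")
```

Run as-is, the example flags carol for review even though her registration status still reads "Enabled", marks bob as "None" because his only event is 90 days old, and ignores dave's unrelated audit entry.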
The following data column displays per-tenant MFA information in the Secure Score Data View tab for Microsoft 365:
The MS Secure Score column contains Microsoft-defined scores that help identify, at a high level, whether there are accounts without MFA enabled. This property does not require additional licensing, but it only provides the count of users meeting the criterion, not which users they are.
According to Microsoft, changes affecting Secure Score data can take 24 to 48 hours to refresh. Once Microsoft has updated the data and your Inspectors run afterward, your Liongard Inspectors should reflect the updated scores.
To see the information in more detail, log in to the Secure Score Security Center.
The "Microsoft 365 | Exposure to Privileged Account(s) Due to Lack of Strong Authentication" Actionable Alert rule is a prewritten alert rule available in all Liongard instances. When triggered, the Actionable Alert displays the count of users considered Admins who do not have MFA enabled. To identify which users are included in that count, you must log in to the Secure Score Security Center.
This count is based on the MS Secure Score data, and to clear the Actionable Alert, action must be taken in the Secure Score Security Center.
Our Microsoft 365 Inspector captures Privileged User status.
We define a "Privileged User" by Microsoft’s definition. You can learn more here.
In September 2021, Microsoft changed the Microsoft 365 portal to hide user information by default. With these settings in place, the Microsoft 365 Inspector may omit the hidden fields. To correct this, unhide user information by following Microsoft's documentation.