What is the difference between Enabled and Enforced MFA
One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multifactor authentication. Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray.
Enabling multi-factor authentication (MFA) ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems.
Depending on your organizational needs, there are a few different ways you can enable a user for MFA. Whether through manual configuration, security defaults, or Conditional Access policies, multi-factor authentication can be configured using the Azure portal.
What’s the Difference Between MFA Enabled and Enforced?
Microsoft Azure Active Directory uses different terms to show the status of multi-factor authentication (MFA) for each user (More details in this article). These user states are shown in the Azure portal and by default are disabled.
Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
Disabled: This is the default state for a new user that has not been enrolled in MFA.
Note: Modern authentication protocols won't work on some older non-browser apps (Office 2010 or earlier). Ti enable MFA for user accounts in these apps, with Azure AD multi-factor authentication still enabled, app passwords can be used instead of the user’s regular username and password.
sometimes you may encounter a scenario where Enabled and Enforced States may behave the same i.e. the user has MFA enabled and can use MFA but their state is still showing as Enabled instead of Enforced
This happens when you disable MFA for users after the registration process is completed and then re-enable MFA. The authentication method registered is still present, and the user did not complete the MFA registration process again.
There are two options you can use to change the user status to the enforced state.
- Admin forcefully changes the status to enforced from the portal.
- You can request that the user redo the authentication methods registration from the portal.
Understanding Methods to Enable Office 365 Multi-Factor Authentication
Multi-factor authentication can be enabled in Azure AD in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.
- Enabling Azure Multi-Factor Authentication by Changing User States:
- Enabling Azure Multi-Factor Authentication with Security Defaults. If you would like to learn how to turn on security defaults, you can read this article from Microsoft.
- Enabling Azure Multi-Factor Authentication with a Conditional Access Policy. For more information on Azure AD multi-factor authentication, see documentation from Microsoft.
How to Enable MFA for Office 365 Users Powershell
For more information on how to enable MFA kindly refer How to Enable MFA link