What’s the Difference Between Enabling and Enforcing MFA?

Modified on Wed, 02 Nov 2022 at 06:07 AM

Problem Statement:


What is the difference between Enabling and Enforcing MFA 


Solution:


One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multifactor authentication. Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray.

Enabling multi-factor authentication (MFA) ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems.


Depending on your organizational needs, there are a few different ways you can enable a user for MFA. Whether through manual configuration, security defaults, or Conditional Access policies, multi-factor authentication can be configured using the Azure portal.


What’s the Difference Between MFA Enabled and Enforced?


Microsoft Azure Active Directory uses different terms to show the status of multi-factor authentication (MFA) for each user (More details in this article). These user states are shown in the Azure portal and by default are disabled.


Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.


Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.


Disabled: This is the default state for a new user that has not been enrolled in MFA.


Note: Modern authentication protocols won't work on some older non-browser apps (Office 2010 or earlier). Ti enable MFA for user accounts in these apps, with Azure AD multi-factor authentication still enabled, app passwords can be used instead of the user’s regular username and password.


Confusion Scenario:


sometimes you may encounter a scenario where Enabled and Enforced States may behave the same i.e. the user has MFA enabled and can use MFA but their state is still showing as Enabled instead of Enforced


Explanation:


This happens when you disable MFA for users after the registration process is completed and then re-enable MFA. The authentication method registered is still present, and the user did not complete the MFA registration process again.


There are two options you can use to change the user status to the enforced state.


  • Admin forcefully changes the status to enforced from the portal.
  • You can request that the user redo the authentication methods registration from the portal.


Understanding Methods to Enable Office 365 Multi-Factor Authentication


Multi-factor authentication can be enabled in Azure AD in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.


  • Enabling Azure Multi-Factor Authentication by Changing User States:
  • Enabling Azure Multi-Factor Authentication with Security Defaults. If you would like to learn how to turn on security defaults, you can read this article from Microsoft.
  • Enabling Azure Multi-Factor Authentication with a Conditional Access Policy.  For more information on Azure AD multi-factor authentication, see documentation from Microsoft.


How to Enable MFA for Office 365 Users Powershell


  • Connect to the service:
    Connect-MsolService

  • Create StrongAuthenticationRequirement object with the required parameters.:

    $sa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

    $sa.RelyingParty = "*"

    $sa.State = "Enabled"

    $sar = @($sa)

  • Enable MFA for the user

    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sar



For more information on how to enable MFA kindly refer How to Enable MFA link



Viewing Multi-Factor Authentication User States

How to View MFA User States in the Azure Portal

  1. After signing in to the Azure portal, either search for or click on Azure Active Directory from the main menu
  2. On the left navigation, select Users > All Users
  3. Select Multi-Factor Authentication, on the menu across the top (located after Reset Password)
  4. A new page will open that displays the user name and MFA user status

How to Get a Report of Users and Their MFA Status Using CoreView

  • Log in to CoreView
  • Under Analyze Tab --> Go to Users Report 
  • Under columns choose 'Multifactor auth state' and click on apply:
  • The column 'Multifactor auth state' will indicate if the user has MFA enabled, enforced or disabled.


To learn more kindly refer to the Link - How To check MFA of a User

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article