Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

MFA Registration Overview [CHK-1186]

This operational check provides a comprehensive overview of Multi-Factor Authentication (MFA) registration status across all users in your Microsoft Entra ID (Azure AD) tenant. It queries the userRegistrationDetails report endpoint to collect per-user MFA registration data and presents aggregated statistics.

Rationale

Understanding your organization's MFA adoption is critical for assessing identity security posture. This check gives visibility into how many users have registered for MFA, which authentication methods are in use, and how users are distributed across authentication strength levels. Without this insight, administrators may not be aware of gaps in MFA coverage that leave the organization vulnerable to credential-based attacks.

The check reports on:

  • Total member users, MFA registered count, MFA capable count, and not-registered count
  • Passwordless capable user count
  • Authentication method breakdown: Microsoft Authenticator, Phone, FIDO2 Security Key, Windows Hello for Business, Software OATH Token, and SMS
  • Authentication strength classification: Strong (FIDO2, Windows Hello for Business, Passkey, Certificate-Based Authentication), Medium (Authenticator, Software OATH), Weak (SMS, Phone), and None
  • Activity status: Active vs. inactive users based on a 90-day sign-in threshold
  • Guest user MFA registration breakdown

Outcomes

This is an informational check that does not produce pass/fail outcomes. It always returns data without triggering alerts. The collected data is available for review in the Attic dashboard.

Fix

This is an informational check that does not trigger alerts. No fix action is required. Use the reported data to identify users who have not yet registered for MFA and to guide your organization toward stronger authentication methods.

Impact

Regularly reviewing MFA registration status helps your organization:

  • Identify users without MFA registration and prioritize enrollment campaigns
  • Track adoption of stronger authentication methods such as FIDO2 and Windows Hello for Business
  • Detect inactive accounts that may pose a security risk
  • Monitor the balance between strong, medium, and weak authentication methods across the user base
  • Support compliance reporting by providing up-to-date MFA coverage metrics

More Information