Users Not Covered by MFA Policies [CHK-1187]

This check identifies users in your Microsoft Entra ID tenant who are not covered by any Multi-Factor Authentication (MFA) Conditional Access policy. It goes beyond basic Conditional Access analysis by resolving group memberships and evaluating policy overlaps to determine actual user coverage. The check classifies coverage as "full" when a policy covers All cloud apps or the Office 365 scope, and "partial" when it only covers specific applications.

Rationale

Multi-Factor Authentication is one of the most effective controls against unauthorized access and credential-based attacks. Users who are not covered by any MFA policy are significantly more vulnerable to phishing, password spraying, and brute-force attacks. A single uncovered account can serve as an entry point for attackers to move laterally within the organization. Ensuring complete MFA coverage across all active users is a fundamental security best practice recommended by Microsoft and major security frameworks.

Fix

No automated fix is available for this check. Manual steps:

  1. Open the Azure Portal and navigate to Microsoft Entra ID > Protection > Conditional Access.
  2. Review the existing MFA policies and their user and group assignments. Compare these with the uncovered users listed in the alert.
  3. Either update existing Conditional Access policies to include the uncovered users or groups, or create a new policy that targets them.
  4. Ensure that policies cover All cloud apps or at minimum Office 365 to achieve full MFA coverage rather than partial application-specific coverage.
  5. Before enabling policies in production, use Report-only mode to verify the expected impact on users.
  6. After enabling the policies, verify that the previously uncovered users are now required to perform MFA when signing in.
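The following is an added example, not code from the original page or from the product behind this check. It models the coverage logic the check description above outlines (resolve group memberships, apply exclusions, classify a policy as "full" when it targets All cloud apps or Office 365 and "partial" otherwise, and ignore policies that are not enabled or do not grant MFA) and then carries out steps 3 to 5 of the fix by building a report-only policy definition that targets the users found to have no coverage. The users, groups and policies are constructed sample data in the shape of the Microsoft Graph `conditionalAccessPolicy` resource; the field names, the `"All"` and `"Office365"` application values and the `"enabledForReportingButNotEnforced"` state are assumed from that API and should be verified against the Graph documentation before use.

```python
"""Added example: compute per-user MFA Conditional Access coverage and draft a
report-only policy for users with no coverage. Data shapes follow the Microsoft
Graph conditionalAccessPolicy resource (assumed field names, constructed data)."""
from __future__ import annotations

ALL_APPS = "All"          # assumed Graph value meaning "All cloud apps"
OFFICE_365 = "Office365"  # assumed Graph value for the Office 365 app scope
FULL_SCOPES = {ALL_APPS, OFFICE_365}

# Constructed sample directory: group id -> members (nested groups already flattened).
GROUPS = {
    "g-all-staff": {"alice", "bob", "carol", "dave"},
    "g-finance": {"carol"},
    "g-break-glass": {"dave"},
}
USERS = ["alice", "bob", "carol", "dave", "erin"]

# Constructed sample policies with only the fields the algorithm needs.
POLICIES = [
    {   # Enabled, MFA, Office 365 scope, excludes the break-glass group -> "full"
        "displayName": "MFA - all staff - Office 365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["g-all-staff"],
                      "excludeUsers": [], "excludeGroups": ["g-break-glass"]},
            "applications": {"includeApplications": [OFFICE_365]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enabled, MFA, but only one application -> "partial"
        "displayName": "MFA - erin - finance portal only",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["erin"], "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["app-finance-portal"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Report-only policies do not enforce MFA, so they must not count as coverage
        "displayName": "MFA - dave - report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["dave"], "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": [ALL_APPS]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def members_of(group_ids, groups):
    """Union of the members of the given groups (unknown groups count as empty)."""
    out = set()
    for gid in group_ids:
        out |= groups.get(gid, set())
    return out


def is_enforcing_mfa_policy(policy):
    """Only an enabled policy whose grant control includes MFA provides coverage."""
    controls = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and "mfa" in controls.get("builtInControls", [])


def users_targeted(policy, groups, all_users):
    """Resolve include/exclude users and groups to the concrete set of users in scope."""
    cond = policy["conditions"]["users"]
    inc_users = cond.get("includeUsers", [])
    included = set(all_users) if "All" in inc_users else set(inc_users)
    included |= members_of(cond.get("includeGroups", []), groups)
    excluded = set(cond.get("excludeUsers", [])) | members_of(cond.get("excludeGroups", []), groups)
    return included - excluded


def coverage_scope(policy):
    """'full' when the policy targets All cloud apps or Office 365, else 'partial'."""
    apps = set(policy["conditions"]["applications"].get("includeApplications", []))
    return "full" if apps & FULL_SCOPES else "partial"


def classify_coverage(users, groups, policies):
    """Best coverage per user across all enforcing MFA policies: full > partial > none."""
    coverage = {u: "none" for u in users}
    for policy in policies:
        if not is_enforcing_mfa_policy(policy):
            continue
        scope = coverage_scope(policy)
        for user in users_targeted(policy, groups, users):
            if user in coverage and (scope == "full" or coverage[user] == "none"):
                coverage[user] = scope
    return coverage


def uncovered_users(coverage):
    """Users that no enforcing MFA policy reaches at all (the check's finding)."""
    return sorted(u for u, scope in coverage.items() if scope == "none")


def build_report_only_policy(uncovered):
    """Draft a policy for fix steps 3-5: target the uncovered users, All cloud apps,
    require MFA, and start in report-only mode so the impact can be reviewed first."""
    return {
        "displayName": "MFA - previously uncovered users (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": list(uncovered), "includeGroups": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": [ALL_APPS]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    result = classify_coverage(USERS, GROUPS, POLICIES)
    for user, scope in result.items():
        print(f"{user:8s} {scope}")
    print("draft policy:", build_report_only_policy(uncovered_users(result)))
```

With the sample data, alice, bob and carol are fully covered through the all-staff group, erin is only partially covered because her policy names a single application, and dave ends up uncovered: the group exclusion removes him from the Office 365 policy and the report-only policy that names him does not enforce anything. The draft policy deliberately keeps the report-only state; switching it to `"enabled"` is the step taken only after the sign-in logs confirm the expected impact.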

Impact

Extending MFA coverage to all users significantly reduces the risk of account compromise. Users who were previously uncovered will be prompted to register for and use MFA on their next sign-in. This may require communication to affected users beforehand, especially if they have not previously enrolled in MFA. There is no negative operational impact once users have completed MFA registration.

More Information

For more information about Conditional Access policies and MFA, see the Microsoft documentation on Conditional Access and the guide to planning a Conditional Access deployment.