Audit Report for 2FA enabled accounts

ALG719 1 Reputation point
2020-08-03T13:08:56.887+00:00

Azure MFA status not updating in O365. Azure Conditional Access users default to disabled in O365. I need to run a report for an IS audit to show 2FA is enabled for all accounts. PowerShell scripts pull from O365 but show disabled for Conditional Access users. I have to physically go into O365 and change even though all users go through MFA Authentication Registration as a New Hire.

How can I run a report from Azure or Intune to show all accounts are 2FA enabled?


2 answers

  1. Vasil Michev 94,521 Reputation points MVP
    2020-08-03T13:17:50.877+00:00

    If you are using CA policies for MFA, the "status" fields you report on via the MSOL cmdlets will not get updated, that's the expected behavior. You can use the Graph API endpoints to report on which users have "registered" their methods: https://learn.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http

    Other than that, educate your auditors about CA policies and such...


  2. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2020-08-13T14:00:22.87+00:00

    @ALG719 There is really no concrete concept of being enabled for MFA - other than per-user MFA status being set to "Enabled" / "Enforced".
    Since Conditional Access and per-user MFA are two different means of getting users to register for MFA, not seeing MFA status as enabled in the O365 portal for CA users is expected.

    You can use the MS Graph API to show that all users are already registered for MFA and will be able to perform MFA should there be a need for it.

    To change the MFA status to enabled, the admin can run a PowerShell script https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#change-state-using-powershell

    The following Graph query would give you the number of users in your tenant who are capable of performing MFA:
    https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=isMfaRegistered eq true
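The following PowerShell script is an added example, not code from either answer or from Microsoft, showing how an admin can turn the beta report endpoint referenced above into audit evidence. It assumes `$AccessToken` already holds a bearer token obtained out of band (for instance through an app registration granted the reporting permission the linked Graph reference requires); the token acquisition itself is outside the script. It pulls the unfiltered report rather than the `isMfaRegistered eq true` subset so that users who are not yet registered appear on the exception list, and it follows `@odata.nextLink` because the report is paged.

```powershell
# Added example (not from the answers above): build an MFA-registration audit report
# from the beta Graph endpoint discussed in this thread.
# Assumption: $AccessToken is a valid bearer token with read access to the report.
$Headers = @{ Authorization = "Bearer $AccessToken" }

# Unfiltered report: the $filter=isMfaRegistered eq true form from the answer only
# returns the registered users, which hides the exceptions an auditor cares about.
$Uri  = 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails'
$Rows = @()

# The report is paged; keep following @odata.nextLink until Graph stops returning one.
do {
    $Page  = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
    $Rows += $Page.value
    $Uri   = $Page.'@odata.nextLink'
} while ($Uri)

# Keep the columns that matter for the audit; flatten the authMethods array to one cell.
$Report = $Rows | Select-Object userPrincipalName, userDisplayName, isMfaRegistered, isCapable,
    @{ Name = 'authMethods'; Expression = { $_.authMethods -join ';' } }

# Evidence for the audit: a full CSV of every user, plus the exception list to act on.
$Report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
$NotRegistered = $Report | Where-Object { -not $_.isMfaRegistered }

"{0} users in report, {1} not MFA-registered" -f $Report.Count, $NotRegistered.Count
$NotRegistered | Format-Table -AutoSize
```

Two points worth keeping in mind when presenting this to auditors: the report shows who has registered a method, not what forces them to use it, so it should be paired with an export of the Conditional Access policies that require MFA; and the endpoint is under `/beta`, so the property names should be re-checked against the current Graph reference before relying on the script long term.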