MFA status is based on a user registering for MFA. The following are true for an accurate MFA reading to show as "On" within CloudRadial:
- MFA should be on, enabled, and enforced within M365
- The user must have completed signup
In order to obtain MFA status information from Microsoft, a client tenant requires an Azure Active Directory P1 license or similar in the client's tenant. It appears that MFA information is available for all client users if there is at least one license for the client.
It is not dependent on being assigned to a particular user. If you don't have the Azure P1 license, the client will receive the following error message under 365 MFA messages:
Neither tenant is B2C or tenant doesn't have premium license
If you assign a P1 license (or a trial) to the client's tenant, it may take a few days for the information to become accessible during the CloudRadial scan. Syncing with Office 365 is done automatically every night. Or, you can run a manual sync on the client that will pull the most information. Use the Sync button when viewing a client under Partner > Clients.
If you do not want to setup an Azure P1 license for a client, you can edit the client to disable the MFA column on most reports.
CloudRadial does not process MFA information for Excluded Users. Users can be excluded because of they have been explicitly excluded or because they don't have a license (and unlicensed users are excluded). If you have service accounts for which you want to pick up MFA information, but not want to include all users without a license, you can assign a free license to the account to allow CloudRadial to import and report.
You can see exactly the same thing that CloudRadial uses to get the MFA information via this link:
You can experiment with it at:
Taking a look at these can help to diagnose if the issue is on the CloudRadial side or the Microsoft side.