MFA status is based on whether a user has registered for MFA. For an accurate MFA reading to show as "On" within CloudRadial, both of the following must be true:
- MFA should be on, enabled, and enforced within M365
- The user must have completed signup
In order to obtain MFA status information from Microsoft, the client's tenant requires an Azure Active Directory P1 license or similar. MFA information appears to be available for all of the client's users as long as at least one such license exists in the tenant; it does not depend on the license being assigned to a particular user. If the tenant does not have an Azure AD P1 license, the client will show the following error message under 365 MFA messages:
Neither tenant is B2C or tenant doesn't have premium license
If you assign a P1 license (or a trial) to the client's tenant, it may take a few days before the information becomes accessible to the CloudRadial scan.
Once the information is available from Microsoft, it will automatically be applied to the tenant on the next Office sync cycle. Syncing with Office 365 runs automatically every night. Alternatively, you can run a manual sync on the client to pull the latest information: use the Sync button when viewing a client under Partner > Clients. Note that the manual sync does not itself enable MFA reporting; it only refreshes the call to Microsoft for the information.
If you do not want to set up an Azure P1 license for a client, you can edit the client to disable the MFA column on most reports.
Excluded Users
CloudRadial does not process MFA information for Excluded Users. Users can be excluded either because they have been explicitly excluded or because they do not have a license (unlicensed users are excluded). If you have service accounts for which you want to pick up MFA information, but do not want to include all users without a license, you can assign a free license to the account so that CloudRadial imports and reports on it.
Advanced MFA Status Debugging
CloudRadial doesn't perform any special checks against specific Office 365 tenants to obtain MFA information. Instead, it queries the Microsoft Graph API for the status of each user.
- You can see exactly the data CloudRadial uses to get the MFA information via this link:
https://docs.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
- You can experiment with it at:
https://developer.microsoft.com/en-us/graph/graph-explorer
If you're running into issues with the MFA display being inaccurate, first check whether Microsoft itself is misreporting it. You can do so using the links above; the specific steps are listed below.
Using the Graph API Explorer
- Visit https://developer.microsoft.com/en-us/graph/graph-explorer
- Select the Sign in to Graph Explorer option on the left-hand side
- Sign in using an admin account for the given tenant you're testing.
- Select the 3-dot menu next to your name on the left and choose Select permissions
- A right-hand pane will open.
- Search for reports and expand the dropdown containing the Reports.Read.All permission
- Tick Reports.Read.All and select the Consent button
- This will prompt you to sign in again with an admin account for that Microsoft tenant.
- This step ensures that you can see the MFA information as you test it out.
- Once the permissions are set, enter the exact following snippet into the top query line:
- Press the Run query button once it's pasted into the box
The MFA status of the users in the organization will display in the results box below. CloudRadial reports MFA as on or off depending on the value it receives from the Graph API in the "isMfaRegistered" field:
- false = No
- true = Yes
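The following is an added example, not CloudRadial's code and not taken from the Microsoft documentation: it walks the report that the Graph Explorer query returns, follows paging, maps isMfaRegistered to the On/Off reading described above, applies the Excluded Users rule (explicit exclusions and unlicensed users), and recognises the "premium license" error body. The endpoint URL is assumed from the documentation page linked above (the article itself does not print the query), the users query and its $select are assumed, and all tenant data below is constructed sample data, not a real tenant.

```python
"""Reconcile Graph MFA registration data the way the article describes (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Iterator

GRAPH_BETA = "https://graph.microsoft.com/beta"
# Endpoint assumed from the linked reportRoot documentation; the article does not print it.
MFA_REPORT_URL = f"{GRAPH_BETA}/reports/credentialUserRegistrationDetails"
# Error text quoted by the article for tenants without a premium license.
NO_PREMIUM_MESSAGE = "Neither tenant is B2C or tenant doesn't have premium license"


class GraphReportError(Exception):
    """Raised when Graph returns an error body instead of a result page."""


def iter_pages(first_page: dict, fetch_next: Callable[[str], dict]) -> Iterator[dict]:
    """Yield result pages, following @odata.nextLink until Graph stops paging.

    fetch_next(url) is injected so the same walker runs against the live API
    (see http_fetcher) or against the constructed pages below.
    """
    page = first_page
    while True:
        if "error" in page:  # Graph error bodies look like {"error": {"code": ..., "message": ...}}
            raise GraphReportError(page["error"].get("message", "unknown Graph error"))
        yield page
        next_url = page.get("@odata.nextLink")
        if not next_url:
            return
        page = fetch_next(next_url)


def http_fetcher(token: str) -> Callable[[str], dict]:
    """Build a fetch_next() for the live API from a bearer token that carries Reports.Read.All.

    Not exercised offline; shown only to wire the page walker to a real tenant.
    """
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:  # error JSON is in the response body
            return json.load(err)
    return fetch


def mfa_registrations(first_page: dict, fetch_next: Callable[[str], dict]) -> dict:
    """Map userPrincipalName -> isMfaRegistered, the field CloudRadial reads as Yes/No."""
    result = {}
    for page in iter_pages(first_page, fetch_next):
        for row in page.get("value", []):
            result[row["userPrincipalName"].lower()] = bool(row["isMfaRegistered"])
    return result


def build_report(users: list, registrations: dict, explicit_exclusions=()) -> dict:
    """Per-user MFA column: Excluded (explicit or unlicensed), On/Off, or Unknown (not in report)."""
    excluded = {upn.lower() for upn in explicit_exclusions}
    report = {}
    for user in users:
        upn = user["userPrincipalName"].lower()
        if upn in excluded or not user.get("assignedLicenses"):
            report[upn] = "Excluded"
        elif upn not in registrations:
            report[upn] = "Unknown"
        else:
            report[upn] = "On" if registrations[upn] else "Off"
    return report


# Constructed sample data in the shape of the beta endpoint's response (not a real tenant).
PAGE2_URL = MFA_REPORT_URL + "?$skiptoken=page2"
SAMPLE_PAGES = {
    MFA_REPORT_URL: {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
            {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
            {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": True},
        ],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {"value": [{"userPrincipalName": "svc-backup@contoso.example", "isMfaRegistered": True}]},
}
FREE_SKU = [{"skuId": "00000000-0000-0000-0000-000000000001"}]  # placeholder license, constructed
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "assignedLicenses": FREE_SKU},
    {"userPrincipalName": "bob@contoso.example", "assignedLicenses": FREE_SKU},
    {"userPrincipalName": "carol@contoso.example", "assignedLicenses": []},       # unlicensed
    {"userPrincipalName": "dave@contoso.example", "assignedLicenses": FREE_SKU},  # explicitly excluded
    {"userPrincipalName": "erin@contoso.example", "assignedLicenses": FREE_SKU},  # missing from report
    {"userPrincipalName": "svc-backup@contoso.example", "assignedLicenses": FREE_SKU},
]
LICENSE_ERROR_PAGE = {"error": {"code": "ErrorCodeRedactedInExample", "message": NO_PREMIUM_MESSAGE}}


def sample_report() -> dict:
    """Run the reconciliation over the constructed pages and users."""
    regs = mfa_registrations(SAMPLE_PAGES[MFA_REPORT_URL], SAMPLE_PAGES.__getitem__)
    return build_report(SAMPLE_USERS, regs, explicit_exclusions=["dave@contoso.example"])


def sample_license_error() -> str:
    """Show the no-premium-license error surfacing instead of a silent empty report."""
    try:
        mfa_registrations(LICENSE_ERROR_PAGE, SAMPLE_PAGES.__getitem__)
    except GraphReportError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    for upn, status in sorted(sample_report().items()):
        print(f"{upn:32} {status}")
    print("error case:", sample_license_error())
```

When comparing against CloudRadial, the rows that matter are the ones that land on On/Off; an Excluded row with no CloudRadial MFA value is expected behaviour, and a licensed user who is Unknown (absent from the Graph report entirely) points at the Microsoft side rather than at CloudRadial.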
If you spot an inconsistency between the Graph API and CloudRadial, you can submit a ticket at support@cloudradial.com for further investigation.
If the MFA status is not displaying correctly from the Microsoft side, you will need to log a ticket with them to determine why the information isn't propagating correctly.