Reporting Multi Factor Authentication (MFA) Information

MFA status is based on a user registering for MFA. CloudRadial gets the MFA information from the Microsoft Graph API. The old per-user MFA status (StrongAuthenticationMethods and/or StrongAuthenticationRequirements), this is not currently exposed via the Graph API therefor CloudRadial gets this from the registered authentication method. The following are true for an accurate MFA reading to show as "On" within CloudRadial:

• The User must have an authentication method registered
  • This can be found in Beta > Report > Credential > User > Registrations
• Azure Active Directory P1 license

Note: A user may have an authentication method registered, but not have MFA enabled.

In order to obtain MFA status information from Microsoft, a client tenant requires an Azure Active Directory P1 license or similar in the client's tenant. It appears that MFA information is available for all client users if there is at least one license for the client.

It is not dependent on being assigned to a particular user. If you don't have the Azure P1 license, the client will receive the following error message under 365 MFA messages:

Neither tenant is B2C or tenant doesn't have premium license

If you assign a P1 license (or a trial) to the client's tenant, it may take a few days for the information to become accessible during the CloudRadial scan.

Once the information is available from Microsoft, it will automatically be applied in the tenant on the next Office sync cycle. Syncing with Office 365 is done automatically every night. Or, you can run a manual sync on the client that will pull the most information. Use the Sync button when viewing a client under Partner > Clients. Note that this is not to pull MFA information, but just to refresh the call to the information from Microsoft. 

If you do not want to setup an Azure P1 license for a client, you can edit the client to disable the MFA column on most reports.

Excluded Users

CloudRadial does not process MFA information for Excluded Users. Users can be excluded because of they have been explicitly excluded or because they don't have a license (and unlicensed users are excluded). If you have service accounts for which you want to pick up MFA information, but not want to include all users without a license, you can assign a free license to the account to allow CloudRadial to import and report.

Advanced MFA Status Debugging

CloudRadial doesn't make any particular checks to specific Office 365 tenants to access MFA information. Instead, it queries the Microsoft Graph API to find out the status of users.

• You can see exactly the same thing that CloudRadial uses to get the MFA information via this link:
  https://docs.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
• You can experiment with it at:
  https://developer.microsoft.com/en-us/graph/graph-explorer

If you're running into issues with MFA display being inaccurate, be sure to check and see if it's an issue with Microsoft misreporting it. You can do so using the links above, but the specific instructions on how to check are listed below.

Using the Graph API Explorer

1. Visit https://developer.microsoft.com/en-us/graph/graph-explorer
2. Select the Sign in to Graph Explorer option on the left-hand side
   • Sign in using an admin account for the given tenant you're testing.
     
     
     
3. Select Get > Beta > Ensure the url appears like this: https://graph.microsoft.com/beta/admin
   
   
   
   
4. Select the Modify Permissions option in the Request window.
5. Open the permissions panel
   
   
6. Find the Reports.Read.All and select the Consent button
   • This will prompt you to re-sign in with an admin account for that Microsoft tenant.
   • This step ensures that you can see the MFA information as you test it out.
     
     
     
     
7. Once the permissions are set, enter the exact following snippet into the top query line:
   • https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails 
8. Press the Run query button once it's pasted into the box

The results of MFA status of users in the organization will display in the box below. CloudRadial reports MFA as on or off depending on the status that it receives from the Graph API from the "isMfaRegistered" line.

• false = No
• true = Yes

If you spot an inconsistency between the Graph API and CloudRadial, you can submit a ticket for further investigation.

If the MFA status is not displaying correctly from the Microsoft side, you will need to log a ticket with them to determine why the information isn't propagating correctly. 

How to ensure the MFA status matched the authentication method

We understand that having an authentication method required does not always mean that MFA in enabled. To help we have created a powerhsell script you can run against your tenant that checks the authentication method registered, and then set's the users who have this registered to enforce MFA. 

# Install Microsoft Graph PowerShell SDK if not already installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
Install-Module Microsoft.Graph -Scope CurrentUser -Force
}

# Import Microsoft Graph Module
Import-Module Microsoft.Graph

# Connect to Microsoft Graph with the required scopes
Connect-MgGraph -Scopes "User.Read.All", "Directory.ReadWrite.All"

# Define the function to check authentication method and enforce MFA
function Check-And-Enforce-MFA {
       param (
               [string]$UserPrincipalName
)

# Get user authentication methods
        $authMethods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName

# Check if a specific authentication method is enabled (e.g., Password)
        $isPasswordEnabled = $authMethods | Where-Object { $_.OdataType -eq '#microsoft.graph.passwordAuthenticationMethod' }

        if ($isPasswordEnabled) {
                Write-Output "Password authentication is enabled for $UserPrincipalName."

# Enforce MFA (Enable and enforce)
# Note: This example assumes the user is in a conditional access policy or similar setup for MFA.
# You may need to adjust based on your specific requirements and setup.

# Enable MFA
                Write-Output "Enabling MFA for $UserPrincipalName..."
                $mfaMethods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
                $mfaStatus = $mfaMethods | Where-Object { $_.OdataType -eq '#microsoft.graph.strongAuthenticationDetail' }

                if ($null -eq $mfaStatus) {
# MFA is not enabled, so enable it
                        $authMethod = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphStrongAuthenticationMethod
                        $authMethod.Enabled = $true
                        $authMethod.IsEnforced = $true
                        New-MgUserAuthenticationMethod -UserId $UserPrincipalName -BodyParameter $authMethod
                        Write-Output "MFA has been enabled and enforced for $UserPrincipalName."
                } else {
                        Write-Output "MFA is already enabled for $UserPrincipalName."
                }
        } else {
                Write-Output "Password authentication is not enabled for $UserPrincipalName."
        }
}

# Example usage
$UserPrincipalName = "user@example.com"
Check-And-Enforce-MFA -UserPrincipalName $UserPrincipalName

# Disconnect from Microsoft Graph
Disconnect-MgGraph