March 10, 2025
|
6
min read
Carmine Punella
Carmine Punella, a Microsoft Certified Professional, is renowned for his C# expertise, contributions to the Windows 8 App Hall of Fame, and extensive experience in designing scalable, reliable cloud-based platforms.
Multiple Factor Authentication MFA

Problem

How do I check if a user has MFA enabled and who enabled it using CoreView?

Solution

In this article, we will understand how to verify

  1. If MFA is enabled from the Entra portal.
  2. If MFA is enabled using CoreView
  3. Who has updated the MFA for a user through CoreView

If you want to know how to configure MFA please refer to the “How to enable MFA” article.

1. Checking if user MFA is enabled on the Entra portal

To view and manage user states, complete the following steps to access the Entra portal page:

  • Sign in to Microsoft Entra as a Global administrator
  • From the side panel menu, select Users > All users
  • In the top bar menu, select the “Per-user MFA” reporA new page will open. Here you will be able to see the MFA status for each user.
If Users are MFA screenshot
  • A new page will open. Here you will be able to see the MFA status for each user.
Per-user multifactor authentication

To learn more about user MFA, please refer to Microsoft documentation.

2. Checking if user MFA is enabled on CoreView

  • Open the CoreView app and login
  • Navigate to the “Active users” reports
Active Users
  • From the “Columns” dropdown, check “Multifactor auth state” and click “Apply”:
Multifactor auth state
  • The column “Multifactor auth state” will indicate if the user has MFA enabled, enforced or disabled.

Key terminologies:

  • Enabled: the user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
  • Enforced: the user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Entra ID MFA.
  • Disabled: this is the default state for a new user that has not been enrolled in MFA.

3. Finding out who made changes

  • If the MFA was enabled through CoreView, you can see the details from in Audit logs.
Audit Logs

Here you can apply a filter on the “Action” or “Created on” columns to find the desired output:

Columns screenshot

If the changes were made through Microsoft 365, then you can find the details from Microsoft 365 Audit log. Please follow the steps below:

  • Navigate to “Audit > Microsoft 365
Audit Screenshot
  • Apply the filter “Enable Strong Authentication” on the “Operation” column.
Operation Column
  • Change the date range as per your requirement:

This will show details of the users with MFA and who made the changes

Key terminologies:

User ID: User who performed the action
Object ID: User on whom the action was performed

Get a personalized demo today

Created by M365 experts, for M365 experts.