Microsoft highly recommends securing your Active Directory and Microsoft 365 through the setup of multi-factor authentication.
While passwords continue to be the most common method for verifying a user's identity, they are highly susceptible to cyberattacks such as phishing and password spraying.
By enabling multi-factor authentication (MFA), you're adding an extra layer of security. This requires at least two verification methods, effectively blocking potential attackers from gaining access to your systems and preventing serious financial and operational damage.
In this article, we'll guide you through the process of enabling MFA via Entra ID and the CoreView portal.
You can activate multi-factor authentication in Entra ID through several methods, each one tailored to your specific scenario and the type of Microsoft 365 license you hold.
Per-user MFA is the traditional method: it requires two-step verification for each enabled user every time they sign in. Enabling a user bypasses any Conditional Access policies that could affect that user. While this method is favored for individual changes, Microsoft now advises against it for managing an entire organization, as it can be time-consuming and prone to errors.
For more information, please refer to the “Enable per-user Microsoft Entra multi-factor authentication” Microsoft article.
In late 2019, Microsoft released security defaults to help protect organizations from identity-related attacks. These preconfigured security settings include enabling multi-factor authentication for all admin and user accounts. Microsoft is currently working on making these security defaults accessible to all license subscriptions. Depending on the creation date of your tenant, security defaults might already be activated. If not, they must be enabled in the Entra ID portal.
To learn more about security defaults, please refer to the Microsoft articles “Turn on multifactor authentication in Microsoft” and “Set up multifactor authentication for Microsoft 365”.
Conditional Access is a more flexible approach for requiring two-step verification and is the method recommended by Microsoft. It only works for Microsoft Entra MFA in the cloud, though, and it is a paid feature of Microsoft Entra ID.
You can create Conditional Access policies that apply to groups as well as individual users. High-risk groups can be given more restrictions than low-risk groups, or two-step verification can be required only for high-risk cloud apps and skipped for low-risk ones. Entra ID P2 licenses add risk-based Conditional Access that can adapt to user patterns, tracking normal behavior to minimize multi-factor authentication prompts that aren’t deemed necessary.
To learn more about Conditional Access policies and how to create one, refer to the “Create a Conditional Access policy” article.
The process described below is not applicable to enabling MFA via a Conditional Access policy.
It's important to note that enabling MFA for a user doesn't automatically enforce MFA. It will only be activated once the user completes the MFA process during their next sign-in to the Microsoft 365 webpage or app.
Microsoft Entra uses various terms to display the multi-factor authentication (MFA) status for each user. These user status indicators are shown in the Entra ID portal and are turned off by default.
There are three different MFA states:
Please note, in the context of enforced MFA user status, certain older non-browser applications, such as Office 2010 or earlier versions, may not support modern authentication protocols. To facilitate MFA for user accounts within these applications, while Entra ID multi-factor authentication remains active, app passwords can serve as an alternative to the user's regular credentials.
To check whether MFA is enabled for a user using CoreView, please refer to the following article: How to check a user's MFA status.
Sometimes, you might see a situation where “Enabled” and “Enforced” states seem to act the same. This means the user has MFA turned on and can use it, but their state still shows as “Enabled” instead of “Enforced”.
This can happen if you turn off MFA for users after they've finished the registration process, and then turn MFA back on. The registered authentication method is still there, but the user didn't go through the MFA registration process again.
To change the user status to “Enforced”, you have two options:
You can turn on multi-factor authentication in Entra ID in several ways. The best method for you depends on your situation and the type of Microsoft 365 license you have.
To begin, ensure that the Microsoft Graph module is installed on your machine:
Use the following command to authenticate and connect to Microsoft Graph:
Follow the on-screen instructions to complete the sign-in process.
Obtain the user information by retrieving the user’s ID or principal name:
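The three steps above as one read-only PowerShell session, extended to list the methods the user has registered (an added example, not CoreView's or Microsoft's own script). The UPN is a placeholder, and the result reports registered methods, not the per-user Enabled/Enforced state.

```powershell
# Added example: read-only check of which authentication methods a user has registered.
# Assumption: 'user@contoso.example' is a placeholder UPN; replace it with a real one.
$upn = 'user@contoso.example'

# Step 1: install the Microsoft Graph module for the current user if it is missing.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    Install-Module Microsoft.Graph -Scope CurrentUser
}

# Step 2: sign in, requesting only the read scopes this check needs.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Step 3: resolve the user by principal name.
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled

# Each registered method reports its kind in the @odata.type property.
$types = Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
}

# A password is the first factor, and the email method is only used for
# self-service password reset, so neither counts as a second factor.
$secondFactors = @($types | Where-Object {
    $_ -notin 'passwordAuthenticationMethod', 'emailAuthenticationMethod'
})

[pscustomobject]@{
    UserPrincipalName = $user.UserPrincipalName
    AccountEnabled    = $user.AccountEnabled
    RegisteredMethods = $types -join ', '
    HasSecondFactor   = $secondFactors.Count -gt 0
}

Disconnect-MgGraph | Out-Null
```

A user with `HasSecondFactor = False` has nothing to answer an MFA prompt with yet and will be sent through registration at the next sign-in that requires it.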
Configuring multi-factor authentication (MFA) often involves managing authentication methods through Entra ID or Conditional Access Policies. While specific MFA enabling commands might not be directly available through Microsoft Graph PowerShell yet, you can use the Microsoft Entra portal to configure these policies effectively.
For more details, please refer to the link: How to check a user's MFA status.