Understanding Multifactor Authentication (MFA) reports in CoreView

  • Last update on March 28th, 2024

Multifactor Authentication (MFA) adds an extra layer of security to the user authentication process, requiring users to verify their identity through multiple methods before accessing online services. In the context of CoreView, understanding how MFA is enforced and reported is critical for maintaining robust security measures. This article explores the two primary ways MFA can be enforced and how these are reflected within CoreView reports and dashboards.

Methods of MFA Enforcement

MFA can be implemented through two distinct approaches, each with its own implications for users and reporting:

1. Direct user enforcement

When MFA is directly enforced on users, they are prompted to configure one or more additional authentication methods (e.g., email, app, SMS, phone call). The chosen methods become visible in CoreView reports under the “Registered authentication methods” property column, providing administrators with a clear view of each user's authentication setup.

2. Conditional Access policy enforcement

Alternatively, MFA requirements can be dictated by Conditional Access (CA) policies, where MFA is only prompted under specific conditions defined in the policy. Currently, CoreView does not manage or report on MFA enforced through Conditional Access policies. 

This limitation means that while a user may be subject to MFA under CA conditions, CoreView reports and the Governance Center dashboard may inaccurately show the user's MFA as disabled if MFA is enforced exclusively through CA policies.

 

Deciphering CoreView reports

Understanding the terminology and data presented in CoreView reports is essential for accurately interpreting the state of MFA enforcement across your organization:

Is MFA capable

This indicates whether a user can use MFA, regardless of whether any verification methods are currently set up. 

A false status may appear if the user has configured an MFA method not accepted by the tenant policy.

 

Is MFA Registered

This confirms that a user has registered at least one verification method and indicates active MFA use.

Registered authentication methods

This lists the authentication methods authorized for MFA. Importantly, the presence of one or more authentication methods in this field does not guarantee that MFA is enforced or actively used for authentication.

Multifactor auth state

This clarifies the current MFA status for a user, with states including:

  • Enforced: the user has successfully logged in using MFA.
  • Enabled: MFA has been set up but not yet required for login.
  • Disabled: the user logs in with just their username and password.

When analyzing CoreView reports, it's crucial to remember that the platform's policy for counting users without enabled MFA does not account for MFA enforced through Conditional Access policies. This discrepancy can lead to misunderstandings regarding the actual security posture of your organization.
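One way to reconcile the report fields described above with Conditional Access coverage, as an added example that is not CoreView code. Only the four property names come from this article; the CSV layout, the `;` separator, the user names and the `CA_MFA_USERS` list (which must come from a source outside CoreView) are constructed assumptions.

```python
import csv
import io

# Constructed sample export. Column names are the report properties described
# in this article; the CSV layout and ';' method separator are assumptions.
SAMPLE_REPORT = """\
User principal name,Is MFA capable,Is MFA Registered,Registered authentication methods,Multifactor auth state
alice@example.com,True,True,app;SMS,Enforced
bob@example.com,True,True,app,Disabled
carol@example.com,False,False,,Disabled
dave@example.com,True,True,phone call,Disabled
erin@example.com,False,True,email,Enabled
"""

# Constructed list of users in scope of a CA policy that requires MFA.
CA_MFA_USERS = {"bob@example.com", "carol@example.com"}


def classify(row, ca_users):
    """Return a triage label for one report row."""
    upn = row["User principal name"].strip().lower()
    state = row["Multifactor auth state"].strip().lower()
    registered = row["Is MFA Registered"].strip().lower() == "true"
    capable = row["Is MFA capable"].strip().lower() == "true"
    methods = [m for m in row["Registered authentication methods"].split(";") if m.strip()]

    if state == "enforced":
        return "enforced per user"
    if upn in ca_users:
        if registered:
            return "covered by Conditional Access (not shown in report)"
        return "review: in CA scope but no method registered"
    if methods and not capable:
        return "review: registered method not accepted by tenant policy"
    if methods:
        return "gap: methods registered but MFA not required"
    return "gap: no MFA"


def triage(report_csv, ca_users):
    ca = {u.lower() for u in ca_users}
    reader = csv.DictReader(io.StringIO(report_csv))
    return {r["User principal name"]: classify(r, ca) for r in reader}


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_REPORT, CA_MFA_USERS).items():
        print(f"{user:20} {finding}")
```

Only the rows labelled `gap` are users with no MFA requirement from either enforcement method; the `covered by Conditional Access` rows are the ones the report counts as disabled even though a policy applies.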

 

If you haven’t granted CoreView the following Graph management consents, some information on MFA status in CoreView may not match the same information in the Microsoft Admin Center:

  • “UserAuthenticationMethod.Read.All”
  • “UserAuthenticationMethod.ReadWrite.All”

Ensuring these permissions are in place is crucial for accurate data synchronization and reporting.