How to check a user's MFA status

  • Last update on October 3rd, 2023

Problem Statement:

How do I check if a user has MFA enabled and who enabled it using CoreView

Solution:

In this article, we will understand how to verify 

  1. If MFA is enabled from the Azure Portal
  2. If MFA is enabled using CoreView 
  3. Who made the MFA update for a User using CoreView 

If you want to know how to configure MFA then kindly refer to the KB article - How to enable MFA

1. How to check if MFA is enabled from the Azure Portal

To view and manage user states, complete the following steps to access the Azure portal page:

  • Sign in to the Azure portal as a Global administrator.
  • Search for and select Azure Active Directory, then select Users > All users.
  • Select Per-user MFA.
  • A new page opens that displays the user state, as shown in the following example.

To learn more about MFA status of a User kindly refer the MSDN article: View the MFA Status of a User

2. To see if a user has MFA enabled using CoreView follow below steps:

  • Log in to CoreView
  • Under Reports Tab --> Select Users (As shown below in the screenshot)
  • Under columns choose 'Multifactor auth state' and click on apply:
  • The column 'Multifactor auth state' will indicate if the user has MFA enabled, enforced or disabled.

Key Terminologies:

  • Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
  • Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
  • Disabled: This is the default state for a new user that has not been enrolled in MFA.

3. To find who made the changes:

  1. If the MFA was enabled through CoreView, you can see the details from the audit logs (Refer below screenshot). 

    Here you can apply a filter on the Action column or Created on column to find the desired output:
  2. If the changes were made through M365/Azure, then you can find the details from Audit Tab. Please follow the below steps:
  • Apply filter on 'Operation Column' with value “Enable Strong Authentication
  • Change the Date Range as per your requirement:
  • This will show details of the users with MFA and who made the changes

Key Terminologies:

User ID: User who performed the action
Object ID: User on whom the action was performed