Audit MFA Configuration Changes

In today’s world, everyone in an organization is expected to use Multi-factor Authentication (MFA) as an extra layer of security beyond traditional credentials. MFA requires additional verification methods beyond the username and password when logging in to the Microsoft portal. For a secure experience, it is important to verify that all users in the organization comply with the MFA configuration. As Microsoft keeps improving MFA standards, it is essential for admins to keep track of which users have registered for MFA, which have not, and who enabled MFA for a specific user in the organization. Let’s take a look at how admins can manage MFA configurations in Azure AD.

Users Who Registered for MFA 

Registering for Multi-factor Authentication is important in an organization because it adds an extra layer of authentication that prevents hackers from logging into your systems. Users’ MFA registration can be tracked using the User Registration Details report, where admins can verify 100% compliance across the organization. This report shows which users are MFA capable, which methods each user has registered, and so on. MFA-capable users are those who have registered for, and are enabled to use, strong authentication methods.

Step 1: Log in to the Microsoft Azure Portal.

Step 2: Navigate to Azure Active Directory –> Security –> Authentication Methods –> User Registration details.

[Screenshot: User Registration Details]
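The report above is something you read in the portal, but the same data can be exported (or fetched through Microsoft Graph) and checked programmatically. The following Python is an added example, not code from the original post: it assumes records shaped like the Graph userRegistrationDetails resource (userPrincipalName, isMfaRegistered, isMfaCapable, methodsRegistered), which backs the portal report, and the sample records are constructed. It computes registration coverage, lists users who are not registered, users who registered but are not MFA capable (a method registered but not enabled by policy), and users whose only registered methods are phone or email based, which are weaker than app or FIDO2 methods.

```python
"""Check MFA registration coverage from user-registration-details records.

Assumes records follow the Microsoft Graph ``userRegistrationDetails`` shape
(userPrincipalName, isMfaRegistered, isMfaCapable, methodsRegistered).
The sample below is constructed for illustration, not real tenant data.
"""
import json

# Constructed sample export (not real users).
SAMPLE_REGISTRATION_JSON = """[
  {"userPrincipalName": "alice@example.com", "isMfaRegistered": true,
   "isMfaCapable": true, "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
  {"userPrincipalName": "bob@example.com", "isMfaRegistered": true,
   "isMfaCapable": true, "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "carol@example.com", "isMfaRegistered": false,
   "isMfaCapable": false, "methodsRegistered": []},
  {"userPrincipalName": "dave@example.com", "isMfaRegistered": true,
   "isMfaCapable": false, "methodsRegistered": ["mobilePhone"]}
]"""

# Phone and email based methods are weaker than app based or FIDO2 methods;
# a user who has registered only these is flagged for follow-up.
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}


def load_registration_details(text):
    """Parse the exported JSON array of registration-detail records."""
    return json.loads(text)


def registration_summary(records):
    """Return coverage figures and the users an admin should chase."""
    total = len(records)
    not_registered = sorted(r["userPrincipalName"] for r in records
                            if not r["isMfaRegistered"])
    # Registered but not capable: a method exists but policy does not enable it.
    not_capable = sorted(r["userPrincipalName"] for r in records
                         if r["isMfaRegistered"] and not r["isMfaCapable"])
    weak_only = sorted(r["userPrincipalName"] for r in records
                       if r["methodsRegistered"]
                       and set(r["methodsRegistered"]) <= WEAK_METHODS)
    method_counts = {}
    for r in records:
        for method in r["methodsRegistered"]:
            method_counts[method] = method_counts.get(method, 0) + 1
    registered = total - len(not_registered)
    return {
        "total_users": total,
        "mfa_registered": registered,
        "coverage_percent": round(100.0 * registered / total, 1) if total else 0.0,
        "not_registered": not_registered,
        "registered_but_not_capable": not_capable,
        "weak_methods_only": weak_only,
        "method_counts": method_counts,
    }


if __name__ == "__main__":
    summary = registration_summary(load_registration_details(SAMPLE_REGISTRATION_JSON))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The "registered but not capable" bucket is the one that is easy to miss in the portal: those users look registered in a head count but cannot actually complete an MFA challenge until the method is enabled in the authentication methods policy.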

Users Who Signed In Using MFA

Since native sign-in methods that use only a username and password are vulnerable to brute-force attacks, it is important to monitor the sign-ins made with and without MFA. Wondering how? Using Azure AD sign-in logs, admins can easily track the logins made with each authentication method, along with details like status, date, time, application, IP address, location, etc.

Step 1: Log in to the Microsoft Azure Portal.

Step 2: Navigate to Azure Active Directory –> Sign-in logs.

[Screenshot: MFA Sign-in audit logs]

Further, by using sign-in logs, admins can obtain information about the conditional access policies applied to each sign-in.
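Scrolling the sign-in blade works for a handful of users, but the log can also be downloaded as JSON and split into MFA and single-factor sign-ins per user. The Python below is an added example, not code from the original post: it assumes records shaped like the Microsoft Graph signIn resource (userPrincipalName, authenticationRequirement, status.errorCode, conditionalAccessStatus, appDisplayName, ipAddress, createdDateTime), and the sample records are constructed. The error code 50074 in the sample is the Azure AD code for a sign-in that did not pass the MFA challenge.

```python
"""Split Azure AD sign-ins into MFA and non-MFA from an exported sign-in log.

Field names follow the Microsoft Graph ``signIn`` resource. Sample records
below are constructed, not real sign-ins.
"""
import json
from collections import defaultdict

# Constructed sample export. 50074 = strong authentication required, MFA not passed.
SAMPLE_SIGNIN_JSON = """[
  {"createdDateTime": "2023-03-01T08:02:11Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
  {"createdDateTime": "2023-03-01T08:05:42Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7",
   "authenticationRequirement": "singleFactorAuthentication",
   "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
  {"createdDateTime": "2023-03-01T08:07:03Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "failure", "status": {"errorCode": 50074}},
  {"createdDateTime": "2023-03-01T09:10:00Z", "userPrincipalName": "carol@example.com",
   "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.25",
   "authenticationRequirement": "singleFactorAuthentication",
   "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
]"""


def load_signins(text):
    """Parse the exported JSON array of sign-in records."""
    return json.loads(text)


def successful(rec):
    """A sign-in succeeded when its status errorCode is 0."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def mfa_summary(records):
    """Per-user counts of successful sign-ins with and without MFA, plus MFA failures."""
    per_user = defaultdict(lambda: {"mfa": 0, "single_factor": 0, "mfa_failed": 0})
    for rec in records:
        upn = rec["userPrincipalName"]
        is_mfa = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        if not successful(rec):
            if is_mfa:
                per_user[upn]["mfa_failed"] += 1
            continue
        per_user[upn]["mfa" if is_mfa else "single_factor"] += 1
    return dict(per_user)


def single_factor_signins(records):
    """Successful sign-ins that completed without MFA: the rows worth reviewing."""
    return [(r["createdDateTime"], r["userPrincipalName"], r["appDisplayName"], r["ipAddress"])
            for r in records
            if successful(r)
            and r.get("authenticationRequirement") != "multiFactorAuthentication"]


def conditional_access_outcomes(records):
    """Count conditionalAccessStatus values to see whether policies actually applied."""
    counts = defaultdict(int)
    for r in records:
        counts[r.get("conditionalAccessStatus", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNIN_JSON)
    print(mfa_summary(signins))
    for row in single_factor_signins(signins):
        print("single-factor:", row)
    print(conditional_access_outcomes(signins))
```

A high notApplied count in the conditional access outcomes is itself a finding: it usually means a sign-in path (often a legacy or service app) is not covered by any policy that requires MFA.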

Why MFA Registration Failed

While configuring Multi-factor Authentication, registration sometimes fails, and admins should know why. The reason for the MFA registration failure can be obtained from the Registration and reset events report. This report also provides the activity date, time, authentication methods used, etc., for better visibility.

Step 1: Log in to the Microsoft Azure Portal.

Step 2: Navigate to Azure Active Directory –> Security –> Authentication Methods –> Registration and reset events.

[Screenshot: MFA Failure Reason]

Never skip configuring Multi-factor Authentication, as it is a crucial safeguard that keeps bad actors away from your valuable data.

Find Out Who Configured MFA for a Specific User 

Adopting MFA is a key initiative for any company regardless of size, and it is one of the simplest ways to keep user accounts protected. Using Azure, it is also possible to keep track of the admins who turned on MFA for specific users. During investigations, admins can use Azure audit logs to find out who made a suspicious MFA registration.

Step 1: Log in to the Microsoft Azure Portal.

Step 2: Navigate to Azure Active Directory –> Audit Logs.

Step 3: Specify ‘Authentication Methods’ under the Service filter.

Step 4: Customize the date range based on your requirement and then select Apply.

Step 5: The ‘Initiated by’ column shows the user who turned on MFA for a specific user.

[Screenshot: MFA initiated user list]

From the results obtained, admins can select any specific row to view the complete audit record and the details of who initiated the MFA registration.
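Both the registration-failure view above and the ‘Initiated by’ lookup in this section are filters over the same audit log, so one script can answer both questions once the log is exported. The Python below is an added example, not code from the original post: it assumes records shaped like the Microsoft Graph directoryAudit resource (loggedByService, activityDisplayName, result, resultReason, initiatedBy, targetResources), which is what the Audit Logs blade exports, and every sample record is constructed. The activity names "User registered security info" and "Admin registered security info" are the ones Azure AD logs under the Authentication Methods service; the resultReason strings in the sample are illustrative.

```python
"""Answer two questions from an Azure AD audit-log export: why a registration
failed, and who registered an authentication method on another user's behalf.

Records follow the Microsoft Graph ``directoryAudit`` shape. All sample
records below are constructed, not real tenant events.
"""
import json

SAMPLE_AUDIT_JSON = """[
  {"activityDateTime": "2023-03-02T10:01:00Z", "loggedByService": "Authentication Methods",
   "category": "UserManagement", "activityDisplayName": "User registered security info",
   "result": "success", "resultReason": "User registered Authenticator App with Notification and Code",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": null},
   "targetResources": [{"userPrincipalName": "alice@example.com", "type": "User"}]},
  {"activityDateTime": "2023-03-02T10:15:00Z", "loggedByService": "Authentication Methods",
   "category": "UserManagement", "activityDisplayName": "User registered security info",
   "result": "failure", "resultReason": "User failed to register Mobile Phone",
   "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}, "app": null},
   "targetResources": [{"userPrincipalName": "bob@example.com", "type": "User"}]},
  {"activityDateTime": "2023-03-02T11:30:00Z", "loggedByService": "Authentication Methods",
   "category": "UserManagement", "activityDisplayName": "Admin registered security info",
   "result": "success", "resultReason": "Admin registered Mobile Phone",
   "initiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@example.com"}, "app": null},
   "targetResources": [{"userPrincipalName": "carol@example.com", "type": "User"}]},
  {"activityDateTime": "2023-03-02T12:00:00Z", "loggedByService": "Core Directory",
   "category": "UserManagement", "activityDisplayName": "Update user",
   "result": "success", "resultReason": "",
   "initiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@example.com"}, "app": null},
   "targetResources": [{"userPrincipalName": "carol@example.com", "type": "User"}]}
]"""


def load_audit_events(text):
    """Parse the exported JSON array of audit events."""
    return json.loads(text)


def initiator(event):
    """Who performed the action, matching the portal's 'Initiated by' column."""
    by = event.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName") or by["user"].get("id", "unknown-user")
    if by.get("app"):
        return by["app"].get("displayName") or by["app"].get("appId", "unknown-app")
    return "unknown"


def target_users(event):
    """UPNs of the user objects the event acted on."""
    return [t["userPrincipalName"] for t in event.get("targetResources", [])
            if t.get("type") == "User"]


def auth_method_events(events):
    """Equivalent of the portal's Service = 'Authentication Methods' filter."""
    return [e for e in events if e.get("loggedByService") == "Authentication Methods"]


def registration_failures(events):
    """(time, user, reason) for failed registrations, as in Registration and reset events."""
    return [(e["activityDateTime"], initiator(e), e.get("resultReason", ""))
            for e in auth_method_events(events) if e.get("result") == "failure"]


def who_registered_for(events, upn):
    """Events where someone other than the target user changed that user's security info."""
    return [(e["activityDateTime"], initiator(e), e["activityDisplayName"])
            for e in auth_method_events(events)
            if upn in target_users(e) and initiator(e) != upn]


if __name__ == "__main__":
    events = load_audit_events(SAMPLE_AUDIT_JSON)
    print("failures:", registration_failures(events))
    print("carol's methods changed by:", who_registered_for(events, "carol@example.com"))
```

The who_registered_for check deliberately excludes self-service registrations (initiator equals target) so that what remains is exactly the set of changes made on the user's behalf, which is what an investigator wants to reconcile against help-desk tickets.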

I hope this blog has helped you learn where to find MFA enrollment and related details in Azure Active Directory. Feel free to leave a comment if you need further assistance!