M365 2FA reports as disabled

Velvis
I am trying to confirm all users have 2FA set up. I recently set up 2FA for a user, but inside the admin center under per-user multifactor authentication, users I know have 2FA turned on are listed as disabled.

Am I not looking in the right place?
 
If you have Conditional Access enabled, that entire screen should read as all users disabled.

Conditional Access can work on a per user basis, but if you're doing that... it's pretty much wrong.

If Security Defaults are enabled, MFA is enforced for admins, and enrollment is enabled for users, enforcement of MFA on users will not happen until the platform detects "risk". Which... is rather flimsy.

So you are looking in the correct place... but the question becomes what is the baseline MFA enforcement mechanism? Security Defaults or Conditional Access?
 
> If you have Conditional Access enabled, that entire screen should read as all users disabled.

And if Microsoft were sensible (and we all know this is often not the case) since what you say is true there would be a banner on that page directing attention to Conditional Access settings.

I hate when MS or anyone does this sort of thing. The humans that administer this stuff, and particularly those who are new to the platforms, are not likely to know every nook and cranny and why something that seems like it should be enabled curiously is not.
 
> And if Microsoft were sensible (and we all know this is often not the case) since what you say is true there would be a banner on that page directing attention to Conditional Access settings.
>
> I hate when MS or anyone does this sort of thing. The humans that administer this stuff, and particularly those who are new to the platforms, are not likely to know every nook and cranny and why something that seems like it should be enabled curiously is not.
There is... when it's enabled the banner is present.
 
> Which, I guess, tells us that Conditional Access is not enabled in this specific situation. Good to know.
Correct, but you're not wrong about it being confusing...

Tangentially related and equally absurd... If you take the AZ-104 exam, you're going to see a question that shows a screenshot of the properties of a virtual NIC. That screenshot is going to be missing a WAN IP address. And you're supposed to know from that information that the VM is turned off.

Never mind that you had to click two screens past the VM's dedicated UI window that clearly says Stopped, or Stopped (Deallocated) to get to that screen typically. But they actually TEST YOU on that minutia.

This is what it means to administrate a cloud environment. Yes, the UI stinks... but it's literally on the test... so get a helmet. M365 isn't a small system, and knowing it isn't optional if you want to work in this space.
 
@Sky-Knight

There is a very good reason, at an age past 60, that I have removed myself from this arena of the profession. "That space" is one I avoid like the plague.

God bless you and others who have the tolerance for it. I certainly no longer do.
 
> If you have Conditional Access enabled, that entire screen should read as all users disabled.
>
> Conditional Access can work on a per user basis, but if you're doing that... it's pretty much wrong.
>
> If Security Defaults are enabled, MFA is enforced for admins, and enrollment is enabled for users, enforcement of MFA on users will not happen until the platform detects "risk". Which... is rather flimsy.
>
> So you are looking in the correct place... but the question becomes what is the baseline MFA enforcement mechanism? Security Defaults or Conditional Access?

Flimsy is very generous.

I've tested it. I was able to login without MFA on a user account in California and then again minutes later in a different state.
 
> Flimsy is very generous.
>
> I've tested it. I was able to login without MFA on a user account in California and then again minutes later in a different state.
Yes, the only time I've seen it trigger is when someone tries to enroll a new authenticator, change the password, or configure an email forward.

To work around this, you enable Security Defaults, go configure your Authentication Methods in Azure and set the authentication migration to "in progress", then you can go back to the per-user MFA screen and set them all to enforced.

This gets you where you want to go without having to license Conditional Access policy; however, I highly recommend you license Conditional Access policy. Per-user MFA works, but it's failure prone. CA means I configure authentication for the tenant once, and forever more everyone is subject to those rules.

Set it once.
Test it once.
Defend the tenant forever.

Or... continue manually flipping switches and pray you don't miss one... which will happen... 100% of tenants in this configuration will be compromised due to configuration error. Such is the nature of human error.
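The thread's point is that the per-user MFA page only tells you something if you already know which mechanism (Security Defaults, Conditional Access, or per-user enforcement) is the tenant's baseline. The following is an added example, not code from the thread or from Microsoft: a read-only Microsoft Graph PowerShell audit that checks each of those in turn and flags users who could not satisfy an MFA prompt at all. It assumes the Microsoft.Graph SDK (the Identity.SignIns and Reports modules) is installed and that the signed-in account holds the scopes requested; the interpretation rules in the comments are the editor's reading of the thread, not a Microsoft statement.

```powershell
# Added example (not from the thread): audit which MFA baseline a tenant
# actually has, so a "Disabled" column on the per-user MFA page can be read in
# context. Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports
# are installed and the account can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Security Defaults: if $true, admins get MFA and ordinary users are only
#    prompted when the platform flags risk (the "flimsy" case in the thread).
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled : $($securityDefaults.IsEnabled)"

# 2. Authentication methods policy migration state. The post's workaround sets
#    this to migrationInProgress before enforcing per-user MFA.
$authMethods = Get-MgPolicyAuthenticationMethodPolicy
Write-Host "Auth methods migration    : $($authMethods.PolicyMigrationState)"

# 3. Enabled Conditional Access policies whose grant control requires MFA,
#    either the built-in 'mfa' control or an authentication strength.
#    If any exist, the per-user MFA page showing everyone as "Disabled" is
#    expected: enforcement lives here, not on that page.
$caMfa = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and
        ($_.GrantControls.BuiltInControls -contains 'mfa' -or
         $null -ne $_.GrantControls.AuthenticationStrength.Id)
    })
Write-Host "CA policies requiring MFA : $($caMfa.Count)"
foreach ($policy in $caMfa) {
    # Flag policies scoped to individual users rather than 'All'; the thread
    # calls per-user CA scoping "pretty much wrong".
    $userScoped = $policy.Conditions.Users.IncludeUsers -notcontains 'All'
    Write-Host ("  - {0} (user-scoped: {1})" -f $policy.DisplayName, $userScoped)
}

# 4. Registration coverage: whichever mechanism enforces MFA, a user with no
#    usable method registered cannot satisfy a prompt and will be blocked or,
#    worse, left on password-only depending on policy.
$registrations = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$notCapable = @($registrations | Where-Object { -not $_.IsMfaCapable })
Write-Host "Users not MFA-capable     : $($notCapable.Count) of $($registrations.Count)"
$notCapable | Select-Object UserPrincipalName, IsMfaRegistered, IsAdmin | Format-Table -AutoSize

# Interpretation (editor's assumption, derived from the thread):
#   Security Defaults = True,  CA MFA policies = 0 -> users prompted only on detected risk
#   Security Defaults = False, CA MFA policies = 0 -> only per-user enforcement protects anyone
#   CA MFA policies > 0                            -> the per-user page is not the source of truth
if (-not $securityDefaults.IsEnabled -and $caMfa.Count -eq 0) {
    Write-Warning 'No Security Defaults and no MFA-requiring Conditional Access policy: the per-user MFA page is the only control. Confirm every user is set to Enforced.'
}
```

Security Defaults and Conditional Access policies cannot both be active in a tenant, so in practice the script will show one or the other; the case to worry about is the last branch, where neither is on and the per-user switches the thread warns about are all that stands between a password and the mailbox.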
 