Missing MFA for Non-Privileged Account

Medium

Description

Multi-Factor Authentication (MFA), formerly known as Two-Factor Authentication (2FA), provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA even for non-privileged accounts.

When an attacker obtains a user's password by any means, MFA blocks authentication by requiring an additional factor, such as a time-limited code from a mobile application, a physical token, or a biometric.

This Indicator of Exposure alerts you when an account has no registered MFA method, or when MFA is enforced but the user has not yet registered a method. In the latter case an attacker who already holds the password can register their own MFA method at first sign-in, which creates a security risk. However, this Indicator of Exposure cannot report on whether or not Microsoft Entra ID actually enforces MFA, because Conditional Access Policies may require MFA only under dynamic criteria.

See also the related IOE, "Missing MFA for Privileged Account", for privileged accounts.
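The check described above, as an added example that is not part of this indicator's own implementation: it reads the Microsoft Graph authentication-methods registration report (GET /reports/authenticationMethods/userRegistrationDetails) and reports non-admin users with no registered MFA method. The `fetch_page` callable is a hypothetical injection point (a real run would call Graph with a bearer token), and the report pages below are constructed sample data.

```python
"""Flag non-privileged Entra ID users with no registered MFA method.

Mirrors the logic of this Indicator of Exposure: a user is reported when
isAdmin is false and isMfaRegistered is false. Privileged accounts are
left to the related "Missing MFA for Privileged Account" indicator.
"""
from typing import Callable, Iterator

GRAPH_REPORT = ("https://graph.microsoft.com/v1.0/reports/"
                "authenticationMethods/userRegistrationDetails")

# Constructed sample pages imitating the report's shape (two pages joined
# by @odata.nextLink). "email" is an SSPR-only method, so dave has a
# registered method but still no MFA method: rely on isMfaRegistered,
# not on methodsRegistered being non-empty.
SAMPLE_PAGES = {
    GRAPH_REPORT: {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "isAdmin": False,
             "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
            {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
             "isMfaRegistered": False, "methodsRegistered": []},
        ],
        "@odata.nextLink": GRAPH_REPORT + "?$skiptoken=page2",
    },
    GRAPH_REPORT + "?$skiptoken=page2": {
        "value": [
            {"userPrincipalName": "carol-admin@contoso.example", "isAdmin": True,
             "isMfaRegistered": False, "methodsRegistered": []},
            {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
             "isMfaRegistered": False, "methodsRegistered": ["email"]},
        ],
    },
}


def iterate_report(fetch_page: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every user record, following @odata.nextLink until exhausted."""
    url = GRAPH_REPORT
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def missing_mfa_non_privileged(fetch_page: Callable[[str], dict]) -> list:
    """Return sorted UPNs of non-admin users with no MFA method registered."""
    return sorted(
        u["userPrincipalName"]
        for u in iterate_report(fetch_page)
        if not u.get("isAdmin", False) and not u.get("isMfaRegistered", False)
    )


if __name__ == "__main__":
    for upn in missing_mfa_non_privileged(SAMPLE_PAGES.__getitem__):
        print(upn)
```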

Solution

All reported users must register MFA methods and have MFA enforced to increase their protection against password attacks.

For Microsoft Entra ID, Microsoft offers a Conditional Access Policy template called Require MFA for all users. This policy prompts users to register an MFA method the first time they authenticate following MFA enforcement. We recommend that you follow the "Plan a Conditional Access deployment" Microsoft documentation.

Indicator Details

Name: Missing MFA for Non-Privileged Account

Codename: MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT

Severity: Medium

MITRE ATT&CK Information:

Techniques: T1098, T1110, T1556.006, T1078.004