Security at your organization: Multifactor authentication statistics

When an account is compromised, attackers can gain access to sensitive information and cause real harm. Organizations can prevent many attacks by implementing good security practices, such as using multifactor authentication (MFA) at sign-in and requiring modern authentication protocols that resist phishing. We've found that more than 99.9% of compromised accounts don't have MFA, which leaves them vulnerable to password spray, phishing, and password reuse.

To help you understand how well your tenant is secured and where you need to take action, Partner Center includes an MFA reporting page titled Security at your organization. This page provides insights that help you take timely action to enable MFA for all your users, so that your environment is as secure as possible.

Opening the page

To open Security at your organization in Partner Center, you can either:

The following screenshot shows an example of the page.

Screenshot of the page for security at your organization.

Summary

The top of the Security at your organization page contains the following summary boxes:

  • MFA Status: Shows whether your tenant is MFA protected (Complete) or not protected (Incomplete). A user who has the Tenant Administrator role in Microsoft Entra ID can enable MFA by selecting Require MFA for all administrator logins.
  • Admins with MFA enabled: Shows how many admins in a tenant have MFA enabled out of the total number of admins in the tenant.
  • All users with MFA enabled: Shows how many users in a tenant have MFA enabled out of all users in the tenant, including admin users.
  • Points achieved: Shows how many points your tenant has achieved for the requirement Require MFA for Admin roles toward your overall security score. You can also view this information on the Security requirements dashboard.

MFA details

The MFA details section has two charts:

  • Admins MFA registration: Displays the subset of admins who are covered by a policy but haven't registered their device for MFA, the subset of admins who have MFA enabled, and the subset of admins who don't have MFA enabled.
  • All users MFA registration: Displays the subset of users who are covered by a policy but haven't registered their device for MFA, the subset of users who have MFA enabled, and the subset of users who don't have MFA enabled.

MFA policy details

The MFA Policy Details section shows whether the following MFA policies are Enabled or Disabled for your tenant:

  • Security Defaults (recommended)
  • Conditional Access Policies
  • Legacy Per-User MFA (that is, for each individual user account; not recommended)

To learn more details about the policies, policy coverage, and how to enable them, see Multifactor authentication for Microsoft 365.