How to verify that users are set up for mandatory MFA

This topic covers steps to verify that users in your organization are set up to meet requirements to use MFA to sign in to Microsoft admin portals. For more information about which applications and accounts are affected and how the rollout works, see Planning for mandatory multifactor authentication for Azure and other admin portals.

Verify MFA for a personal account

A user might use their personal account to create a Microsoft Entra tenant for only a few users. If you used your personal account to subscribe to Azure, complete the following steps to confirm that your account is set up for MFA.

  1. Sign in to your Microsoft account Advanced security options.
  2. Under Additional security and Two-step verification, choose Turn on.
  3. Follow the instructions shown on the screen.

For more information, see How to use two-step verification with your Microsoft account.

Find users who sign in with and without MFA

Use the following resources to find users who sign in with and without MFA:

Verify MFA enablement

All users who access admin portals and Azure clients that require MFA must be set up to use MFA. Mandatory MFA isn't restricted to privileged roles. As a best practice, all users who access any administration portal should use MFA.

Use the following steps to verify that MFA is set up for your users, or to enable it if needed.

  1. Sign in to the Azure portal as a Global Reader.

  2. Browse to Identity > Overview.

  3. Check the license type for the tenant subscription.

  4. Follow the steps for your license type to verify MFA is enabled, or enable it if needed. To complete these steps, you need to sign out as a Global Reader, and sign back in with a more privileged role.

Verify MFA is enabled for Microsoft Entra ID P1 or Microsoft Entra ID P2 license

If you have a Microsoft Entra ID P1 or Microsoft Entra ID P2 license, you can create a Conditional Access policy to require MFA for users who access Microsoft admin portals:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
  6. Under Include, select All users, or a group of users who sign in to the applications that require MFA.
  7. Under Target resources > Cloud apps > Include, choose Select apps, and then select Microsoft Admin Portals.
  8. Under Access controls > Grant, select Grant access, Require authentication strength, select Multifactor authentication, and select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to enable your policy.

For more information, see Common Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals.
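
A check for the outcome of the steps above, as an added example that is not part of the original article or Microsoft's own code: it audits Conditional Access policy objects in the JSON shape returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`) and lists the reasons a policy that requires MFA for Microsoft Admin Portals might not yet enforce it for everyone. The function names, policy names and sample objects are constructed for illustration.

```python
MFA_STRENGTHS = {  # built-in authentication strength IDs that satisfy MFA
    "00000000-0000-0000-0000-000000000002",  # Multifactor authentication
    "00000000-0000-0000-0000-000000000003",  # Passwordless MFA
    "00000000-0000-0000-0000-000000000004",  # Phishing-resistant MFA
}

def audit_policy(p):
    """Return None if p does not require MFA for admin portals, else a list of gaps."""
    cond = p.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    users = cond.get("users") or {}
    grant = p.get("grantControls") or {}
    builtin = grant.get("builtInControls") or []
    strength = (grant.get("authenticationStrength") or {}).get("id")
    targets = {"MicrosoftAdminPortals", "All"} & set(apps)
    if not targets or ("mfa" not in builtin and strength not in MFA_STRENGTHS):
        return None
    gaps = []
    if p.get("state") == "enabledForReportingButNotEnforced":
        gaps.append("report-only: evaluated and logged, not enforced")
    elif p.get("state") != "enabled":
        gaps.append("policy is off")
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("not assigned to All users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key}: {len(users[key])} exclusion(s) to review")
    # With operator OR, another grant control can satisfy the policy without MFA.
    others = [c for c in builtin if c != "mfa"]
    if grant.get("operator") == "OR" and others:
        gaps.append("OR with " + ",".join(others) + ": MFA is optional")
    return gaps

def audit_tenant(policies):
    """Map displayName -> gaps for each policy requiring MFA for admin portals."""
    return {p["displayName"]: g for p in policies if (g := audit_policy(p)) is not None}

SAMPLE = [  # constructed sample input, not real tenant data
    {"displayName": "CA01-AdminPortals-MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000002"}}},
    {"displayName": "CA02-AllApps-MFA-or-Compliant", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]
if __name__ == "__main__": print(audit_tenant(SAMPLE))
```

An empty list for a policy means it is on, assigned to All users with no exclusions, and MFA is the only way to satisfy it; a policy saved as Report-only, as in step 9, is reported until its state is switched to On.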

Verify MFA is enabled for Microsoft 365 or Microsoft Entra ID Free

If you have a Microsoft 365 or Microsoft Entra ID Free license, you can enable MFA by using security defaults. Users are prompted for MFA as needed, but you can't define your own rules to control the behavior.

To enable security defaults:

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
  2. Browse to Identity > Overview > Properties.
  3. Select Manage security defaults.
  4. Set Security defaults to Enabled.
  5. Select Save.

For more information about security defaults, see Security defaults in Microsoft Entra ID.

If you don't want to use security defaults, you can enable per-user MFA. When you enable users individually, they perform MFA each time they sign in. An Authentication Administrator can enable some exceptions. To enable per-user MFA:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
  2. Browse to Identity > Users > All users.
  3. Select a user account, and click Enable MFA.
  4. Confirm your selection in the pop-up window that opens.

After you enable users, notify them by email. Tell the users that a prompt is displayed to ask them to register the next time they sign in. For more information, see Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.

Review the following topics to learn more about MFA: