Customer multifactor authentication statistics

  • Article

This article describes extended security best practices for setting up multifactor authentication (MFA) on your customers' tenants.

The Customer MFA statistics page in Partner Center offers an aggregate view of your customers' tenant security. This resource empowers you with the data to take proactive measures to help ensure MFA compliance across all customer accounts and fortify defenses against potential compromises.

To learn more about the importance of implementing good security practices, such as MFA and modern authentication protocols, to help prevent attacks, see Security at your organization. That article describes how to assess the security of your partner tenants and identify areas where you need to take action.

Open the page

Go to Customer MFA statistics.

The page highlights key information about your customers' MFA security posture in a table that has these columns:

  • Customer: The customer's name.
  • Admins with MFA enabled: The number of admins in the customer's tenant who have MFA enabled.
  • Non-admins with MFA enabled: The number of non-admin users in the customer's tenant who have MFA enabled.
  • Total Users: The total number of users in the customer's tenant.

You can search for statistics of a specific customer by using the Search box.

Screenshot of the page for customer multifactor authentication, showing a list of customers and their MFA status.

Manage a customer's MFA security posture

To enable MFA for your customers, you should have the appropriate granular delegated admin privileges (GDAP) role.

To enable MFA for a customer by using the command bar:

  • Select the customer, and then select either Manage security defaults or Manage conditional access.

    Screenshot of the page for customer multifactor authentication, showing a list of customers with a single customer selected.

To show all users associated with a customer:

  • Select the customer, and then select View all users.

    The MFA score calculations appear, including for users who have disabled accounts. We recommend that you delete all users who have disabled accounts if they're not needed.

Alternately, if you have GDAP permissions on the customer tenant with an appropriate admin role, you can sign in to the Microsoft Entra admin center on behalf of the customer (also known as Admin on Behalf of or AOBO).

Configure security defaults

We strongly recommend that you enable security defaults unless you've implemented other security protections for your Cloud Solution Provider (CSP) tenant that include MFA, such as Conditional Access.

To configure security defaults in your customer's directory, you must be assigned at least the Security Administrator role. If you don't have the appropriate admin role, work with your customer so that a user in that organization who has the appropriate admin role can sign in to the Microsoft Entra admin center for their tenant to set up MFA.

To enable security defaults:

  1. Select a customer from the customer list.

  2. Select Service Management.

  3. Under Administer Services, select Microsoft Entra ID.

  4. Sign in to the Microsoft Entra admin center by using the appropriate GDAP role.

  5. Go to Identity > Overview > Properties.

  6. Select Manage security defaults.

  7. On the Security defaults pane, select Enabled (recommended) in the box, and then select Save.

    Screenshot that shows selections for enabling security defaults.