Authentication
User authentication and MFA settings
14 findings in this category.
- Critical: Administrators Without MFA. Checks whether administrator accounts have MFA enabled.
- Medium: Authentication strength not configured. Checks whether authentication strength policies are used in Conditional Access to require phishing-resistant authentication methods for sensitive applications.
- Medium: Conditional Access policies stuck in report-only. Detects Conditional Access policies that have been in report-only mode for more than 30 days without being enforced.
- Low: Disabled Conditional Access policies. Identifies Conditional Access policies that are in the "disabled" state and may indicate abandoned or obsolete protection.
- Medium: Federated domains in use. Detects domains using federated authentication (ADFS or a third-party IdP).
- High: Legacy Authentication Usage. Detects usage of legacy authentication protocols.
- Critical: No CA policy enforces MFA for all users. No enabled Conditional Access policy requires MFA (or an authentication strength) for the "All users" scope, and Security Defaults is not enabled.
- Medium: No CA policy enforces sign-in frequency. No enabled Conditional Access policy configures a sign-in frequency session control, meaning tokens may remain valid indefinitely.
- High: No CA policy requires compliant or hybrid-joined devices. No enabled Conditional Access policy enforces device compliance or hybrid Azure AD join for access.
- High: No Conditional Access policy uses sign-in risk signals. The tenant has Entra ID P2, but no enabled Conditional Access policy consumes sign-in risk levels. Risky sign-ins (anonymous IP, unfamiliar location, token replay) go unchallenged.
- High: No Conditional Access policy uses user-risk signals. The tenant has Entra ID P2, but no enabled Conditional Access policy consumes user-risk levels from Identity Protection. Compromised accounts therefore trigger no automated response.
- Critical: Tenant security baseline check. Evaluates whether the tenant has baseline identity protection via either Security Defaults or Conditional Access policies.
- High: Users Without MFA. Identifies users who do not have Multi-Factor Authentication enabled.
- High: Weak MFA methods enabled (SMS or Voice). SMS and voice-call MFA are enabled in the authentication methods policy. These factors are vulnerable to SIM-swap, interception and social engineering attacks.