Administrators Without MFA
Checks if administrator accounts have MFA enabled
Why this matters
What this means
One or more accounts that hold an active directory role do not have an MFA method registered. Admin accounts carry elevated privileges over the whole tenant and are the most targeted accounts in any organisation.
Why is it a security risk?
- A compromised admin account without MFA gives an attacker immediate, privileged access to your tenant: they can add their own credentials and MFA methods, create further accounts as backdoors, export data, and weaken or disable security settings.
- Admin accounts are specifically targeted in spear-phishing campaigns because of their high value.
- This is flagged as Critical because it combines two risk factors: high-privilege access and missing MFA protection.
Recommended next steps
- Immediately enable MFA for every account that holds a directory role. Requiring MFA for administrators is the first item in Microsoft's guidance for securing privileged access.
- Create a Conditional Access policy that targets directory roles (rather than named users, so newly assigned admins are covered automatically) and requires MFA. Deploy it in report-only mode first and review the sign-in log before enforcing.
- For the highest-privilege roles (Global Administrator, Privileged Role Administrator), require phishing-resistant MFA: FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication, enforced through the built-in "Phishing-resistant MFA" authentication strength. SMS and voice calls count as MFA but are not phishing-resistant.
- Exclude your emergency access (break-glass) accounts from the role-based policy so a misconfigured policy cannot lock every administrator out, and protect them separately with a strong method stored offline (e.g., a FIDO2 key in a safe). Alert on any sign-in by these accounts.
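The steps above can be carried out as two Conditional Access policies. The following script is an added example, not code from EntraAnalyzer or Microsoft; it assumes the Microsoft.Graph PowerShell SDK, a signed-in account able to write Conditional Access policies, and real object IDs for your break-glass accounts in place of the placeholder. Both policies are created in report-only mode. Going beyond the page's wording, it derives the "all directory roles" list from the tenant's role templates instead of hard-coding them.

```powershell
# Added example (not EntraAnalyzer's own code): create the role-based MFA policies
# described in the recommended steps, in report-only mode for review before enforcement.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All' -NoWelcome

# Emergency access accounts are excluded here and protected separately (FIDO2 key in a safe).
$breakGlass = @('00000000-0000-0000-0000-000000000000')   # placeholder: replace with real object IDs

# Every directory role template, minus the Entra Connect sync account role: requiring
# MFA there would break directory synchronization rather than protect a human.
$allRoleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object DisplayName -ne 'Directory Synchronization Accounts' |
    Select-Object -ExpandProperty Id

# Well-known role template IDs (identical in every tenant) for the two most powerful roles.
$globalAdmin         = '62e90394-69f5-4237-9190-012177145e10'
$privilegedRoleAdmin = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
# Built-in "Phishing-resistant MFA" authentication strength (FIDO2, WHfB, CBA).
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'

function New-RolePolicy {
    # Helper assumed for this example: builds one policy targeting the given role IDs.
    param([string]$Name, [string[]]$RoleIds, [hashtable]$Grant)
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = @{
            users          = @{ includeRoles = $RoleIds; excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Any registered MFA method for every directory role.
New-RolePolicy -Name 'CA-Admins-Require-MFA' -RoleIds $allRoleIds `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# 2. Phishing-resistant MFA only for the roles that can reshape the tenant.
New-RolePolicy -Name 'CA-GA-PRA-PhishingResistant' -RoleIds @($globalAdmin, $privilegedRoleAdmin) `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistantStrength } }
```

After a few days, filter the sign-in log on the report-only result of each policy, confirm the break-glass accounts never appear as affected, and only then change `state` to `enabled`. Enable the second policy only after every Global and Privileged Role Administrator has actually registered a FIDO2 key or Windows Hello for Business, otherwise the policy blocks them rather than their attackers.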
How to fix it
Require MFA for all administrator accounts immediately
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
- Directory.Read.All
- User.Read.All
- UserAuthenticationMethod.Read.All
- Policy.Read.All
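With those scopes the check itself can be reproduced by hand. The script below is an added example, not EntraAnalyzer's own implementation; it assumes the Microsoft.Graph PowerShell SDK and the first three scopes listed above, resolves every active role assignment (expanding group assignments to their transitive user members), and reports any role holder with no MFA-capable method registered.

```powershell
# Added example (not EntraAnalyzer's own code): list directory-role holders who have
# no MFA-capable authentication method registered.
Connect-MgGraph -Scopes 'Directory.Read.All','User.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Method types that satisfy an MFA claim. Password, email (SSPR only) and temporary
# access pass are deliberately left out.
$MfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',          # SMS/voice: MFA, but phishable
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.hardwareOathAuthenticationMethod'
)
$PhishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Role definition id -> display name, so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Resolve each active assignment to user object IDs. Groups are expanded transitively;
# service principals cannot perform MFA and are skipped.
$adminUsers = @{}   # userId -> list of role names
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal) {
    $type = $a.Principal.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        $ids = @($a.PrincipalId)
    } elseif ($type -eq '#microsoft.graph.group') {
        $ids = @(Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All |
                 Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                 Select-Object -ExpandProperty Id)
    } else { continue }
    foreach ($id in $ids) {
        if (-not $adminUsers.ContainsKey($id)) { $adminUsers[$id] = [System.Collections.Generic.List[string]]::new() }
        $adminUsers[$id].Add($roleNames[$a.RoleDefinitionId])
    }
}

# Inspect the registered methods of every admin and classify the account.
$findings = foreach ($userId in $adminUsers.Keys) {
    $user  = Get-MgUser -UserId $userId -Property Id,UserPrincipalName,AccountEnabled
    $types = Get-MgUserAuthenticationMethod -UserId $userId |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        Roles             = ($adminUsers[$userId] | Sort-Object -Unique) -join '; '
        MfaRegistered     = [bool]($types | Where-Object { $MfaCapable -contains $_ })
        PhishingResistant = [bool]($types | Where-Object { $PhishingResistant -contains $_ })
    }
}

# Critical: a privileged account with no MFA method at all.
$findings | Where-Object { -not $_.MfaRegistered } | Format-Table -AutoSize
# Worth a second look: admins who rely only on phishable methods such as SMS.
$findings | Where-Object { $_.MfaRegistered -and -not $_.PhishingResistant } | Format-Table -AutoSize
```

Two caveats a practitioner will hit: reading another administrator's authentication methods requires the caller to hold the Privileged Authentication Administrator (or Global Administrator) role in addition to the Graph scope, and the script only covers active assignments. Eligible PIM assignments (role eligibility schedules) are not enumerated here and should be checked as well, since an eligible admin without MFA is one activation away from the same risk.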
Further reading
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.