No CA policy enforces MFA for all users
No enabled Conditional Access policy requires MFA (or an authentication strength) for the "All users" scope, and Security Defaults is not enabled.
How to fix it
Create a Conditional Access policy that requires MFA for all users (or for all admins at minimum). Alternatively, enable Security Defaults for small tenants without CA licensing.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Policy.Read.AllDirectory.Read.All
Further reading
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
Get started — free first scan →