Users Without MFA

Identifies users who do not have Multi-Factor Authentication enabled

Category
Authentication
Default severity
High
Rule key
CHECK_MFA_DISABLED_USERS
Why this matters

What this means

Users were found that do not have any Multi-Factor Authentication (MFA) method registered. They can therefore only authenticate with a password: a single factor that can be phished, guessed, or stolen. Note that the converse does not hold either: a user who has registered a method is still single-factor at sign-in until a Conditional Access policy or Security Defaults actually requires it, so a clean result on this rule is a floor, not proof that MFA is enforced.

Why is it a security risk?

  • Microsoft's own telemetry shows that accounts protected by MFA are more than 99.9% less likely to be compromised. Accounts without MFA are the lowest-hanging fruit for attackers.
  • Credential leaks from third-party breaches are common; if a user reuses a leaked password, the Entra ID account is immediately exposed to credential stuffing.
  • Without MFA, a phishing page only needs to capture one password to gain full access. Weaker factors such as SMS codes or simple push approvals raise the bar but can still be relayed by a real-time phishing proxy, which is why step 3 below matters for sensitive roles.

Recommended next steps

  1. Enable Microsoft Entra MFA for all users via Conditional Access or Security Defaults. With Conditional Access, exclude a break-glass group, start the policy in report-only mode, and enforce it once the sign-in logs show no unexpected failures.
  2. Use the Authentication methods activity report to track registration progress.
  3. Consider Authentication Strengths to require phishing-resistant methods (FIDO2 security keys or passkeys, Windows Hello for Business) for sensitive roles.
  4. Run a registration campaign (the "nudge" feature in the authentication methods policy) to prompt users to set up the Microsoft Authenticator app at their next sign-in.
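Steps 1 and 3 as Conditional Access policy bodies, written as an added Python example (not EntraAnalyzer's code and not a Microsoft sample). The payload shape follows the Microsoft Graph v1.0 conditionalAccessPolicy resource; the break-glass group ID is a placeholder, the Global Administrator role template ID is the fixed well-known value, and the authentication-strength ID is the built-in "Phishing-resistant MFA" strength, which you should confirm in your tenant with GET /identity/conditionalAccess/authenticationStrength/policies. Writing a policy needs Policy.ReadWrite.ConditionalAccess, which is outside the read-only scopes this rule uses. The lint function encodes the two checks a reviewer should insist on before the policy is created: a break-glass exclusion, and report-only before enforcement.

```python
"""Build and lint Conditional Access policies that require MFA (steps 1 and 3).

Added example, not EntraAnalyzer's code. Payload shape follows the Microsoft Graph
v1.0 conditionalAccessPolicy resource, created with
  POST /v1.0/identity/conditionalAccess/policies   (Policy.ReadWrite.ConditionalAccess)
IDs: BREAK_GLASS_GROUP is a placeholder; GLOBAL_ADMIN_ROLE is the fixed role template
id; PHISHING_RESISTANT_MFA is the built-in authentication strength id (verify with
GET /v1.0/identity/conditionalAccess/authenticationStrength/policies).
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"
BREAK_GLASS_GROUP = "00000000-1111-2222-3333-444444444444"        # placeholder
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"         # role template id
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"    # built-in strength


def mfa_policy(display_name, break_glass_group, *, roles=None,
               phishing_resistant=False, enforce=False):
    """Return a conditionalAccessPolicy body that requires MFA on every sign-in."""
    users = {"excludeGroups": [break_glass_group]}
    if roles:
        users["includeRoles"] = list(roles)     # scope to directory roles (step 3)
    else:
        users["includeUsers"] = ["All"]         # every user in the tenant (step 1)
    if phishing_resistant:
        grant = {"operator": "OR",
                 "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}
    else:
        grant = {"operator": "OR", "builtInControls": ["mfa"]}
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": users,
        },
        "grantControls": grant,
    }


def lint_policy(policy):
    """Return {'block': [...], 'warn': [...]}; create the policy only when 'block' is empty."""
    block, warn = [], []
    users = policy["conditions"]["users"]
    grant = policy.get("grantControls") or {}
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        block.append("no break-glass exclusion: a broken MFA method would lock out every admin")
    if "mfa" not in grant.get("builtInControls", []) and "authenticationStrength" not in grant:
        block.append("grant control requires neither 'mfa' nor an authentication strength")
    if policy["conditions"]["applications"].get("includeApplications") != ["All"]:
        warn.append("not all cloud apps covered: users can still sign in single-factor elsewhere")
    if policy["state"] == "enabled":
        warn.append("enforced directly: run report-only first and review the sign-in log")
    return {"block": block, "warn": warn}


if __name__ == "__main__":
    everyone = mfa_policy("Require MFA for all users", BREAK_GLASS_GROUP)
    admins = mfa_policy("Require phishing-resistant MFA for Global Admins", BREAK_GLASS_GROUP,
                        roles=[GLOBAL_ADMIN_ROLE], phishing_resistant=True)
    for policy in (everyone, admins):
        print(json.dumps(policy, indent=2))
        print(lint_policy(policy))
```

Both policies come out in report-only state by default; flip `enforce=True` only after the report-only sign-in entries have been reviewed, and keep the break-glass accounts excluded from every MFA policy so a broken Authenticator rollout cannot lock the tenant.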

How to fix it

Enable MFA for all users, starting with privileged accounts, and enforce it with a Conditional Access policy (or Security Defaults) so that a registered method actually becomes a required second factor at sign-in.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • User.Read.All
  • UserAuthenticationMethod.Read.All
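As an added example (not EntraAnalyzer's own code), here is the kind of evaluation the permissions above make possible, written in Python over constructed Graph-shaped records so it runs offline. The endpoints named in the docstring are real Microsoft Graph v1.0 paths; the user IDs, principal names and the privileged set are placeholders. Unlike the simplest check ("is there anything besides a password?"), it treats the email method (usable for self-service password reset only) and a Temporary Access Pass as not being a second factor, and surfaces method types it does not recognise for review instead of silently counting them as MFA.

```python
"""Flag Entra ID users whose only registered sign-in factor is a password.

Added example, not EntraAnalyzer's own code. It runs offline on constructed
Graph-shaped records; in a live run the inputs come from
  GET /v1.0/users?$select=id,userPrincipalName,accountEnabled
  GET /v1.0/users/{id}/authentication/methods
  GET /v1.0/directoryRoles?$expand=members      (optional, to rank privileged users)
which is what User.Read.All, UserAuthenticationMethod.Read.All and
Directory.Read.All permit.
"""
from typing import Iterable

# @odata.type values returned by /users/{id}/authentication/methods.
# Registered methods that can satisfy an MFA challenge:
MFA_CAPABLE = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
}
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
# Registered methods that do NOT count as a second factor:
#   password            - the single factor this rule is about
#   email               - usable for self-service password reset only
#   temporaryAccessPass - short-lived bootstrap credential, not a durable factor
NOT_A_FACTOR = {
    "#microsoft.graph.passwordAuthenticationMethod",
    "#microsoft.graph.emailAuthenticationMethod",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
}


def classify(methods: Iterable[dict]) -> str:
    """Return 'phishing_resistant', 'mfa', 'none' or 'unknown' for one user's methods."""
    types = {m.get("@odata.type") for m in methods}
    if types & PHISHING_RESISTANT:
        return "phishing_resistant"
    if types & MFA_CAPABLE:
        return "mfa"
    # A method type this table does not know: neither count it as MFA nor
    # ignore it; surface it so the table gets updated deliberately.
    if types - NOT_A_FACTOR:
        return "unknown"
    return "none"


def users_without_mfa(users, methods_by_user, privileged_ids=frozenset()):
    """Return findings for enabled users with no MFA-capable method, privileged first."""
    findings = []
    for user in users:
        if not user.get("accountEnabled", True):
            continue  # cannot sign in at all, so not a live single-factor account
        methods = methods_by_user.get(user["id"], [])
        status = classify(methods)
        if status in ("none", "unknown"):
            findings.append({
                "userPrincipalName": user["userPrincipalName"],
                "privileged": user["id"] in privileged_ids,
                "status": status,
                "registered": sorted(m["@odata.type"].rsplit(".", 1)[-1] for m in methods),
            })
    findings.sort(key=lambda f: (not f["privileged"], f["userPrincipalName"]))
    return findings


# --- constructed sample data, shaped like the Graph responses above -----------
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": True},
    {"id": "u5", "userPrincipalName": "erin@contoso.example", "accountEnabled": False},
    {"id": "u6", "userPrincipalName": "ga-admin@contoso.example", "accountEnabled": True},
]
SAMPLE_METHODS = {
    "u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}],
    "u2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "u3": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.emailAuthenticationMethod"}],    # SSPR only
    "u4": [{"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],    # passwordless
    "u5": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}], # disabled
    "u6": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod"}],
}
SAMPLE_PRIVILEGED = frozenset({"u6"})  # e.g. members of the Global Administrator role

if __name__ == "__main__":
    for f in users_without_mfa(SAMPLE_USERS, SAMPLE_METHODS, SAMPLE_PRIVILEGED):
        flag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{flag}{f['userPrincipalName']}: {f['status']}, registered={f['registered']}")
```

On the sample data the admin account with a password plus an expiring Temporary Access Pass is reported first, then bob (password only) and carol (password plus an SSPR-only email address); alice, dave and the disabled erin account are not findings. Swap the constructed dictionaries for paged results from the two Graph calls and the logic is unchanged.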

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →