Weak MFA methods enabled (SMS or Voice)
SMS and voice-call MFA are enabled in the authentication methods policy. These factors are vulnerable to SIM-swap, interception and social engineering attacks.
How to fix it
Disable SMS and voice authentication. Move users to phishing-resistant methods: FIDO2 security keys, Passkeys, Windows Hello for Business, or Microsoft Authenticator with number matching.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Policy.Read.All
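The check this rule describes, written out as an added example (not EntraAnalyzer's own code): it flags SMS and Voice when they are enabled in an authentication methods policy and reports who each one targets. The sample JSON is constructed and assumes the shape Microsoft Graph returns from `/policies/authenticationMethodsPolicy`; the function and constant names are hypothetical.

```python
import json

WEAK_METHODS = {"Sms", "Voice"}                      # factors this rule flags
STRONG_METHODS = {"Fido2", "MicrosoftAuthenticator"}  # two of the replacements named in the fix

# Constructed sample, shaped like the response of
# GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
SAMPLE_POLICY = json.loads("""
{
  "id": "authenticationMethodsPolicy",
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "disabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Voice", "state": "enabled",
     "includeTargets": [{"targetType": "group",
                         "id": "00000000-0000-0000-0000-000000000001"}]}
  ]
}
""")


def evaluate_weak_mfa(policy):
    """Return (findings, enabled_strong) for an authentication methods policy."""
    findings, enabled_strong = [], []
    for cfg in policy.get("authenticationMethodConfigurations", []):
        method = cfg.get("id")
        enabled = str(cfg.get("state", "")).lower() == "enabled"
        if method in STRONG_METHODS and enabled:
            enabled_strong.append(method)
        if method in WEAK_METHODS and enabled:
            targets = [t.get("id") for t in cfg.get("includeTargets", [])]
            findings.append({
                "method": method,
                "targets": targets,
                # "all_users" is the built-in target covering every user
                "tenant_wide": "all_users" in targets,
            })
    return findings, sorted(enabled_strong)


if __name__ == "__main__":
    findings, strong = evaluate_weak_mfa(SAMPLE_POLICY)
    for f in findings:
        scope = "all users" if f["tenant_wide"] else f"{len(f['targets'])} group(s)"
        print(f"FAIL: {f['method']} is enabled for {scope}")
    print("Replacement methods already enabled:", strong or "none")
```

A weak method scoped to a single group still fails the rule; the `tenant_wide` flag only helps decide which users to migrate first.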
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.