As we know, traditional passwords aren’t secure enough anymore. So, in today’s world, MFA implementation is mandatory to meet the compliance requirements of the Microsoft 365 environment. Moreover, Multi-Factor Authentication has proven to be effective at blocking the majority of account compromises.

With MFA attacks still rising, Microsoft keeps gearing up in tuning the MFA authentication methods. To ensure the MFA enforcement in the organization, now, Microsoft has come up with the MFA registration details report and MFA registration & reset event reports. Let’s check out those reports in detail.

MFA User Registration Details Report

The user registration report lists the users who are capable of Azure Multi-factor authentication, Passwordless authentication, and Self-Service Password Reset. This report is used mainly to view the registration details of a specific user. Customization of columns and exporting of user registration details can be done.

Where Can You Obtain the MFA User Registration Details Report?

  • Log in to Azure Portal.
  • Navigate to Azure Active Directory –> Security –> Authentication Methods –> User Registration Details.

With the User Registration Report, you can track the following details:

  • UPN
  • Name
  • Multifactor authentication capable
  • Passwordless capable
  • SSPR registered
  • SSPR enabled
  • SSPR capable
  • Default Multifactor Authentication Method
  • Methods Registered
User Registration Details Report

Who are Multifactor Authentication Capable Users?

  • Users become capable when they got registered and enabled for strong authentication method in Azure AD.
  • An authentication method can be registered by either a user or admin.
  • Authentication Methods are enabled by the authentication method policy or multifactor authentication service settings.
  • The capability doesn’t reflect the users registered for MFA outside Azure AD.

Who are Passwordless Authentication Capable Users?

When users have registered and enabled at least one passwordless authentication method such as FIDO, Windows Hello for Business, or Passwordless Phone Sign-in, they fall under capable.

Who are Self-Service Password Reset Capable Users?

Self-Service capable users are those who can reset their passwords. The following two conditions must be met for users to be able to reset their password:

  • Registered enough methods to satisfy their organization’s policy for self-service password reset.
  • Option Enabled needs to be turned on to reset their password.

Find All the MFA Registered Methods by Office 365 Users

  • With this report, you can obtain a list of all second-factor authentication methods that users registered for MFA.
  • Filtering out to find MFA registration by specific method can also be done.

It includes registered methods such as Email, Mobile Phone, Alternative Mobile Phone, Office Phone, Microsoft Authentication Push, Hardware OATH token, Microsoft passwordless phone sign-in, Software One Time Passcode, FIDO2 Security key, Security question, Temporary Access Pass, Windows Hello of Business.

PowerShell Cmdlets to view MFA Registered Users

Apart from User registration details report, you can use PowerShell cmdlets to retrieve the list of users who have MFA enabled and disabled accounts.

Firstly, connect to the Microsoft User account.

Follow the below PowerShell command to get the list of users with MFA Enabled/Disabled status:

MFA Registration and Reset Event Reports

Registration and reset event report shows the registration and reset events performed in the last 30 days. Customization of columns and exporting of user registration and reset events can be made.

Why does this report matter? According to cybersecurity researchers, it has been observed that hackers tie MFA to a device they owned after compromising user accounts. In the event of compromised accounts, this report will be a great spot to examine if any new registrations and resets were made recently.

Where Can You View the MFA Registration and Reset Event Reports?

  • Log in to Azure Portal.
  • Navigate to Azure Active Directory –> Security –> Authentication Methods –> Registration and reset events.

With the Registration and Reset Event Reports, you can track the following details:

  • Date
  • UPN
  • Name
  • Activity type (Registration, Reset)
  • Method Used
  • Status
  • Failure Reason
Registration and reset event report

Get the Methods Used for MFA Registration

MFA registration and reset event reports lists what are the MFA methods registered by users along with the date, and time.

Methods used for MFA registration and reset includes Alternate mobile phone, Email, FIDO2 security key, Hardware OATH token, Microsoft Authenticator app, Microsoft Passwordless phone sign-in, Mobile phone, OATH code, Office phone, Security question, SMS, Software OATH token, Temporary access pass, Windows Hello for Business.

Limitations of MFA Registration Details and Reset Event Reports

Even though MFA Registration Details and Reset Event Reports provide great assistance, there are some notable lags too.

  • Dashboard does not display the PhoneAppNotification and PhoneAppOTP methods that a user might have configured.
  • Data in the report is not updated in real-time and may reflect a delay of a few hours.
  • Reports don’t come up with graphical representation for a better understanding.
  • Scheduling can’t be done in MFA registration reports.

I hope you found this blog useful to get to know about the recent releases on MFA Registration Details & Resets. Now, it’s time to start evaluating who has registered MFA in the organization!