This check verifies that Microsoft Entra users have a registered and enabled multifactor authentication method (that they are MFA capable). The evaluation covers enabled accounts only and identifies those lacking any usable second factor.
Risk
Without MFA, accounts are vulnerable to phishing, password spraying, and credential reuse, enabling takeover. Attackers can access mail and files, change settings, and move laterally, harming confidentiality, integrity, and availability of M365 resources.
prowler m365 --checks entra_users_mfa_capable
Recommendation
Enforce MFA for all enabled users, prioritizing phishing-resistant methods (FIDO2 security keys, passkeys, certificate-based authentication) and limiting SMS and voice calls. Apply least privilege and require MFA for privileged roles. Require registration during onboarding and routinely review coverage to sustain defense-in-depth.
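The evaluation described at the top of the page (enabled accounts only, fail when no usable second factor is registered) and the prioritization in the recommendation (phishing-resistant methods first, SMS/voice limited) can be expressed as a small classifier. The following is an added example, not Prowler's own check code: the record shape and method identifiers are modelled on the Microsoft Graph userRegistrationDetails report (userPrincipalName, methodsRegistered), the accountEnabled field is assumed to be joined in from the user object, the grouping of method identifiers into phishing-resistant / SMS-voice / other is an assumption for illustration, and the user records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed grouping of method identifiers (modelled on the methodsRegistered values
# of the Graph userRegistrationDetails report; not taken from Prowler).
PHISHING_RESISTANT = {
    "fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness", "x509Certificate",
}
SMS_VOICE = {"mobilePhone", "alternateMobilePhone", "officePhone"}
OTHER_MFA = {"microsoftAuthenticatorPush", "softwareOneTimePasscode", "hardwareOneTimePasscode"}
MFA_CAPABLE = PHISHING_RESISTANT | SMS_VOICE | OTHER_MFA
# "email" and "securityQuestion" serve self-service password reset only, so a user
# whose registered methods are limited to those has no second factor for sign-in.


@dataclass
class Finding:
    upn: str
    status: str                     # "PASS" or "FAIL"
    status_extended: str
    sms_voice_only: bool = False    # PASS, but only via methods the recommendation limits
    phishing_resistant: bool = False


def evaluate_user(user: dict) -> Optional[Finding]:
    """Evaluate one user record; disabled accounts are out of scope and yield None."""
    if not user.get("accountEnabled", False):
        return None
    upn = user["userPrincipalName"]
    usable = set(user.get("methodsRegistered", [])) & MFA_CAPABLE
    if not usable:
        return Finding(upn, "FAIL", f"User {upn} has no usable second factor registered.")
    return Finding(
        upn,
        "PASS",
        f"User {upn} is MFA capable via: {', '.join(sorted(usable))}.",
        sms_voice_only=usable <= SMS_VOICE,
        phishing_resistant=bool(usable & PHISHING_RESISTANT),
    )


def evaluate(users: list) -> list:
    """Run the check over a list of user records, skipping disabled accounts."""
    return [f for f in (evaluate_user(u) for u in users) if f is not None]


def summarize(findings: list) -> dict:
    """Coverage counters a reviewer would track between runs."""
    return {
        "evaluated": len(findings),
        "fail": sum(f.status == "FAIL" for f in findings),
        "sms_voice_only": sum(f.sms_voice_only for f in findings),
        "phishing_resistant": sum(f.phishing_resistant for f in findings),
    }


# Constructed sample records (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "methodsRegistered": ["email", "securityQuestion"]},        # SSPR-only: FAIL
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "methodsRegistered": ["mobilePhone"]},                      # PASS, SMS/voice only
    {"userPrincipalName": "carol@example.com", "accountEnabled": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},  # PASS, strong
    {"userPrincipalName": "dave@example.com", "accountEnabled": False,
     "methodsRegistered": []},                                   # disabled: not evaluated
    {"userPrincipalName": "erin@example.com", "accountEnabled": True,
     "methodsRegistered": []},                                   # nothing registered: FAIL
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_USERS)
    for f in findings:
        print(f.status, f.status_extended)
    print(summarize(findings))
```

The sms_voice_only flag is deliberately separate from the pass/fail status: such users satisfy the check as the page defines it, but they are the ones to move to a phishing-resistant method first when working through the recommendation.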
Remediation
New-MgUserAuthenticationPhoneMethod -UserId <USER_UPN> -PhoneType mobile -PhoneNumber "+15555550100"
- In the Microsoft Entra admin center, go to Entra ID > Users
- Select the user marked as not MFA capable
- Select Authentication methods > + Add authentication method
- Choose Phone number, enter the number in E.164 format (e.g., +15555550100), and select Add
- Repeat for each failing user
Resource Type
NotDefined
References
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userdevicesettings
- https://www.cisa.gov/resources-tools/services/m365-entra-id
- https://azure.microsofts.workers.dev/en-us/entra/identity/authentication/howto-mfa-userstates
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks