Microsoft Entra Conditional Access has an enforced policy requiring multifactor authentication for All users across All cloud apps (not just report-only).
Risk
Without an enforced, tenant-wide MFA mandate, single-factor sign-ins to M365 apps remain possible. Stolen or password-sprayed credentials can then yield access, leading to data exfiltration, unauthorized changes, and outages. Report-only or narrowly scoped policies leave gaps that undermine confidentiality, integrity, and availability.
prowler m365 --checks entra_users_mfa_enabled
Recommendation
Enforce a Conditional Access policy requiring MFA for All users and All cloud apps. Exclude only break-glass accounts, favor phishing-resistant or authenticator-app methods, and do not leave the policy in report-only mode long term. Monitor sign-ins, review coverage regularly, and apply least privilege and zero trust to minimize exceptions.
Remediation
- Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Protection > Conditional Access > Policies > Create new policy
- Users: Include > All users (do not add exclusions)
- Target resources: Resources (cloud apps) > Include > All resources (no exclusions)
- Access controls: Grant > Grant access > check Require multifactor authentication > Select
- Enable policy: On
- Create
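As an added illustration, not Prowler's own check code, the following Python evaluates Conditional Access policy objects in the shape Microsoft Graph's conditionalAccessPolicy resource returns, against the settings the steps above configure: enforced state, All users and All resources with no exclusions, and an MFA grant control. The two sample policies are constructed, and the check on the grant operator goes slightly beyond the page: with operator OR, a second control such as a compliant device could satisfy the grant without MFA.

```python
# Evaluate Microsoft Graph conditionalAccessPolicy objects for an enforced,
# tenant-wide MFA requirement. Field names follow the Graph v1.0 schema.

# Constructed sample policies (only the fields the check needs are present).
REPORT_ONLY = {
    "displayName": "MFA for all - report only",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
}
ENFORCED = {**REPORT_ONLY, "displayName": "Require MFA - all users, all apps", "state": "enabled"}


def mfa_policy_gaps(policy: dict) -> list[str]:
    """Return the reasons this policy does NOT satisfy the check (empty list = satisfies)."""
    gaps = []
    if policy.get("state") != "enabled":            # report-only or disabled enforces nothing
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled'")
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    if "All" not in users.get("includeUsers", []):
        gaps.append("includeUsers is not 'All'")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):                            # any exclusion leaves a single-factor path
            gaps.append(f"{key} is non-empty")
    if "All" not in apps.get("includeApplications", []):
        gaps.append("includeApplications is not 'All'")
    if apps.get("excludeApplications"):
        gaps.append("excludeApplications is non-empty")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # An authentication strength (e.g. phishing-resistant MFA) also mandates MFA.
    requires_mfa = "mfa" in controls or grant.get("authenticationStrength") is not None
    if not requires_mfa:
        gaps.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and [c for c in controls if c != "mfa"]:
        gaps.append("operator OR lets another control satisfy the grant without MFA")
    return gaps


def tenant_has_enforced_mfa(policies: list[dict]) -> bool:
    """True if at least one policy in the tenant fully satisfies the check."""
    return any(not mfa_policy_gaps(p) for p in policies)


if __name__ == "__main__":
    for p in (REPORT_ONLY, ENFORCED):
        print(p["displayName"], "->", mfa_policy_gaps(p) or "PASS")
```

Feeding the output of a Graph `GET /identity/conditionalAccess/policies` call into `tenant_has_enforced_mfa` reproduces the pass/fail decision this check makes, with the specific gap listed for each failing policy.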
Resource Type
NotDefined