Microsoft Entra uses various terms to display the multi-factor authentication (MFA) status for each user. These user status indicators are shown in the Entra ID portal and are turned off by default.
There are three different MFA states:
- Enabled: the user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
- Enforced: the user has been enrolled and has completed the MFA registration process. Users transition from the “Enabled” to “Enforced” state automatically once they register for Entra ID MFA.
- Disabled: this is the default state for a new user who has not been enrolled in MFA.
Please note, in the context of enforced MFA user status, certain older non-browser applications, such as Office 2010 or earlier versions, may not support modern authentication protocols. To facilitate MFA for user accounts within these applications, while Entra ID multi-factor authentication remains active, app passwords can serve as an alternative to the user's regular credentials.
To check whether per-user MFA has been enabled through CoreView, refer to the “How to check the MFA status of a user” article.
Confusion scenario
Sometimes, you might see a situation where “Enabled” and “Enforced” states seem to act the same. This means the user has MFA turned on and can use it, but their state still shows as “Enabled” instead of “Enforced”.
Explanation
This can happen if you turn off MFA for users after they've finished the registration process, and then turn MFA back on. The registered authentication method is still there, but the user didn't go through the MFA registration process again.
To change the user status to “Enforced”, you have two options:
- An admin can forcefully change the status to “Enforced” from the portal.
- You can ask the user to register their authentication methods again from the portal.