How to check the MFA status of a user

  • Last update on August 29th, 2025

Table of Contents

How do I check if a user has MFA enabled and who enabled it?

In this article, we will explain how to verify:

  • If MFA was enabled using the Entra portal
  • If MFA was enabled using the CoreView app
  • Who updated the MFA for a user through Entra
  • Who updated the MFA for a user through CoreView

Investigating where MFA was enabled

Checking if user MFA was enabled using the Entra portal

  1. Sign in to Microsoft Entra as a Global administrator.
  2. From the side panel menu, select Users > All users.
  3. In the top bar menu, select the “Per-user MFA” report.
MS-user-MFA
  1. A new page will open. Here, you will be able to see the MFA status for each user.
MS-peruser-mfa

To learn more about user MFA, please refer to Microsoft documentation.

Checking if MFA was enabled using the CoreView app

  1. In CoreView, navigate to “REPORTS > Active users”.
CoreView Active Users
  1. From the “Columns” dropdown, check “Multifactor auth state” and click “Apply”:
CoreView user MFA
  • The column “Multifactor auth state” indicates if the user has MFA enabled, enforced or disabled:
    • Enabled: the user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
    • Enforced: the user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Entra ID MFA.
    • Disabled: this is the default state for a new user that has not been enrolled in MFA.

Finding out who made changes

If MFA was enabled on the Entra portal

If the changes were made through Microsoft 365, then you can find the details in the Microsoft 365 Audit log.

  1. Navigate to “Audit > Microsoft 365”.
CoreView MS Audit
  1. Apply the filter “Enable Strong Authentication” on the “Operation” column.
MS Audit
  1. Change the date range as per your requirement.
CoreView Audit Date Range
  1. This will show details of the users with MFA and who made the changes.

Key columns:

  • User ID: user who performed the action
  • Object ID: user on whom the action was performed

If MFA was enabled on CoreView

  1. If MFA was enabled through CoreView, you can see the details in the Audit logs.
CoreView Audit Logs
  1. Here you can apply a filter on the “Action” or “Created on” columns to find the desired output.
CoreView Audit MFA

Related Articles

DID THIS PAGE HELP YOU?