What is Vanta looking for?
- Vanta checks that MFA is enabled for Office365 users via the "isMfaRegistered" field returned by the credentialUserRegistrationDetails endpoint of the Microsoft Graph API (beta): https://docs.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
How can I test this?
- Microsoft Graph Explorer can show what this endpoint returns for your users. To test this, log in to Graph Explorer here and query the following endpoint: https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails
You will find the user details in the response data preview:
- If the "isMfaRegistered" field returns false, Vanta will show that the user does not have MFA enabled for their account. Ensure that the user has MFA turned on and that a method is registered for their account.
Potential Issues
- Something that could cause "isMfaRegistered" to return false is if "Legacy MFA" is being used.
You can check and change this setting in the Microsoft 365 admin center (you must be a Global admin to manage MFA):
- In the Microsoft 365 admin center, in the left navigation choose Users > Active users.
- On the Active users page, choose Multi-factor authentication.
- On the multi-factor authentication page, if a user's Multi-Factor auth status shows Enabled, that user is on legacy MFA and it needs to be disabled.
- To disable the legacy MFA, you need to select each user and set their Multi-Factor auth status to Disabled.
- If you use legacy MFA for users, these records cannot be retrieved via the Graph API. If you want to enable MFA for such a user, go to the link below and add a new method: https://mysignins.microsoft.com/security-info
- Once these settings are modified, the Graph API should return the correct MFA status for these users.
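To reproduce the check described above outside of Graph Explorer, the following added example (not Vanta's or Microsoft's code) walks the credentialUserRegistrationDetails report page by page and lists every user whose "isMfaRegistered" is not true, which is exactly the set Vanta would flag, including legacy-MFA users whose registration is invisible to the Graph API. The fetch function is injectable, so it runs here against a constructed two-page sample; the user names are invented, the field names are the report's real ones.

```python
"""Audit Office365 MFA registration via the Graph credentialUserRegistrationDetails
report: list users whose isMfaRegistered is not true. Added example, not Vanta code."""
import json
from typing import Callable, Iterable, Iterator, List

REPORT_URL = "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails"


def iter_registration_details(fetch_json: Callable[[str], dict],
                              url: str = REPORT_URL) -> Iterator[dict]:
    """Yield every record in the report, following @odata.nextLink pagination.

    fetch_json(url) must return the parsed JSON body of an authenticated GET;
    against the live API it would attach the Graph bearer token for the tenant."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page -> loop ends


def users_without_mfa(records: Iterable[dict]) -> List[str]:
    """Return UPNs Vanta would flag: isMfaRegistered missing or not exactly true."""
    return sorted(r["userPrincipalName"] for r in records
                  if r.get("isMfaRegistered") is not True)


# Constructed sample: two pages shaped like the beta endpoint's response.
_SAMPLE_PAGES = {
    REPORT_URL: {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
             "authMethods": ["mobilePhone", "appNotification"]},
            {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False,
             "authMethods": []},  # e.g. legacy per-user MFA: not visible to Graph
        ],
        "@odata.nextLink": REPORT_URL + "?$skiptoken=page2",
    },
    REPORT_URL + "?$skiptoken=page2": {
        "value": [{"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True}]
    },
}


def audit_sample() -> List[str]:
    """Run the audit offline against the constructed sample pages."""
    return users_without_mfa(iter_registration_details(_SAMPLE_PAGES.__getitem__))


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))  # -> ["bob@contoso.example"]
```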