Carmine Punella, a Microsoft Certified Professional, is renowned for his C# expertise, contributions to the Windows 8 App Hall of Fame, and extensive experience in designing scalable, reliable cloud-based platforms.
How can you check if a user has MFA enabled and who enabled it?
From the “Columns” dropdown, check “Multifactor auth state” and click “Apply”:
The column “Multifactor auth state” will indicate if the user has MFA enabled, enforced or disabled.
MFA Status Definitions: Enabled vs Enforced vs Disabled
Enabled: the user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
Enforced: the user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Entra ID MFA.
Disabled: this is the default state for a new user that has not been enrolled in MFA.
3. Audit MFA Changes: See Who Enabled or Disabled MFA
If the MFA was enabled through CoreView, you can see the details from in Audit logs.
Here you can apply a filter on the “Action” or “Created on” columns to find the desired output:
If the changes were made through Microsoft 365, then you can find the details from Microsoft 365 Audit log. Please follow the steps below:
Navigate to “Audit > Microsoft 365”
Apply the filter “Enable Strong Authentication” on the “Operation” column.
Change the date range as per your requirement:
This will show details of the users with MFA and who made the changes.
