Detects users with no Multi-Factor Authentication (MFA) enabled. MFA requires users to provide something you know, like a password or PIN, or something you have, like an out-of-band device or a one-time password provider. All users should be using MFA to gain access to the system.

Users will not fail this check if they fall within the grace period of 14 days.

Recommended Actions

Some system accounts may not have MFA. We recommend categorizing those for easy detection. Consider using solutions like expired passwords to block access to these accounts.

Default Check Settings:

Grace period for new accounts (days): 14

Compatibility

Microsoft Entra ID

Okta

Google Workspace

Duo

GitHub