Non-Human Identities with No MFA Configured

Detects non-human identities (NHIs), such as Service Accounts or Shared Mailboxes, that do not have Multi-Factor Authentication (MFA) enabled on all compatible identity sources.

MFA requires an account owner to provide something they know, like a password or PIN, or something they have, like an out-of-band device or a one-time password provider. Organizations should require all NHIs to configure and utilize MFA when accessing the system to protect these accounts against possible attacks, especially since they often have elevated privileges or access to critical resources.

NHIs will not fail this check if they fall within the grace period of 1 day(s).

You can add known NHI domains and logins to either an ignore or include list.

Recommended Actions

Enforce and enable MFA on non-human identities whenever possible. Appropriately categorize NHIs that intentionally lack MFA configuration for easy detection and consider implementing other solutions, such as expired passwords, to block access to NHIs that cannot have MFA configured.

Shared Mailboxes that are failing this check have interactive sign-in's enabled. We recommend blocking interactive sign-in's for these mailbox accounts to eliminate the need for a second form of authentication to secure them.

Default Check Settings

Grace period for new accounts (days): 1

Compatibility

Microsoft Entra ID, Okta, Duo, Google Workspace, GitHub