
How to Find MFA-Configured Conditional Access Policies in Microsoft 365

In modern workspaces, MFA requirement through Conditional Access plays a key role in protecting Microsoft identities and resources. But misconfigured policies can unintentionally block user access or expose vulnerabilities that attackers can exploit. This guide shows how to find MFA-configured Conditional Access policies for effective troubleshooting and precise compliance management.

Identify MFA-Enabled CA Policies Using Entra Admin Center

Microsoft 365 Permission Required
  • Least Privilege: Security Reader
  • Most Privilege: Global Administrator
  • Sign in to the Microsoft Entra admin center.
  • Navigate to the Conditional Access section under the Entra ID drop-down.
  • On the Conditional Access page, switch to the Policies tab and click Add filter.
  • Select the Grant Control filter, tick the Require multifactor authentication checkbox, and apply the filter.
  • This lists the Conditional Access policies that require MFA, with details such as policy name, created by, state, creation date, and modified date.

Get MFA-Configured CA Policies Using PowerShell

Microsoft 365 Permission Required
  • Least Privilege: Policy.Read.All
  • Most Privilege: Directory.ReadWrite.All
  • Connect to the Microsoft Graph PowerShell module with the required permissions using the cmdlet below.
     Connect-MgGraph -Scopes "Policy.Read.All"
  • Run the following cmdlet to find the Conditional Access policies that require multifactor authentication in Microsoft 365.
     Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
        Select-Object `
            CreatedDateTime,
            Id,
            DisplayName,
            State,
            @{Name = "GrantControls"; Expression = { ($_.GrantControls.BuiltInControls -join ",").ToUpper() }},
            TemplateId |
        Format-Table -AutoSize
The MFA-configured Conditional Access policies report provides details such as created date and time, policy ID, display name, state, grant controls, and template ID.
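As an added example that is not part of the article, the function below applies the same grant-control check to policy objects shaped like the Graph conditionalAccessPolicy resource, and also counts policies that grant on an authentication strength, which enforce MFA without ever listing "mfa" in BuiltInControls. The function name, the sample policies and the break-glass object ID are constructed here so the block runs offline; the commented line at the end feeds in live policies.

```powershell
# Added example (not the article's script): classify Conditional Access policies by
# whether they enforce MFA, from objects shaped like the Graph conditionalAccessPolicy
# resource. The sample policies below are constructed; the live call needs Policy.Read.All.
function Get-MfaEnforcingPolicy {
    param([Parameter(Mandatory)][object[]]$Policy)

    foreach ($p in $Policy) {
        $controls    = @($p.GrantControls.BuiltInControls)
        $strength    = $p.GrantControls.AuthenticationStrength
        $viaBuiltIn  = $controls -contains 'mfa'
        # A policy that grants on an authentication strength (e.g. phishing-resistant MFA)
        # enforces MFA without "mfa" in BuiltInControls, so the one-liner above misses it.
        $viaStrength = ($null -ne $strength) -and -not [string]::IsNullOrEmpty($strength.DisplayName)
        if (-not ($viaBuiltIn -or $viaStrength)) { continue }

        if ($viaBuiltIn) { $source = 'BuiltInControl:mfa' }
        else             { $source = "AuthenticationStrength:$($strength.DisplayName)" }

        [pscustomobject]@{
            DisplayName       = $p.DisplayName
            State             = $p.State      # enabled | disabled | enabledForReportingButNotEnforced
            Enforced          = ($p.State -eq 'enabled')
            Source            = $source
            TargetsAllUsers   = (@($p.Conditions.Users.IncludeUsers) -contains 'All')
            # Zero exclusions on an all-users MFA policy is the lockout risk the portal warns about
            ExcludedUserCount = @($p.Conditions.Users.ExcludeUsers).Count
        }
    }
}

# Constructed sample policies; names and the object ID are placeholders, not from a tenant.
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'; State = 'enabled'
        GrantControls = @{ BuiltInControls = @('mfa'); AuthenticationStrength = $null }
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = @('<break-glass-object-id>') } }
    },
    [pscustomobject]@{
        DisplayName   = 'Phishing-resistant MFA for admins'; State = 'enabledForReportingButNotEnforced'
        GrantControls = @{ BuiltInControls = @(); AuthenticationStrength = @{ DisplayName = 'Phishing-resistant MFA' } }
        Conditions    = @{ Users = @{ IncludeUsers = @(); ExcludeUsers = @() } }
    },
    [pscustomobject]@{
        DisplayName   = 'Block legacy authentication'; State = 'enabled'
        GrantControls = @{ BuiltInControls = @('block'); AuthenticationStrength = $null }
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() } }
    }
)
Get-MfaEnforcingPolicy -Policy $samplePolicies | Format-Table -AutoSize

# Live equivalent after Connect-MgGraph -Scopes "Policy.Read.All":
# Get-MfaEnforcingPolicy -Policy (Get-MgIdentityConditionalAccessPolicy -All)
```

The first two sample policies are reported (one via the built-in control, one via an authentication strength, still in report-only mode) and the block policy is skipped.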

Gain Deeper Visibility into MFA-Based Conditional Access Policies with Unified Reporting

AdminDroid’s Entra ID Analytics tool offers powerful insights into CA policy assignments and configurations, along with visibility into risky sign-ins, device usage patterns, and access trends across your Microsoft 365 environment. With these insights, admins can find the right balance between security and accessibility to safeguard identities as well as resources.

Track MFA Adoption Trends with Overview Dashboard

Monitor the MFA overview dashboard to find registered methods, analyze usage trends for privileged roles, and verify accurate MFA enforcement through Conditional Access policies.

Get Notified on Conditional Access Failed Sign-ins in Microsoft 365

Leverage the default alert policy template to report unusual volume of sign-ins blocked by Conditional Access and monitor the risky sign-ins.

Export Conditional Access Policies in Microsoft 365

View the Conditional Access policies report to track all active & report-only policies and verify applied conditions to ensure secured access control in your M365 organization.

Audit Included and Excluded Conditions for MFA-Based Conditional Access Policies

Check the detailed assignments for MFA-enabled CA policies report to identify condition-wise targeting of users, roles, locations, etc., to ensure risk mitigation.

Find User Sign-ins Enforced with MFA Using Conditional Access Policies

Identify sign-ins configured through CA policies to track users challenged for MFA based on policy enforcement and validate secure sign-in flows.

Notify Admins About Pending MFA Enrollments Using the Pre-built Reminder Agent

Use built-in Pending MFA Activation Reminder agent to notify admins on users who haven’t enrolled for MFA to enable effective Conditional Access enforcement.

Overall, AdminDroid empowers admins with advanced capabilities to proactively monitor MFA-configured Conditional Access policies and analyze their assignments effectively. The actionable insights on sign-in prompts, enforcement sources, authentication methods, etc., enable precise tracking and strategic oversight of Microsoft 365 security policies.


Important tips

Use the Conditional Access insights and reporting workbook to evaluate MFA and Conditional Access behavior for users and fine-tune the policy impact on sign-ins.

Configure the remember multifactor authentication setting in Microsoft 365 to reduce repeated prompts on trusted devices for secure and seamless access.

Set up break glass accounts in Entra admin center with phishing-resistant MFA methods to ensure reliable admin access during lockouts.

Common Errors and Resolution Steps

Here are the possible errors and troubleshooting fixes while handling MFA-configured Conditional Access policies.

Error Get-MgIdentityConditionalAccessPolicy : Your account does not have access to this report or data. Status: 403 (Forbidden)

This error occurs when the Get-MgIdentityConditionalAccessPolicy cmdlet is executed with a user account that lacks a role with the necessary privileges.

Fix Connect to Microsoft Graph PowerShell with an account holding one of these roles: Security Reader, Company Administrator, Security Administrator, Conditional Access Administrator, Global Reader, Devices Administrator, or Entra Network Access Administrator.

Error Get-MgIdentityConditionalAccessPolicy : Authentication needed. Please call Connect-MgGraph.

This error occurs when the connection between Microsoft Graph and the PowerShell session has not been established before executing the cmdlet.

Fix Connect to the Microsoft Graph PowerShell module with the required permissions as shown below.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

Error Get-MgIdentityConditionalAccessPolicy : The term 'Get-MgIdentityConditionalAccessPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the required modules are not properly installed or updated in PowerShell.

Fix Update or reinstall the Microsoft.Graph.Identity.SignIns submodule to ensure the cmdlet is available in PowerShell.
# To update the Microsoft Graph Identity SignIns submodule.
Update-Module Microsoft.Graph.Identity.SignIns -Force

# To reinstall the submodule.
Uninstall-Module Microsoft.Graph.Identity.SignIns -Force
Install-Module Microsoft.Graph.Identity.SignIns

Error Don't lock yourself out! This policy will affect all of your users. We recommend applying a policy to a small set of users first to verify it behaves as expected.

This error occurs when you try to create a Conditional Access policy with the All Users condition.

Fix Exclude break glass accounts before creating the Conditional Access policy to resolve this issue.

Error Get-MgIdentityConditionalAccessPolicy_List : Could not load type 'Microsoft.Graph.Authentication.AzureIdentityAccessTokenProvider' from assembly 'Microsoft.Graph.Core'.

This error pops up when Get-MgIdentityConditionalAccessPolicy is run in PowerShell 7 or later.

Fix Run the cmdlet using Windows PowerShell (5.1), which offers better compatibility with Microsoft Graph’s authentication module than PowerShell 7+.

Frequently Asked Questions

Manage MFA Enforcements in Microsoft 365 with Conditional Access

1. How to get per-user MFA status for all users in Microsoft 365?

Per-user MFA is a legacy configuration that lacks the flexibility required in today’s dynamic environments. As organizations scale, an evaluation of existing per-user MFA settings helps identify authentication gaps and supports a secure transition to Conditional Access based MFA.

Get per-user MFA status in Microsoft Entra admin center

  • Navigate to Users in Entra admin center and click Per-user MFA on menu tab.
  • On per-user MFA page, select Enforced/Enabled value under Status filter and click apply to list the users with MFA in your Microsoft 365.

Viewing per-user MFA status in the Entra admin center requires repetitive navigation and lacks efficient filtering or bulk export, which makes it impractical for larger environments.

So, we have prepared a PowerShell script that lists and exports the per-user MFA status of users in your Microsoft 365 environment.

  • Download and run the following script in an elevated (Administrator) PowerShell session to export users with their per-user MFA status.
  • The exported CSV file contains details such as per-user MFA status, license status, sign-in status, registered authentication methods, and additional details.

2. How to convert per-user MFA to Conditional Access MFA in Microsoft 365?

Conditional Access MFA is the modern standard in Microsoft 365, dynamically challenging the users and offering precision. Adaptive Conditional Access policies apply MFA intelligently to provide consistent security through policy-driven enforcement across all users and scenarios.

Switching from per-user MFA to Conditional Access MFA is a two-step process that moves users quickly onto the stronger approach: create the Conditional Access policy, then turn off per-user MFA.

1. Create Conditional Access policies with MFA controls in Microsoft 365

  • Sign in to the Microsoft Entra admin center and navigate to the Conditional Access option under the Entra ID drop-down.
  • Click on + Create new policy and provide a suitable name for your policy.
  • In the Assignments section, select Users. Under Include category, choose All Users.
  • Then under Exclude section, select Users and groups to exclude break glass accounts.
  • Select the Target resources and choose Resources (formerly cloud apps) in the drop-down. Now, configure Include and Exclude options as required for the organization.
  • Under Access Controls, select Grant. In the flyout pane, select Grant access and choose Require multi-factor authentication.
  • Now, set the policy to ‘Report-only’ mode and test its impact before proceeding to enable the policy.

This approach not only strengthens compliance but also validates the user experience through targeted enforcement.

Note: To create or modify Conditional Access policies, you need at least the Conditional Access Administrator role.

2. Switch from Per-User MFA to Conditional Access MFA

Once Conditional Access MFA is tested and evaluated, turn off per-user MFA to eliminate legacy conflicts and enable Conditional Access authentication through policy-based controls.

3. How to find user sign-ins blocked by MFA based Conditional Access policies?

Microsoft 365 Conditional Access with MFA blocks users during sign-in when MFA requirements aren’t met. Without visibility into these failures, it becomes difficult to distinguish between misconfigurations and genuine security enforcement. Identify the Conditional Access policy sign-in impacts and fine-tune policy behaviours to reduce user access issues.

Follow the steps below to identify sign-ins blocked by MFA-based Conditional Access policies in Microsoft 365.

  • Navigate to Sign-in logs under Monitoring on the Conditional Access page.
  • Apply the Conditional Access filter and select the Failure condition.
  • Next, apply the Authentication requirement filter with the Multifactor authentication condition. Use the Date filter to list the sign-in logs for your custom interval.
  • Now open the logs to view detailed insights into the failed sign-ins blocked by the Conditional Access policy with MFA.

These sign-in logs display events of user access being blocked by Conditional Access due to MFA failure, with details such as date, id, user, app, status, error code, etc.

Failed sign-ins occur due to legacy authentication attempts, incomplete or unsatisfied MFA prompts, missing registered authentication methods, etc. Always ensure valid MFA methods are in place, requests are completed, and policies allow legitimate access by testing in Report-only mode.
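As an added example that is not part of the article, the function below picks out the same events the portal filter shows (a Conditional Access policy with an MFA grant control that evaluated to failure) from objects shaped like the Graph signIn resource, and flags legacy clients that can never satisfy an MFA prompt. The function name, the sample events, the user names and the error codes are constructed so the block runs offline; the commented line at the end reads live logs.

```powershell
# Added example (not the article's script): find sign-ins that a Conditional Access
# policy failed on an MFA grant control, from objects shaped like the Graph signIn
# resource (AppliedConditionalAccessPolicies with Result and EnforcedGrantControls).
function Get-MfaBlockedSignIn {
    param([Parameter(Mandatory)][object[]]$SignIn)

    foreach ($s in $SignIn) {
        # Keep only policies that really failed (report-only failures do not block)
        # and whose grant control included MFA.
        $failed = @($s.AppliedConditionalAccessPolicies | Where-Object {
            $_.Result -eq 'failure' -and (@($_.EnforcedGrantControls) -contains 'Mfa')
        })
        if ($failed.Count -eq 0) { continue }

        [pscustomobject]@{
            CreatedDateTime = $s.CreatedDateTime
            User            = $s.UserPrincipalName
            App             = $s.AppDisplayName
            ErrorCode       = $s.Status.ErrorCode
            FailureReason   = $s.Status.FailureReason
            Policies        = (($failed | ForEach-Object { $_.DisplayName }) -join '; ')
            # Legacy protocols (IMAP, POP, SMTP, ActiveSync, ...) cannot answer an MFA challenge
            # at all, which separates "needs a block policy" from "user needs help".
            LegacyClient    = ($s.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients'))
        }
    }
}

# Constructed sample events; users, timestamps and codes are illustrative only.
$sampleSignIns = @(
    [pscustomobject]@{
        CreatedDateTime = '2024-05-01T08:12:00Z'; UserPrincipalName = 'alice@contoso.example'
        AppDisplayName  = 'Office 365 Exchange Online'; ClientAppUsed = 'Browser'
        Status = @{ ErrorCode = 50076; FailureReason = 'User must use multi-factor authentication (constructed)' }
        AppliedConditionalAccessPolicies = @(
            @{ DisplayName = 'Require MFA for all users'; Result = 'failure'; EnforcedGrantControls = @('Mfa') }
        )
    },
    [pscustomobject]@{
        CreatedDateTime = '2024-05-01T08:15:00Z'; UserPrincipalName = 'svc-scanner@contoso.example'
        AppDisplayName  = 'Office 365 Exchange Online'; ClientAppUsed = 'IMAP'
        Status = @{ ErrorCode = 53003; FailureReason = 'Blocked by Conditional Access (constructed)' }
        AppliedConditionalAccessPolicies = @(
            @{ DisplayName = 'Require MFA for all users'; Result = 'failure'; EnforcedGrantControls = @('Mfa') }
        )
    },
    [pscustomobject]@{
        CreatedDateTime = '2024-05-01T08:20:00Z'; UserPrincipalName = 'bob@contoso.example'
        AppDisplayName  = 'Microsoft Teams'; ClientAppUsed = 'Browser'
        Status = @{ ErrorCode = 0; FailureReason = 'Other.' }
        AppliedConditionalAccessPolicies = @(
            @{ DisplayName = 'Require MFA for all users'; Result = 'success'; EnforcedGrantControls = @('Mfa') },
            @{ DisplayName = 'Pilot: MFA for guests'; Result = 'reportOnlyFailure'; EnforcedGrantControls = @('Mfa') }
        )
    }
)
Get-MfaBlockedSignIn -SignIn $sampleSignIns | Format-Table -AutoSize

# Live equivalent after Connect-MgGraph -Scopes "AuditLog.Read.All" (the server-side filter on
# conditionalAccessStatus is assumed; drop -Filter and let the function filter if it is rejected):
# Get-MfaBlockedSignIn -SignIn (Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'failure'" -All)
```

Only the first two constructed events are returned; the IMAP one is flagged as a legacy client, and bob's report-only failure is correctly ignored because it did not block him.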

4. How to enforce multifactor authentication for guest users in Microsoft 365?

External B2B users without strong access controls can introduce security gaps in Microsoft 365. If MFA isn’t enabled, attackers can impersonate guest users and access the workspaces. Enabling MFA through Conditional Access helps ensure only verified external users gain access based on authentication requirements.

Enforce MFA for Microsoft 365 guest users with Conditional Access

  • Log in to the Microsoft Entra admin center and navigate to the Conditional Access section under the Entra ID drop-down.
  • Go to the Policies tab, click on + New policy and provide a Name for your guest user MFA policy.
  • In the Assignments section, select Users. Under the Include category, choose Select users and groups and choose Guest or external users.
  • Then under Exclude section, select Users and groups to exclude break glass accounts.
  • Select the Resources that you want to allow your B2B users to access and collaborate.
  • Under Access Controls, select Grant. Then in the flyout pane, select Grant access and choose Require multi-factor authentication.
  • Now, set the policy to ‘Report-only’ mode and test its impact before proceeding to enable the policy.

This enhances collaboration while aligning with Zero Trust model and reducing potential threats.

5. How to change the default authentication method for Microsoft 365 users?

Some users continue to use legacy MFA methods, such as SMS and voice calls. While these are supported, they are considered less secure and vulnerable to attacks. This weakens the security posture and undermines strong Conditional Access enforcement. By configuring the default MFA method, admins can ensure consistent and secure authentication across all users.

Set default MFA method for specific user in Entra admin center

  • Go to the Users page in the Microsoft Entra admin center, select the user, and switch to the Authentication methods tab.
  • Now, click the Edit (pencil icon) option under Default sign-in method (Preview) and select the preferred sign-in method for the user.

In Microsoft 365, changing the default MFA method in the admin center is limited to one user at a time, making it highly inefficient for large environments. Using PowerShell, admins can update the default MFA method for all users to the preferred authentication method in a single execution.

Configure default MFA method for all Microsoft 365 users using PowerShell

  • Connect to the Microsoft Graph PowerShell module with the required permissions.
    Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"
  • Run the PowerShell script below after specifying the preferred MFA method in <AuthenticationMethod>, such as 'push', 'oath', 'voiceMobile' and others.

    The authentication methods that are more secure and compatible with modern policies are Microsoft Authenticator, OATH tokens, passkeys (trusted devices), FIDO2 keys, etc.
    # Preferred secondary authentication method (Graph values include push, oath, voiceMobile, sms)
    $preferredMethod = "<AuthenticationMethod>"
    # User.Read.All is needed for Get-MgUser; the signInPreferences endpoint is in the beta API
    $allUsers = Get-MgUser -All
    $bodyJson = @{ userPreferredMethodForSecondaryAuthentication = $preferredMethod } | ConvertTo-Json
    $allUsers | ForEach-Object {
        $user = $_
        $uri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/signInPreferences"
        try {
            Invoke-MgGraphRequest -Uri $uri -Body $bodyJson -Method Patch -ErrorAction Stop
            Write-Host "Updated: $($user.UserPrincipalName)"
        } catch {
            # Typically the user has not registered an MFA method yet (see the note below)
            Write-Warning "Failed: $($user.UserPrincipalName) - $($_.Exception.Message)"
        }
    }
  • This script sets the default MFA method (such as push or OATH TOTP) for users who have registered for secondary authentication in your Microsoft 365 organization.
  • It helps enforce a consistent sign-in experience aligned with Conditional Access policies, reducing approval friction and improving policy-based access.

Note: If the default authentication method fails to update for a user, that user has not yet enrolled for multifactor authentication.

6. How to enable additional contexts for MFA prompts in Microsoft Entra admin center?

When Conditional Access policies are enforced with MFA grant controls, generic notifications can expose users to fatigue and phishing attacks. Enhancing MFA prompts with additional context, such as application name and geographic location, helps users to make more informed decisions before approving sign-in requests.

Enable additional contexts for MFA prompted sign-ins in Microsoft 365

  • Navigate to the Authentication methods page under Entra ID in the Microsoft Entra admin center.
  • Under Authentication method policies, select the Microsoft Authenticator and switch to the Configure tab.
  • Microsoft enables the Require number matching option for push notifications by default.
  • Now, set the Enabled status for the required additional contexts and select the target users to apply. Click Save to store your MFA policy configuration changes.

These additions enhance MFA Conditional Access by reducing accidental approvals and improving end-user security awareness.
