Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Environment: Huntress Platform
Summary: MFA Status for ITDR
The MFA Status feature provides a quick overview of which user identities have Multi-Factor Authentication (MFA) enabled in Entra. For Huntress to access usage and insights, and for the status to be accurately reported, each identity must be assigned a Microsoft Entra ID P1 or P2 (Azure AD Premium) license and the Microsoft Authenticator app must be their main authenticator.
The licenses are included in some Microsoft plans or can be purchased separately.
What does each status mean?
- Enabled: Validates some form of MFA is active on the account.
- Disabled: No form of MFA has been detected on the account. This status also appears if a third-party MFA provider is in use. The Microsoft Authenticator app is required for an Enabled status to be displayed.
- Blank: The identity's MFA Status has not yet been received.
- Unknown: The identity may lack the required P1 or P2 license. Identities using only basic MFA methods, such as Security Defaults or Per-User MFA, cannot be reliably ingested by the ITDR platform and will display as Unknown.