This guide explains why your monitor may show users as non-compliant with MFA even though MFA looks enabled in Azure.
🔍 Why This Happens
The monitor Identity Provider | Users Configuration of MFA verifies if MFA is actively enforced and used by users—not just whether it appears enabled in admin settings.
In Azure AD, a user's per-user MFA status is one of three states:
- Disabled – MFA is off
- Enabled – MFA is available, but the user has not yet set it up
- Enforced – MFA is registered and required during login
Even if an admin marks MFA as enabled, it doesn’t mean users have completed the setup or are being prompted for MFA at login.
Microsoft has also deprecated Azure AD Graph, so the legacy view it backed is no longer reliable for compliance checks.
Scytale uses Microsoft Graph to verify actual usage, confirming that the user must provide MFA (e.g., SMS, phone, email) to access the account.
✅ What You Need to Do
- Open Azure AD and go to your per-user MFA status view
- Check that users are in the Enforced state, not just Enabled
- Have users complete the MFA registration process
- Ensure that login actually requires MFA (e.g., modern auth prompts, Conditional Access policies)
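To make the registration checks above repeatable, here is an added PowerShell example (not from Scytale's guide or tooling) that pulls the Microsoft Graph authentication-method registration report and lists users who are not MFA-registered or MFA-capable. It assumes the Microsoft.Graph.Reports module is installed and the signed-in account can consent to the listed scopes; the report reflects actual registration, not the legacy per-user Enforced flag, so enforcement via Conditional Access still needs its own check.

```powershell
# Added example, not Scytale's code. Lists users who would fail an
# "MFA actually registered and usable" check via Microsoft Graph.
# Assumes: Microsoft.Graph.Reports module installed; the account used can
# consent to AuditLog.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One row per user. IsMfaRegistered / IsMfaCapable reflect what the user has
# really registered, not the admin-side "Enabled" setting.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$gaps = foreach ($u in $details) {
    # Users who are registered AND capable are fine; keep everyone else.
    if ($u.IsMfaRegistered -and $u.IsMfaCapable) { continue }
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Registered = $u.IsMfaRegistered
        Capable    = $u.IsMfaCapable
        Methods    = ($u.MethodsRegistered -join ",")   # e.g. microsoftAuthenticatorPush
        Default    = $u.DefaultMfaMethod
    }
}

"$($gaps.Count) of $($details.Count) users are not MFA-registered or MFA-capable"
$gaps | Sort-Object User | Format-Table -AutoSize

# Constructed output path; adjust as needed. Useful as evidence for the
# monitor or as a remediation list to send to the affected users.
$gaps | Export-Csv -Path .\mfa-registration-gaps.csv -NoTypeInformation
```

A user appearing in the gap list still needs to complete registration even if an admin has set them to Enabled; an empty list confirms registration only, so also verify that a Conditional Access policy or security defaults require MFA at sign-in.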