This guide explains why your Security Group MFA monitor might not be passing.
Why This Happens
The monitor MFA for security groups checks two things:
- MFA is enabled in your identity provider, and
- MFA is actively enforced for a specific user group
If MFA is enabled at the tenant level but not enforced on the group, the monitor will return as non-compliant.
What You Need to Do
- Sign in to your identity provider
- Go to your MFA or Conditional Access settings
- Check the specific security group associated with this monitor
- Confirm that MFA is explicitly required/enforced for this group
- Enabling MFA globally is not sufficient; it must be applied at the group level
- Note: once MFA enforcement is applied to the group, allow a few minutes for the monitor to refresh.
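To pre-check the group before the monitor refreshes, the two conditions above can be evaluated against an export of your policies. This is an added example, not the monitor's own logic: it assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects, and the group ID, policy names and function names are constructed for illustration.

```python
# Added example. Policy shape is an assumption modelled on Microsoft Graph
# conditionalAccessPolicy objects; the guide does not name an identity provider.

def requires_mfa(policy):
    """True if the policy is enforced (not report-only) and MFA cannot be skipped."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    # With operator OR, another control could satisfy the policy instead of MFA.
    return grant.get("operator", "AND") == "AND" or controls == ["mfa"]

def targets_group(policy, group_id):
    """True only if the group is explicitly included and not excluded."""
    users = policy.get("conditions", {}).get("users", {})
    return (group_id in users.get("includeGroups", [])
            and group_id not in users.get("excludeGroups", []))

def check_group_mfa(policies, group_id):
    """Evaluate both conditions the guide describes for one security group."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    enforcing = [p["displayName"] for p in mfa_policies if targets_group(p, group_id)]
    return {
        "mfa_enabled": bool(mfa_policies),   # MFA exists somewhere in the tenant
        "group_enforced": bool(enforcing),   # MFA applied to this specific group
        "compliant": bool(enforcing),
        "policies": enforcing,
    }

GROUP = "00000000-0000-0000-0000-0000000000aa"  # constructed group ID

SAMPLE_POLICIES = [  # constructed sample data
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - finance group (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": [GROUP]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    # Tenant-wide MFA plus a report-only group policy: enabled, but not enforced.
    print(check_group_mfa(SAMPLE_POLICIES, GROUP))
```

With the sample data, MFA is enabled in the tenant but the only policy naming the group is report-only, so the group is reported as not compliant.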