I'm currently working on improving the Multi-Factor Authentication (MFA) setup in our Microsoft 365 and Entra ID environment. I'm in the process of exporting user data to identify licensed, active users who haven't enabled MFA yet. My next steps involve enforcing MFA through Conditional Access policies while making sure to exclude certain break-glass and service accounts. I'm reaching out to see how others manage this in their organizations.
Here are a few specific things I'm curious about:
- Do you conduct regular MFA audits? If yes, how often, and what tools or reports do you use?
- Are you enforcing MFA for all licensed users via Conditional Access, or do you still rely on per-user MFA?
- How do you handle exceptions and keep stale or disabled accounts from cluttering your reports?
Any insights on your processes or examples of your reporting methods would be greatly appreciated!
5 Answers
You can actually audit MFA usage directly through Entra ID. Go to Authentication Methods, where there's a reporting tool that shows registered MFA methods for users. You can export these results to see how each user is configured. After pinpointing users who need actions, create a Conditional Access policy that requires your chosen MFA settings. Start it in report-only mode to analyze behavior for about a week before fully implementing it.
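The audit this answer describes, done from the shell rather than the portal, as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) and an account that can consent to the listed scopes; the 90-day staleness window, the output path and the column names are assumptions, and the `SignInActivity` property needs an Entra ID P1/P2 license.

```powershell
# Added example, not from the original thread. Assumes the Microsoft Graph PowerShell SDK
# and an account allowed to consent to the scopes below. Reading signInActivity requires
# Entra ID P1/P2; drop that property (and the Stale column) if the tenant lacks it.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

$staleAfterDays = 90                      # assumption: no interactive sign-in for 90 days counts as stale
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# 1. Candidate population: enabled member accounts holding at least one license.
#    Filtering client-side because signInActivity cannot be combined with other $filter terms.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses,UserType,SignInActivity |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' -and $_.AssignedLicenses.Count -gt 0 }

# 2. Registration state from the Authentication Methods report (the same data the portal's
#    "User registration details" view shows), keyed by object id for the join below.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $reg[$_.Id] = $_ }

# 3. Join and classify. IsMfaCapable is the field Conditional Access cares about: a user can
#    have a method registered (IsMfaRegistered) that is only usable for SSPR and still be blocked.
$report = foreach ($u in $users) {
    $r    = $reg[$u.Id]
    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        IsAdmin           = [bool]$r.IsAdmin
        MfaRegistered     = [bool]$r.IsMfaRegistered
        MfaCapable        = [bool]$r.IsMfaCapable
        DefaultMethod     = $r.DefaultMfaMethod
        Methods           = ($r.MethodsRegistered -join ';')
        LastSignIn        = $last
        Stale             = ($null -eq $last -or $last -lt $cutoff)
    }
}

# 4. Export the full picture, then print the actionable slice: active, licensed users who
#    would be blocked the moment an MFA policy moves from report-only to On.
$report | Export-Csv -Path .\mfa-audit.csv -NoTypeInformation
$needAction = @($report | Where-Object { -not $_.MfaCapable -and -not $_.Stale })
$adminGap   = @($needAction | Where-Object IsAdmin)
'{0} licensed active users are not MFA-capable ({1} of them hold admin roles)' -f $needAction.Count, $adminGap.Count
$needAction | Sort-Object IsAdmin -Descending | Format-Table UserPrincipalName,IsAdmin,Methods,LastSignIn
```

Run it again after the report-only week and diff the two CSVs: the rows that leave `needAction` are users who registered in response to the campaign, and the ones that remain are the list to chase before enforcement.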
Using Conditional Access policies is definitely the best route. You can introduce it gradually by applying different conditions. For example, requiring phishing-resistant MFA for admins or only for those accessing your systems remotely. It’s also crucial to communicate these changes clearly to users so they understand and support the transition, especially when it impacts a lot of people.
I wouldn’t recommend excluding break-glass accounts unless absolutely necessary, and you shouldn't need to exclude legacy apps either. You might want to create a service principal with a narrower scope if you have that situation. Honestly, starting with a blanket policy that requires MFA for all users is the best way to establish a solid security baseline. Once you have that, you won't need to worry too much about reports because every account will meet the requirements.
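The two policies the previous two answers describe, the blanket require-MFA baseline for all users and the stricter phishing-resistant requirement scoped to admin roles, both created in report-only mode, as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK and the listed scopes; the break-glass UPNs, the role list and the policy names are placeholders, and the break-glass exclusion is a parameter you can empty if you agree with this answer's advice not to exclude them.

```powershell
# Added example, not from the original thread. Assumes the Microsoft Graph PowerShell SDK and an
# account with the scopes below. Break-glass UPNs, role names and policy names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Directory.Read.All','User.Read.All' -NoWelcome

# Assumption: two emergency-access accounts to carve out. Leave the array empty to exclude nobody.
$breakGlassUpns = @('bg-admin-1@contoso.example', 'bg-admin-2@contoso.example')
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })

# Policy 1: baseline. Every user, every cloud app, any registered MFA method.
# Starts as report-only; change state to 'enabled' once the report-only sign-in logs look clean.
$baseline = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline

# Policy 2: a higher bar for privileged directory roles. The built-in 'Phishing-resistant MFA'
# authentication strength accepts only FIDO2 security keys, Windows Hello for Business and
# certificate-based authentication, so admins who only have Authenticator push registered will be
# blocked the day this is enforced. Look the strength and role template ids up instead of hardcoding them.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
$roleNames = @('Global Administrator', 'Privileged Role Administrator',
               'Security Administrator', 'Exchange Administrator')   # assumption: roles in scope
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)

$adminPolicy = @{
    displayName   = 'CA002 - Phishing-resistant MFA for admin roles'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Sanity check: list what was created and confirm neither policy is already enforced.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like 'CA00*' |
    Format-Table DisplayName, State
```

Policy 2 is the "different conditions" rollout in practice: the admin population is small enough to migrate to FIDO2 or Windows Hello for Business first, so it can be enforced well before the baseline, and the exclusion of the break-glass accounts is the one place both policies should agree so that an enforcement mistake in either one never locks the tenant out.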
Microsoft provides a range of conditional access policy templates tailored to different needs. Make sure to utilize these to streamline your process. Also, per-user MFA is being phased out, so focus on Conditional Access policies. Mixing the two can lead to unexpected issues.
It’s smart to set up your Conditional Access and exempt those critical accounts. Running it in audit mode first can give you insight into which accounts are impacted without enforcing changes right away. This step can help you adjust your strategy based on real data.