Microsoft MFA Enabled Vs Enforced Azure AD Free

If either of the scenarios below applies to you, this article is not for you.

  • You have an Azure AD P1 or P2 license and use Conditional Access to enforce MFA.
  • You use Azure AD Free with security defaults turned on.

The actual difference between MFA enabled and MFA enforced is a frequent source of confusion. Microsoft's documentation on per-user MFA states describes the three applicable states, listed below.

  • Disabled
  • Enabled
  • Enforced

Disabled

In the disabled state, the user is not enrolled in per-user Azure AD MFA.

Enabled

In the enabled state, the user is enrolled in per-user MFA. At their next sign-in they are prompted to register for MFA. Legacy authentication still works while the user is in the enabled state.

Enforced

In the enforced state, the user is enrolled in per-user MFA. If they have not yet registered, they are prompted to register at their next sign-in. When a user completes registration, their state changes from enabled to enforced.

Confusion Scenario

You may run into a scenario where the enabled and enforced states described above behave the same.

The user is enabled in the MFA portal and can complete MFA, but their status never changes to enforced.

This happens when MFA is disabled for a user after they have completed registration and is then re-enabled. The registered authentication methods are still present, so the user is never asked to go through the MFA registration process again, and the change to enforced that registration would trigger never happens.

There are two options you can use to change the user status to the enforced state.

  • An admin manually changes the user's status to enforced in the portal.
  • You require the user to redo authentication method registration, which is initiated from the portal.
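As an added example (my own code, not the article's), the PowerShell below finds the users sitting in exactly this stuck state and scripts the first option. It assumes the legacy MSOnline module, which Microsoft has deprecated in favour of Microsoft Graph, and an admin account allowed to read and change per-user MFA settings; the function names and the $Apply switch are mine.

```powershell
# Added example, not code from the article. Requires the legacy MSOnline module
# (deprecated by Microsoft in favour of Microsoft Graph) and an admin account
# permitted to read and change per-user MFA settings.
Import-Module MSOnline
Connect-MsolService

# Map a user's StrongAuthenticationRequirements to the three portal states.
# An empty collection means Disabled; otherwise State is Enabled or Enforced.
function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)
    $req = @($User.StrongAuthenticationRequirements) | Select-Object -First 1
    if ($null -eq $req) { return 'Disabled' }
    return $req.State
}

# Report every user with state, number of registered methods and default method.
$report = Get-MsolUser -All | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-PerUserMfaState -User $_
        MethodCount       = @($_.StrongAuthenticationMethods).Count
        DefaultMethod     = @($_.StrongAuthenticationMethods |
                                Where-Object IsDefault).MethodType -join ','
    }
}

# The stuck state from the article: Enabled, yet methods are already registered,
# so the user is never prompted to register and never moves to Enforced.
$stuck = $report | Where-Object { $_.MfaState -eq 'Enabled' -and $_.MethodCount -gt 0 }
$stuck | Format-Table -AutoSize

# Option 1 from the article, scripted: set the state to Enforced directly.
function Set-PerUserMfaEnforced {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $sta = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $sta.RelyingParty = '*'
    $sta.State = 'Enforced'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($sta)
}

# Review the report first; flip $Apply to $true to remediate the stuck users.
$Apply = $false
if ($Apply) {
    foreach ($u in $stuck) { Set-PerUserMfaEnforced -UserPrincipalName $u.UserPrincipalName }
}
```

Users reported as Disabled with a non-zero MethodCount are the ones the article describes after MFA was turned off: re-enabling them without requiring re-registration is what produces the stuck Enabled state.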

Demonstration

The screenshots below illustrate the scenario described above.

Screenshot: a user enabled for MFA for the first time.

Screenshot: the same user after MFA is disabled.

Screenshot: MFA re-enabled without the user being forced to re-register.

Changing User status to Enforced

There are two options you can use to change the user status to enforced:

  • An admin manually changes the user's status to enforced in the portal.
  • You require the user to redo authentication method registration, which is initiated from the portal.

Screenshot: an admin manually changing the status to enforced in the portal.

Screenshot: requiring the user to redo authentication method registration from the portal.

Summary

In this article, we reviewed the difference between the MFA enabled and enforced states, and why a user can appear stuck in the enabled state.