Learn to Enable per-user Azure Multi-Factor Authentication

  1. Home
  2. Learn to Enable per-user Azure Multi-Factor Authentication

This tutorial will help to Learn to Enable per-user Azure Multi-Factor Authentication. There are two ways to secure user sign-in events by requiring multi-factor authentication in Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-factor authentication under certain conditions. The second option is to enable each user for Azure Multi-Factor Authentication.

Azure Multi-Factor Authentication user states

StatusDescriptionNon-browser apps affectedBrowser apps affectedModern authentication affected
DisabledThe default state for a new user not enrolled in Azure Multi-Factor Authentication.NoAlso, NoNo
EnabledAlso, The user has been enrolled in Azure Multi-Factor Authentication, but hasn’t registered authentication methods. They receive a prompt to register the next time they sign in.No. They continue to work until the registration process is completed.Yes. After the session expires, Azure Multi-Factor Authentication registration is required.Yes. After the access token expires, Azure Multi-Factor Authentication registration is required.
EnforcedThe user has been enrolled and has completed the registration process for Azure Multi-Factor Authentication.Yes. Apps require app passwords.Also, Yes. Azure Multi-Factor Authentication is required at login.Also, Yes. Azure Multi-Factor Authentication is required at login.

View the status for a user

Use the following steps to access the Azure portal page where you can view and manage user states:

  • Sign in to the Azure portal as an administrator.
  • Then, Search for and select Azure Active Directory, then select Users > All users.
  • Also, Select Multi-Factor Authentication. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full Azure portal window and menu location:
Image Source – Microsoft

A new page opens that displays the user state, as shown in the following example. 

Image Source – Microsoft

Change the status for a user

To change the Azure Multi-Factor Authentication state for a user, complete the following steps:

  • Use the preceding steps to get to the Azure Multi-Factor Authentication users page.
  • Find the user you want to enable for Azure Multi-Factor Authentication. You might need to change the view at the top to users.
Image Source – Microsoft
  • Check the box next to the name(s) of the user(s) to change the state for.
  • On the right-hand side, under quick steps, choose Enable or Disable. In the following example, the user John Smith has a check next to their name and is being enabled for use:
Image Source – Microsoft

Confirm your selection in the pop-up window that opens.

Change state using PowerShell

To change the user state by using Azure AD PowerShell, you change the $st.State parameter for a user account. There are three possible states for a user account:

  • Enabled
  • Enforced
  • Disabled

Don’t move users directly to the Enforced state. If you do so, non-browser-based apps stop working because the user hasn’t gone through Azure Multi-Factor Authentication registration and obtained an app password.

free practice test for AZ- 303

Go back to home page

Reference documentation – Enable per-user Azure Multi-Factor Authentication to secure sign-in events

Menu