Our application displays the MFA status of Office 365 users by integrating with Microsoft’s cloud APIs.
Due to Microsoft’s technical limitations, our system can only reliably detect whether a user has actually registered MFA, not whether MFA is merely "enabled" for them in the Office admin portal.
This means it is possible - and expected - to see cases where Office 365 shows MFA as "enabled" while our portal shows it as "disabled."
This is not a bug, but a result of how Microsoft exposes MFA status to third-party applications like ours.
Why Does This Happen?
Microsoft’s API exposes two flags: IsMFARegistered, which indicates that multi‑factor authentication (MFA) has been enabled for the account, and IsMFACapable, which shows whether the user has actually completed MFA registration. Consequently, you can encounter a situation in which IsMFARegistered = true (MFA enabled by an administrator) but IsMFACapable = false (the user has not yet confirmed MFA).
In contrast, the Office 365 admin portal can show more granular statuses, such as "Enabled" (MFA assigned but not set up) and "Enforced" (MFA setup required and completed).
Our app will show "enabled" only if the user has actually finished registering MFA. If a user is only assigned MFA but hasn’t set it up, Office 365 may show "enabled," but our portal will show "disabled".
Example Table: MFA Status Differences
| User Scenario | Office 365 Admin Portal Status | Our Portal MFA Status | Explanation |
| --- | --- | --- | --- |
| MFA assigned, user has not registered MFA | Enabled | Disabled | Office 365 shows enabled because MFA is assigned, but user has not completed registration. |
| MFA enforced, user has not completed registration | Enforced | Disabled | Office 365 shows enforced, but unless user finishes setup, our portal shows disabled. |
| User completed MFA registration | Enforced or Enabled | Enabled | Both systems show enabled/enforced once registration is complete. |
| Contact user (not a real account, just a contact entry) | N/A | N/A | Contacts do not have MFA status, so both show N/A or not applicable. |
| Deleted user | Varies (may show Disabled) | Disabled | Deleted users are treated as not having MFA; both typically show disabled. |
| Guest user, MFA not registered | Enabled or N/A | Disabled | Office may show enabled if assigned, but our portal only shows enabled if registered. |
So, the "enabled" status in Office does not always mean the user has completed MFA registration; our portal will only show "enabled" if the user is fully registered.
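The comparison described above, as an added example that is not our portal's actual code: it derives the portal status from the two flags as this page describes them and lists the accounts where Office 365 shows MFA assigned but registration is incomplete. The record layout (`upn`, `kind`, `deleted`, `office_status`) and the sample data are constructed assumptions; only the two flag names come from this page.

```python
from __future__ import annotations

# Office 365 admin portal states that mean "MFA assigned" (from the table above).
ASSIGNED_STATES = {"Enabled", "Enforced"}


def portal_status(rec: dict) -> str:
    """Status our portal would display, following the rules in the table above."""
    if rec.get("kind") == "contact":   # contacts have no MFA status
        return "N/A"
    if rec.get("deleted"):             # deleted users are treated as not having MFA
        return "Disabled"
    # As this page describes it, IsMFACapable marks completed registration.
    # A missing or null flag counts as not registered (fail closed).
    return "Enabled" if rec.get("IsMFACapable") is True else "Disabled"


def registration_gaps(records: list[dict]) -> list[dict]:
    """Accounts Office 365 reports as assigned MFA that have not finished registering."""
    gaps = []
    for rec in records:
        if rec.get("office_status") in ASSIGNED_STATES and portal_status(rec) == "Disabled":
            gaps.append({"upn": rec["upn"], "office": rec["office_status"],
                         "guest": rec.get("kind") == "guest"})
    return gaps


# Constructed sample records, one per row of the table (not real accounts).
SAMPLE = [
    {"upn": "assigned@example.com", "kind": "member", "office_status": "Enabled",
     "IsMFARegistered": True, "IsMFACapable": False},
    {"upn": "enforced@example.com", "kind": "member", "office_status": "Enforced",
     "IsMFARegistered": True, "IsMFACapable": False},
    {"upn": "done@example.com", "kind": "member", "office_status": "Enforced",
     "IsMFARegistered": True, "IsMFACapable": True},
    {"upn": "contact@example.com", "kind": "contact", "office_status": "N/A"},
    {"upn": "gone@example.com", "kind": "member", "deleted": True,
     "office_status": "Disabled", "IsMFACapable": False},
    {"upn": "guest@example.com", "kind": "guest", "office_status": "Enabled",
     "IsMFARegistered": True, "IsMFACapable": False},
]

if __name__ == "__main__":
    for gap in registration_gaps(SAMPLE):
        print(f"{gap['upn']}: Office 365 {gap['office']}, portal Disabled, guest={gap['guest']}")
```

The accounts this returns are the ones to follow up with, since MFA is assigned to them but no registration has been completed.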