
Understanding Office 365 MFA Status in Our App

This article explains how Office 365 MFA status works in Strategy Overview (SO) and why users may see differences between Office and SO.

Updated over 3 weeks ago

Our application displays the MFA status of Office 365 users by integrating with Microsoft’s cloud APIs.

Due to Microsoft’s technical limitations, our system can only reliably detect whether a user has actually registered MFA, not whether MFA is merely "enabled" for them in the Office admin portal.

This means it is possible - and expected - to see cases where Office 365 shows MFA as "enabled" while our portal shows it as "disabled."

This is not a bug, but a result of how Microsoft exposes MFA status to third-party applications like ours.

Why Does This Happen?

Microsoft’s API exposes two flags: IsMFARegistered, which indicates that multi‑factor authentication (MFA) has been enabled for the account, and IsMFACapable, which shows whether the user has actually completed MFA registration. Consequently, you can encounter a situation in which IsMFARegistered = true (MFA enabled by an administrator) but IsMFACapable = false (the user has not yet confirmed MFA).

In contrast, the Office 365 admin portal can show more granular statuses, such as "Enabled" (MFA assigned but not set up) and "Enforced" (MFA setup required and completed).

Our app will show "enabled" only if the user has actually finished registering MFA. If a user is only assigned MFA but hasn’t set it up, Office 365 may show "enabled," but our portal will show "disabled".

Example Table: MFA Status Differences

| User Scenario | Office 365 Admin Portal Status | Our Portal MFA Status | Explanation |
| --- | --- | --- | --- |
| MFA assigned, user has not registered MFA | Enabled | Disabled | Office 365 shows enabled because MFA is assigned, but user has not completed registration. Example: the phone number was added by an admin script but the user never confirmed it. |
| MFA enforced, user has not completed registration | Enforced | Disabled | Office 365 shows enforced, but unless user finishes setup, our portal shows disabled. |
| User completed MFA registration | Enforced or Enabled | Enabled | Both systems show enabled/enforced once registration is complete. |
| Contact user (not a real account, just a contact entry) | N/A | N/A | Contacts do not have MFA status, so both show N/A or not applicable. |
| Deleted user | Varies (may show Disabled) | Disabled | Deleted users are treated as not having MFA; both typically show disabled. |
| Guest user, MFA not registered | Enabled or N/A | Disabled | Office may show enabled if assigned, but our portal only shows enabled if registered. |

So, the "enabled" status in Office does not always mean the user has completed MFA registration; our portal will only show "enabled" if the user is fully registered.
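The following is an added example, not part of the original article or the product's code. It applies the rule above to two constructed CSV exports and lists the accounts that Office shows as Enabled or Enforced without a completed registration. The column names, including `RegistrationComplete`, are assumptions for illustration and not Microsoft's or the product's schema.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
ADMIN_PORTAL_CSV = """UserPrincipalName,Type,PortalState
alice@example.test,Member,Enabled
bob@example.test,Member,Enforced
carol@example.test,Member,Enforced
dave@example.test,Guest,Enabled
helpdesk@example.test,Contact,
erin@example.test,Deleted,Disabled
"""
REGISTRATION_CSV = """UserPrincipalName,RegistrationComplete
alice@example.test,false
bob@example.test,false
carol@example.test,true
dave@example.test,false
"""

def load(text, key="UserPrincipalName"):
    """Index CSV rows by lower-cased UPN so the join is case-insensitive."""
    return {row[key].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(admin_csv, registration_csv):
    """Return (status_by_user, gaps); gaps are users assigned MFA but unregistered."""
    registered = load(registration_csv)
    status, gaps = {}, []
    for upn, row in load(admin_csv).items():
        if row["Type"] == "Contact":
            status[upn] = "N/A"  # contacts have no MFA status
            continue
        # Assumption: a user missing from the registration export is unregistered.
        reg = registered.get(upn, {}).get("RegistrationComplete", "false")
        done = row["Type"] != "Deleted" and reg.strip().lower() == "true"
        status[upn] = "Enabled" if done else "Disabled"
        if not done and row["PortalState"] in ("Enabled", "Enforced"):
            gaps.append(upn)  # assigned in Office, registration not completed
    return status, sorted(gaps)

if __name__ == "__main__":
    status, gaps = reconcile(ADMIN_PORTAL_CSV, REGISTRATION_CSV)
    for upn, state in status.items():
        print(f"{upn:28} {state}")
    print("Assigned but not registered:", ", ".join(gaps))
```

The gap list is the set worth following up on: those accounts are assigned MFA in Office but have not completed registration.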
