
Microsoft EntraID - MFA Enabled but Still Showing as Non-Compliant

This guide explains why your Security Group MFA monitor might not be passing.

Updated over 7 months ago

Why This Happens

The "MFA for security groups" monitor checks two things:

  • MFA is enabled in your identity provider, and

  • MFA is actively enforced for a specific user group

If MFA is enabled at the tenant level but not enforced on the group, the monitor will return as non-compliant.

What You Need to Do

1. Sign in to your identity provider

2. Go to your MFA or Conditional Access settings

3. Check the specific security group associated with this monitor

4. Confirm that MFA is explicitly required/enforced for this group

  • Enabling MFA globally is not sufficient—it must be applied at the group level

Note: once MFA enforcement is applied to the group, allow a few minutes for the monitor to refresh.
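The check in steps 3 and 4 can also be run offline against an export of your Conditional Access policies. The following is an added example, not the monitor's own code: it assumes policies shaped like Microsoft Graph conditionalAccessPolicy objects, and the group IDs, policy names and the function name are constructed for illustration.

```python
import json

# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = json.loads("""
[
 {"displayName": "MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA - engineering (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-eng"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or compliant device - finance", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-fin"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "MFA - admins", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-admins"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

def group_mfa_findings(policies, group_id):
    """Return (policies that enforce MFA on the group, [(policy, why it does not count)])."""
    enforcing, rejected = [], []
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        name = p.get("displayName", "<unnamed>")
        if "mfa" not in controls:
            continue  # policy does not ask for MFA at all
        if group_id in (users.get("excludeGroups") or []):
            rejected.append((name, "group is excluded"))
        elif group_id not in (users.get("includeGroups") or []):
            # Tenant-wide ("All") policies land here: not applied at the group level.
            rejected.append((name, "group not explicitly included"))
        elif p.get("state") != "enabled":
            rejected.append((name, "policy is not in an enforced state"))
        elif grant.get("operator") == "OR" and len(controls) > 1:
            rejected.append((name, "MFA is only one of several alternatives"))
        else:
            enforcing.append(name)
    return enforcing, rejected

if __name__ == "__main__":
    for gid in ("grp-admins", "grp-eng", "grp-fin"):
        ok, why_not = group_mfa_findings(SAMPLE_POLICIES, gid)
        print(gid, "ENFORCED by" if ok else "NOT ENFORCED", ok or why_not)
```

A group with an empty first list is in the situation this guide describes: MFA exists in the tenant but is not enforced on that group.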
