Multi-Factor Authentication (MFA) is one of the most effective protections for Microsoft 365 accounts. However, in many small and medium-sized businesses, MFA is not consistently implemented — some users have it configured, while others do not.

This creates a serious and often overlooked risk: attackers only need one unprotected account to gain access to your environment.

In this guide, we’ll show you how to identify accounts without MFA in Microsoft 365 using a reliable export method based on Microsoft identity data.

Why Visibility Matters

Many organizations assume MFA is “enabled everywhere”, but in practice this is rarely the case. Changes over time, legacy accounts, exclusions, or incomplete setup often leave gaps that go unnoticed.

Without a clear, centralized view, it is difficult to verify:

• which users are actually protected

• which accounts are missing authentication methods

• where security gaps still exist

A report-based approach solves this by giving you a single, accurate view of your tenant.

How to Identify Accounts Without MFA in Microsoft 365

Microsoft provides a supported way to export authentication data using PowerShell.

You can use the following script:

https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAzureMfaReport/

This command generates a report that includes:

• all users in your tenant

• their registered authentication methods

• whether MFA is configured or used during sign-in

This approach allows you to move beyond assumptions and work with actual data.

What to Look for in the Report

Once the report is generated, review it to identify accounts that require attention. Focus on users who do not have MFA methods configured, accounts that appear to authenticate without MFA, and users that look inactive or incorrectly configured.

These findings typically highlight accounts that are not protected and should be prioritized for remediation.

Common Findings

When organizations review this data, they often discover users who never completed MFA registration, accounts created before MFA was enforced, service accounts without protection, and administrative accounts that were excluded or misconfigured.

These gaps are common, even in environments where MFA is believed to be fully deployed.

Why This Matters for Your Security

Microsoft identity protection relies heavily on MFA as a core security layer. If some accounts do not require MFA, access can be obtained with stolen passwords, Conditional Access protections may not be fully effective, and attackers can move within the environment once access is obtained.

For this reason, being able to identify and validate MFA coverage is a critical step in securing Microsoft 365.

Final Thoughts

Being able to identify accounts without MFA in Microsoft 365 is not guesswork — it requires visibility. A report-based approach provides a complete view of your environment, gives you clear evidence of existing security gaps, and offers a practical starting point for remediation so you can address risks in a structured and effective way.

If you’re unsure whether MFA is fully enforced across your environment, we can review your Microsoft 365 tenant and identify any accounts that remain unprotected. As part of this review, we also check for common issues such as incomplete MFA enrollment, overly broad access permissions, and gaps in Conditional Access policies.

This type of quick assessment often helps uncover risks that are not visible from the portal alone and provides clear recommendations on what to fix and how to prioritize remediation.