Understanding the Phishing-resistant MFA not enforced for all users Risk
BarracudaONE displays this risk when it detects, through Microsoft Entra ID, that some users are not required to sign in with a phishing-resistant MFA method (such as FIDO2 security keys or Windows Hello for Business), which leaves those accounts exposed to modern authentication bypass attacks such as adversary-in-the-middle (AiTM) phishing and MFA prompt fatigue.
Why this is a risk
Although traditional MFA methods (SMS and voice codes, one-time passcodes, push approvals) add protection beyond a password, most of them can still be defeated through phishing or social engineering. An adversary-in-the-middle proxy site can relay the password and the one-time code to the real login page in real time, and push-based methods can be worn down with repeated prompts until the user approves a sign-in they did not start.
Phishing-resistant MFA instead relies on a cryptographic key pair bound to the user's device, and the signature it produces is bound to the legitimate sign-in origin. A credential captured or relayed through a look-alike site therefore cannot complete the sign-in. Users without this protection remain exposed to identity-based attacks that target the weaker factors.
Requiring strong MFA greatly reduces the risk of successful phishing attempts and improves overall identity resilience.
How BarracudaONE identifies this risk
BarracudaONE displays:
List of users not covered by a phishing-resistant MFA requirement
Count of users without strong MFA
Last sign-in timestamp
MFA method or factor
Each user’s role
Resolving this risk
Resolving this risk involves enabling a Conditional Access policy in Microsoft Entra ID requiring phishing-resistant MFA for all users.
To mitigate the Phishing-resistant MFA not enforced for all users risk
In the left navigation menu, select Home.
In the Start mitigating risks section, do one of the following:
Select the Phishing-resistant MFA not enforced for all users risk.
Select another risk, then use the arrows to navigate to the Phishing-resistant MFA not enforced for all users risk.
Review this risk, then enable a Conditional Access policy in Microsoft Entra ID requiring phishing-resistant MFA for all users.
When this criterion is met, the risk auto-resolves.
If you disable or delete the Conditional Access policy, the risk returns.
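The following PowerShell script is an added example, not part of the original page or of BarracudaONE's own tooling. It uses the Microsoft Graph PowerShell SDK to (1) list users who have no phishing-resistant method registered, which is the same population the risk reports and the users who would be locked out if the policy were enforced immediately, and (2) create the Conditional Access policy described in the step above, in report-only mode, using the built-in "Phishing-resistant MFA" authentication strength. The set of method names treated as phishing-resistant, the emergency-access account UPN, and the policy display name are assumptions made for this example.

```powershell
# Added example (not from the original page): audit registration, then create a
# report-only Conditional Access policy that requires phishing-resistant MFA.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Which users have no phishing-resistant method registered?
#    Enforcing the policy before these users register one locks them out.
#    Assumed: these methodsRegistered values count as phishing-resistant.
$PhishingResistant = @(
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello"
)

$NotCovered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object {
        -not ($_.MethodsRegistered | Where-Object { $PhishingResistant -contains $_ })
    } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
        @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join "," } }

$NotCovered | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
Write-Host "$(@($NotCovered).Count) user(s) have no phishing-resistant method registered"

# 2. Look up the built-in "Phishing-resistant MFA" authentication strength by
#    name instead of hard-coding its GUID.
$Strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.PolicyType -eq "builtIn" -and $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $Strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found" }

# 3. Microsoft's guidance is to exclude emergency-access ("break glass") accounts
#    so an authentication-method outage cannot lock every admin out.
#    Assumed account name; replace with your own.
$BreakGlassUpn = "breakglass@contoso.example"
$BreakGlassId  = (Get-MgUser -UserId $BreakGlassUpn -Property Id).Id

# 4. Create the policy in report-only mode. Sign-in logs will then show who would
#    have been blocked, without changing anyone's experience yet.
$Policy = @{
    displayName = "Require phishing-resistant MFA for all users"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $Strength.Id }
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
Write-Host "Created policy $($Created.Id) in report-only mode"

# 5. Once the report-only results are clean and the users listed in step 1 have
#    registered a phishing-resistant method, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Two practical caveats. First, the policy only changes what is required at sign-in; users must be able to register a FIDO2 key, passkey or Windows Hello for Business through the tenant's authentication methods policy, or they will simply be blocked. Second, the page says the risk auto-resolves once a policy requiring phishing-resistant MFA for all users is enabled; it does not say how a report-only state or a break-glass exclusion is evaluated, so check the risk in BarracudaONE after switching the policy to enforced rather than assuming the report-only policy satisfies it.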
Once you have resolved this risk
Enforcing phishing-resistant MFA for all users with a Microsoft Entra ID Conditional Access policy:
Reduces the risk of account takeover from phishing—Phishing-resistant factors are built to resist common phishing and MFA-bypass techniques that work against weaker factors.
Protects against MFA prompt abuse—Users can’t be tricked into approving a fraudulent sign-in, so attackers have much less chance of succeeding even when they obtain usernames/passwords.
More consistent security posture across the whole organization—No “weaker users” attackers can target to gain access or pivot internally.
Lower impact of credential compromise—Password leaks, credential stuffing, and social engineering attempts become much less effective because a stolen or relayed password cannot complete the sign-in without the user's device-bound credential.
Stronger protection for both standard and privileged activity—Phishing-resistant MFA reduces the likelihood that any compromised identity can become a foothold.
Better resilience to evolving attack techniques—Phishing is evolving constantly; phishing-resistant methods are specifically designed to remain effective as attackers change tactics.