Understanding the MFA not enabled for some users risk


BarracudaONE displays this risk when it detects, through Microsoft Entra ID, that some users in your environment don’t have a Multi-Factor Authentication (MFA) option enabled to protect their accounts.

Why this is a risk

Not having MFA enabled on an account means that the account is only protected with a password that could be stolen, guessed, brute-forced, or phished. Accounts not protected with MFA are more likely to be compromised, making them a security risk.

Identifying this risk

To help you identify the users affected, BarracudaONE displays:

  • List of users without MFA

  • Count of users without MFA

  • Last sign-in timestamp

  • MFA enrollment status (None, Partial, Complete)

Resolving this risk

Resolving this risk involves enabling a Conditional Access policy in Microsoft Entra ID requiring MFA for all users.

To resolve the MFA not enabled for some users risk
  1. In the left navigation menu, select Home.

  2. In the Start mitigating risks section, do one of the following:

    • Select the MFA not enabled for some users risk.

    • Select another risk, then use the arrows to navigate to the MFA not enabled for some users risk.

  3. Review this risk, then enable a Conditional Access policy in Microsoft Entra ID requiring MFA for all users.

When this criterion is met, the risk auto-resolves.

If you disable or delete the Conditional Access policy, the risk returns.

Once you have resolved this risk

A Conditional Access policy in place to enforce MFA for all users gives your environment:

  • Stronger account security—Even if a password is stolen/phished, MFA adds a second barrier that prevents most unauthorized logins.

  • Reduced account takeover risk—MFA dramatically lowers the likelihood of attackers successfully gaining access to user accounts.

  • Better protection against phishing and credential attacks—Modern MFA helps mitigate common attacks.

  • Consistent enforcement across the organization—Applying MFA to all users avoids gaps where attackers target accounts that might otherwise be exempt (e.g., some service accounts, internal users, or legacy exceptions).

  • Simpler governance and auditability—A single, organization-wide rule is easier to explain, document, and validate for security/compliance audits.

  • Better protection against device/network bypass scenarios—Conditional access can also help ensure MFA is required regardless of location or device posture (depending on how the policy is built), closing off common bypass routes.

