Understanding the Privileged accounts without strong MFA Risk
BarracudaONE displays this risk when it detects, through Microsoft Entra ID, that there are users with privileged access in your environment that don’t have a Multi-Factor Authentication (MFA) option enabled to protect their accounts.
It’s especially important to protect administrative accounts with MFA because these accounts are high-value targets for bad actors. Attackers often aim at privileged accounts because compromising these accounts gives them heightened access to resources in your environment.
Why this is a risk
Not having MFA enabled on an account means that the account is only protected with a password that could be stolen, guessed, brute-forced, or phished. Accounts not protected with MFA are more likely to be compromised, making them a security risk.
Because privileged accounts have heightened access to your Microsoft 365 environment, an attacker who compromises a privileged account could gain full control over your tenant, including:
modifying security settings
resetting user passwords, and
managing applications.
Adding a phishing-resistant MFA strategy, such as FIDO2 keys or Windows Hello for Business, significantly reduces the risk of unauthorized access by requiring device-tied verification.
Strengthening MFA for privileged accounts is one of the most impactful steps you can take to protect against high-severity identity threats.
Identifying this risk
BarracudaONE displays:
Privileged users missing phishing-resistant MFA requirements
Count of privileged users without strong MFA
Last sign-in timestamp
MFA method or factor (Optional)
Resolving this risk
Resolving this risk involves enabling a Conditional Access policy in Microsoft Entra ID requiring MFA for all privileged users.
To mitigate the Privileged accounts without strong MFA risk
In the left navigation menu, select Home.
In the Start mitigating risks section, do one of the following:
Select the Privileged accounts without strong MFA risk.
Select another risk, then use the arrows to navigate to the Privileged accounts without strong MFA risk.
Review this risk, then enable a Conditional Access policy in Microsoft Entra ID requiring MFA for all privileged users.
When this condition is met, the risk auto-resolves.
If you disable or delete the conditional access policy, the risk returns.
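One way to create the Conditional Access policy this procedure refers to, as an added example using the Microsoft Graph PowerShell SDK (not code from the BarracudaONE documentation); the list of roles to protect and the break-glass account ID are assumptions to adapt to your tenant.

```powershell
# Added example (not from the BarracudaONE documentation): creates the Entra ID
# Conditional Access policy the mitigation step calls for, via the Microsoft
# Graph PowerShell SDK. Assumes an account allowed to manage Conditional Access
# and that $BreakGlassUserId is replaced with your emergency-access account's ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","RoleManagement.Read.Directory"

# Placeholder: exclude an emergency-access (break-glass) account so a lost
# FIDO2 key or a misconfigured policy cannot lock every admin out of the tenant.
$BreakGlassUserId = "<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>"

# Roles to protect (assumed list); resolve their template IDs by display name
# instead of hard-coding GUIDs.
$RoleNames = @("Global Administrator", "Privileged Role Administrator",
               "Security Administrator", "Conditional Access Administrator",
               "Exchange Administrator", "SharePoint Administrator", "User Administrator")
$RoleIds = @(Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.DisplayName -in $RoleNames } |
    Select-Object -ExpandProperty TemplateId)

# Built-in "Phishing-resistant MFA" strength: FIDO2 keys, Windows Hello for
# Business or certificate-based auth. SMS, voice and push do not satisfy it.
$Strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$Policy = @{
    displayName = "Require phishing-resistant MFA for privileged roles"
    # Start in report-only mode to review sign-in impact; switch to "enabled"
    # to enforce, which is what the mitigation step above requires.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = $RoleIds; excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $Strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
```

Review the policy's report-only sign-in logs before enforcing it, and confirm the break-glass account stays excluded after any later edits.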
Once you have resolved this risk
Enforcing MFA specifically for privileged users using a conditional access policy has these key advantages:
Higher-risk protection where it matters most—MFA adds a strong barrier at the highest-impact points.
Lower overall breach impact—With MFA on privileged sign-ins, attackers are less likely to escalate privileges successfully.
Easier compliance alignment—Many regulations and internal policies require MFA for privileged access.
Consider enforcing MFA for all users instead of only privileged accounts.