User has MFA disabled

Last updated: July 2, 2026


Associated with

Inboxes

Underlying signals

IDAM MFA Disabled (RS24)

Reasonings

  • Regular user, and

    • Shared inboxes and distribution groups should be ignored and should never have this event

  • MFA connection does not have any secondary authentication factors configured, or

    • A user may be enrolled to have MFA enabled, but they may not have actually configured secondary factors

  • Email connection does not have secondary authentication configured

    • An inbox may have policies that force MFA, but the user may not have actually configured secondary factors

Resolutions

  • Configure a secondary authentication factor, or

  • If user is being offboarded, consider turning their inbox into a shared mailbox, or deactivating the user entirely

Additional Considerations

  • User/inbox must be seen from an integration that would relay MFA information

    • A user existing only in an email security platform would not raise this event

  • Because conditional access policies prevent logins unless MFA is complete, Cork considers this a valid conditional access policy as compliant.

  • If in Entra, a user’s MFA state is Enabled or Enforced, it is important to know this does not necessarily mean they have configured a secondary factor.