MFA posture
What it shows
For every user in the customer tenant, Policytab fetches their registration details from /reports/authenticationMethods/userRegistrationDetails and computes a staleness bucket with an explicit confidence.
The per-user column Report updated (Graph) is Graph's lastUpdatedDateTime. Microsoft documents this field as the time the registration report row was last updated, not when the user last signed in with MFA or changed their authentication methods. Do not treat it as "last MFA use."
Staleness buckets
| Bucket | Meaning |
|---|---|
| fresh | Registered, has at least one strong method, registration report updated within 90 days |
| amber | Registered with weak-only methods (SMS, voice) OR report updated 90-180 days ago |
| stale | Report updated >180 days ago OR MFA-capable but not registered |
| unknown | Not enough signal (includes strong methods when Graph omits lastUpdatedDateTime) |
Strong methods
- Microsoft Authenticator (push or passwordless)
- FIDO2 security key
- Windows Hello for Business
- Software OATH / passkey (device-bound)
Weak methods
- SMS (mobilePhone)
- Voice (officePhone, alternateMobilePhone)
Bootstrap methods
- Temporary Access Pass (amber - onboarding only)
Confidence
| Confidence | Means |
|---|---|
| high | We have BOTH methodsRegistered and a parsable lastUpdatedDateTime |
| medium | We have one of the two |
| low | Neither (don't act on this user without a manual check) |
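The bucket and confidence rules above, applied to one userRegistrationDetails row, as an added example (not Policytab's own code). It assumes the Graph enum names for the strong methods (the page names only the phone-based ones), treats a report older than 180 days as stale even for weak-only users, and uses a fixed reference time and constructed sample rows so it runs offline.

```python
from datetime import datetime, timezone

# Graph methodsRegistered values. The page names only the phone-based ones; the rest
# are the Graph enum names for the strong methods listed above (assumption).
STRONG = {"microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless",
          "fido2SecurityKey", "windowsHelloForBusiness",
          "softwareOneTimePasscode", "passKeyDeviceBound"}
FRESH_DAYS, STALE_DAYS = 90, 180
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time

def parse_graph_time(value):
    """Parse lastUpdatedDateTime (UTC 'Z' suffix, up to 7 fractional digits); None if absent."""
    if not value:
        return None
    stamp = value.rstrip("Z")
    if "." in stamp:                      # fromisoformat accepts at most 6 fractional digits
        head, frac = stamp.split(".", 1)
        stamp = f"{head}.{frac[:6]}"
    try:
        return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def classify(row, now):
    """Return (bucket, confidence) for one userRegistrationDetails row, per the tables above."""
    methods = row.get("methodsRegistered")            # None when Graph omits the field
    updated = parse_graph_time(row.get("lastUpdatedDateTime"))
    confidence = {2: "high", 1: "medium", 0: "low"}[(methods is not None) + (updated is not None)]
    age = (now - updated).days if updated else None
    if not row.get("isMfaRegistered", False):
        # Assumption: capable-but-unregistered is stale; not capable and not registered is no signal
        return ("stale" if row.get("isMfaCapable") else "unknown"), confidence
    if age is not None and age > STALE_DAYS:
        return "stale", confidence                    # old report wins over weak-only amber
    if not methods:
        return "unknown", confidence                  # registered, but no method detail to grade
    if set(methods) & STRONG:
        if age is None:                               # strong, but Graph omitted the timestamp
            return "unknown", confidence
        return ("fresh" if age <= FRESH_DAYS else "amber"), confidence
    return "amber", confidence                        # weak-only (SMS/voice) or Temporary Access Pass

# Constructed sample rows (not real tenant data), shaped like Graph's response.
SAMPLE_ROWS = [
    {"isMfaRegistered": True, "isMfaCapable": True, "lastUpdatedDateTime": "2024-05-20T08:00:00.1234567Z",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},          # fresh
    {"isMfaRegistered": True, "isMfaCapable": True, "lastUpdatedDateTime": "2024-05-01T00:00:00Z",
     "methodsRegistered": ["mobilePhone"]},                                        # amber (SMS-only)
    {"isMfaRegistered": True, "isMfaCapable": True, "lastUpdatedDateTime": "2023-10-01T00:00:00Z",
     "methodsRegistered": ["fido2SecurityKey"]},                                   # stale (>180 days)
    {"isMfaRegistered": False, "isMfaCapable": True, "lastUpdatedDateTime": "2024-05-30T00:00:00Z",
     "methodsRegistered": []},                                                     # stale (not registered)
]
```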
What to do with the data
- Stale admins are the priority. The dashboard surfaces the count per tenant. Reach out and get them re-enrolled.
- Amber users on SMS-only are the largest, easiest improvement. Walk them through Authenticator setup.
- Fresh means strong registration plus a recent report timestamp - not proof of recent MFA usage.
How fresh is the data?
Click Refresh MFA on the MFA page. The Edge Function pulls the latest user registration report from Microsoft (10-30s for a 1000-user tenant) and upserts into mfa_state. Last synced in the page header is when Policytab last fetched Graph for this tenant; Report updated (Graph) per user is from Microsoft's registration report metadata.
A future enhancement will run this on a slow schedule (e.g. daily) per imported tenant; today it's on-demand only.