
Test 86: MFA on Identity Provider

Drata uses the delegated access granted to its Identity Provider connection to request a list of all users and determine, for each one, whether MFA is enabled.

ASSOCIATED DRATA CONTROL

This test is part of the MFA on Accounts control, which ensures Multi-Factor Authentication (MFA) is required for access to any sensitive systems or applications. Drata verifies that signing in requires a user ID, a password, and a second factor such as a One-Time Password (OTP) or a certificate.

WHAT TO DO IF A TEST FAILS

If Drata finds an identity in your Identity Provider (IdP) that does not have MFA enabled, the test fails. A failed test includes a list of the users who do not have MFA enabled on their account.

To remediate a failed test, you can send email reminders from within Drata to each listed user, reminding them to enable MFA on their account. The emails direct your employees back to their onboarding tasks in Drata.

STEPS FOR PASSING

  1. Identify failing identities and providers.

    • Navigate to the Monitoring page, search for and open Test 86, and review the Findings tab.

    • Identify which users are failing and note the specific Identity Provider (IdP) associated with their accounts.

    • Check if a failing user has more than one active IdP connected to Drata. Users with multiple identities must have MFA enabled on every active account to pass. A single non-compliant identity will cause the entire user record to fail Test 86.

  2. Enforce MFA in your Identity Provider

    • Log into the relevant IdP and enable MFA for the failing users.

    • We recommend enforcing MFA through a group-based or Organizational Unit (OU) policy rather than per user, so that all current and future members are automatically compliant.

  3. Sync your data. After updating settings in your IdP, Drata needs to verify the changes. You can either:

    • Wait: Drata performs a nightly sync automatically.

    • Manual Sync: To pass the test immediately, navigate to the test and select "Test Now."

  4. Manage legitimate exclusions. If an account cannot use MFA (e.g., service accounts or "break-glass" admin accounts), create an exclusion for that account in Drata, record the justification, and make sure the account is protected by an alternative control (see the guidance on service accounts below).

Enforce MFA in your Identity Provider: provider-specific steps

For Drata to mark Test 86 as passing, MFA must be required (not just available), and each user must have an MFA factor registered natively in the IdP.

⚠️ Before making changes: The steps below modify your Identity Provider's authentication policies, which control how every user signs in. Before applying any policy:

  • Test in a non-production environment first if possible.

  • Create a break-glass admin account that's excluded from MFA enforcement, with credentials stored securely offline. This protects against being locked out of your tenant if MFA fails.

  • Identify and exclude service accounts, automation identities, and shared mailboxes that can't perform interactive MFA. These should use stronger alternatives (managed identities, certificate-based auth) rather than be subject to user MFA policies.

  • Communicate to users before enforcement so they have time to enroll an MFA method.

  • Roll out in stages — start with a small pilot group before applying to "All users" or "Everyone."

If you're not the administrator of your IdP, share this article with your IT team rather than making changes yourself.

Okta

  1. Sign in to the Okta Admin Console.

  2. Go to Security → Authenticators and enable the factors you want (Okta Verify, WebAuthn, Google Authenticator, etc.).

  3. Go to Security → Authentication Policies and edit the Any two factors policy (or create a new one).

  4. Add a rule: IF user is in [group] THEN require Password + Another factor.

  5. Assign the policy to the Everyone group or a group containing the failing users.

    • Assigning an MFA policy to the Everyone group includes service and system accounts.

    • Consider creating a dedicated group of human users instead, and exclude API/service identities.

  6. Failing users will be prompted to enroll on next sign-in.

Microsoft 365 / Entra ID

Drata evaluates MFA in this order:

  1. Security Defaults. If Security Defaults are enabled on your tenant, Drata marks all users as MFA-compliant — regardless of other settings.

    • Caveat: enabling Security Defaults also blocks legacy authentication, which may break older Office clients, IMAP/POP/SMTP connections, and service accounts that rely on app passwords.

  2. Conditional Access Policies (CAPs). If Security Defaults are off, Drata checks for CAPs that enforce MFA. The user must be included in the policy scope (and not excluded) for Drata to recognize them as compliant.

  3. Per-User MFA. If neither Security Defaults nor relevant CAPs apply, Drata falls back to the Per-User MFA status in Entra ID. Only in this case do the Enabled or Enforced states in the Per-User MFA portal affect compliance.

For Drata to recognize a user as MFA-compliant, the user must also have an MFA method registered natively in Entra ID. MFA enforced exclusively through a layered system that the Microsoft Graph API cannot see (for example, Duo through ADFS without a native Entra registration) may not be detected.
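The three-tier evaluation above is easy to misread when a user is covered by one policy and excluded from another, or when a pilot policy is still in report-only mode. The following Python model, an added example rather than Drata's code, reconstructs the order described in this article over constructed records shaped like the Microsoft Graph responses an auditor would pull (`/policies/identitySecurityDefaultsEnforcementPolicy`, `/identity/conditionalAccess/policies`, `/reports/authenticationMethods/userRegistrationDetails`). The tenant data, user IDs and group names are invented, group membership is assumed to be already expanded, and the exact logic Drata applies is not published, so treat this as a reasoning aid for the Findings tab rather than a reimplementation.

```python
"""Model of the three-tier Entra ID MFA evaluation described above.

Added example, not Drata's code. Record shapes follow Microsoft Graph
(/policies/identitySecurityDefaultsEnforcementPolicy,
/identity/conditionalAccess/policies,
/reports/authenticationMethods/userRegistrationDetails); the sample data
is constructed and the evaluation order is a reconstruction of the
article's description, not Drata's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    upn: str
    object_id: str
    is_mfa_registered: bool                # userRegistrationDetails.isMfaRegistered
    per_user_mfa_state: str = "disabled"   # legacy per-user MFA: disabled/enabled/enforced
    groups: list = field(default_factory=list)  # assumed already expanded


def cap_requires_mfa_for(policy: dict, user: User) -> bool:
    """True if this Conditional Access policy enforces MFA on this user.

    Only state == 'enabled' counts: report-only
    ('enabledForReportingButNotEnforced') and disabled policies require
    nothing at sign-in. Exclusions win over inclusions, as in Entra.
    """
    if policy.get("state") != "enabled":
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return False
    cond = policy["conditions"]
    if "All" not in cond["applications"].get("includeApplications", []):
        return False  # scoped to some apps only; not "MFA required" for the account
    u = cond["users"]
    excluded = (user.object_id in u.get("excludeUsers", [])
                or any(g in u.get("excludeGroups", []) for g in user.groups))
    if excluded:
        return False
    return ("All" in u.get("includeUsers", [])
            or user.object_id in u.get("includeUsers", [])
            or any(g in u.get("includeGroups", []) for g in user.groups))


def evaluate(user: User, security_defaults_enabled: bool, policies: list) -> tuple:
    """Return (compliant, reason) following the order in the article."""
    # 1. Security Defaults: every user is treated as compliant.
    if security_defaults_enabled:
        return True, "Security Defaults enabled: all users treated as compliant"
    # 2. Conditional Access: user must be in scope and not excluded.
    if any(cap_requires_mfa_for(p, user) for p in policies):
        tier = "Conditional Access policy"
    # 3. Per-user MFA is only consulted when no CAP applies.
    elif user.per_user_mfa_state in ("enabled", "enforced"):
        tier = "per-user MFA"
    else:
        return False, "no MFA enforcement applies to this user"
    # Enforcement alone is not enough: a method must be registered natively.
    if not user.is_mfa_registered:
        return False, f"{tier} applies but no MFA method is registered in Entra"
    return True, f"{tier} applies and an MFA method is registered"


def failing_users(users: list, security_defaults_enabled: bool, policies: list) -> list:
    """UPNs that would appear in the Test 86 findings under this model."""
    return sorted(u.upn for u in users
                  if not evaluate(u, security_defaults_enabled, policies)[0])


# --- constructed sample tenant (not real data) ---
POLICIES = [
    {   # the "Recommended (larger orgs)" policy from this article, scoped to a group
        "displayName": "Require MFA - staff",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["g-staff"], "excludeUsers": ["u-breakglass"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # report-only pilot covering everyone: evaluated, never enforced
        "displayName": "Require MFA - all (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

USERS = [
    User("alice@example.com", "u-alice", True, groups=["g-staff"]),
    User("carol@example.com", "u-carol", False, groups=["g-staff"]),          # in scope, never enrolled
    User("dave@example.com", "u-dave", True, per_user_mfa_state="enforced"),  # legacy per-user only
    User("erin@example.com", "u-erin", True),                                 # only the report-only CAP
    User("breakglass@example.com", "u-breakglass", False, groups=["g-staff"]),  # excluded: needs a Drata exclusion
]

if __name__ == "__main__":
    for u in USERS:
        ok, why = evaluate(u, False, POLICIES)
        print(f"{'PASS' if ok else 'FAIL'} {u.upn}: {why}")
    print("failing:", failing_users(USERS, False, POLICIES))
    print("with Security Defaults:", failing_users(USERS, True, POLICIES))
```

Running it shows the three failure modes the troubleshooting tips below refer to: carol is in scope but has no registered method, erin is covered only by a report-only policy, and the break-glass account is excluded from the enforcing policy, so it needs a documented exclusion in Drata rather than a configuration fix. Flipping Security Defaults on empties the failing list regardless of registration, which is why an unexpected all-pass is worth checking.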

Easiest (small orgs):

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Entra ID → Properties.

  3. Select Manage security defaults.

  4. Set Security defaults = Enabled and save.

Recommended (larger orgs):

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Entra ID → Conditional Access → Policies.

  3. Select New policy.

  4. Configure the policy:

    • Users: the failing users or a group containing them

    • Target resources → Resources (formerly cloud apps) → Include: All resources (formerly 'All cloud apps')

    • Grant: Require multifactor authentication

  5. Set the policy to On and save. If you want to preview the impact first, set it to Report-only and review the sign-in logs, but note that a Report-only policy does not enforce MFA, so Test 86 will not pass until the policy is On.

Users will be prompted to register at aka.ms/mfasetup on next sign-in.

Troubleshooting tips:

  • If Test 86 unexpectedly passes for everyone, check whether Security Defaults is enabled.

  • If a user fails despite a CAP, confirm they're included in the policy scope and have an MFA method registered in Entra.

  • After any MFA configuration change, run a manual sync in Drata via Test now.

  • If MFA is enforced but Test 86 still fails for users, contact Drata Support for review.

⚠️ Mandatory Microsoft MFA: As of early 2026, Microsoft has enforced mandatory MFA for all admin portals. If your admin accounts are still failing Test 86, check that older Conditional Access policies are not excluding them and that each admin has an MFA method registered in Entra.


Google Workspace

Refer to Google's documentation to enable 2-Step Verification. In the Google Admin console this is managed under Security → Authentication → 2-step verification, where you can both allow users to turn it on and set enforcement; as with the other providers, it must be enforced (not merely allowed) for Test 86 to pass.

HELPFUL RESOURCES

Drata can identify users without MFA enabled, but MFA settings must be updated directly in your Identity Provider.
