The point of this KB is to ensure that MFA is enabled on all accounts where it is needed.  


How MFA Is Applied To Accounts

Conditional Access rule sets define how MFA is applied to accounts that are associated with the rule set.  The Conditional Access rule sets are assigned to groups named with the _MFA prefix.  Through membership in these groups, MFA is applied to the user accounts.


These are groups with the _MFA prefix (an account should be a member of only one of these groups):

_MFA-Advanced-Access:  Accounts with administrator access to systems require more frequent MFA prompts  

_MFA-Excluded:  This is used to temporarily exclude accounts from MFA (for example:  while troubleshooting) 

_MFA-Default:  Most employees will use accounts that belong to this group

_MFA-Onboarding:  This is a test group.  Do not use this unless asked to

_MFA-Risk-Based:  This is for future use.  It will be used by accounts where risk based access is applied 


How To Verify MFA Is Enabled On A Single Account

To check if MFA is enabled on a single account, check whether that account is a member of one of the Azure AD groups that begin with _MFA.  One way to do this is to open the properties for that account in Azure AD and check its group membership.  If the account is not a member of one of these groups, enlist a CEA to onboard that employee.


How To Find Accounts That Are Not Members Of An MFA Group

At this time, we only have the ability to export group memberships to a spreadsheet and compare the lists.  A process is in development that will report accounts that are not in an _MFA group.
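The following is an added example of the spreadsheet comparison described above, written for this page and not part of the KB or of any Azure AD tooling.  It covers both the single-account check and the bulk search for accounts outside the _MFA groups.  It assumes two CSV exports with the column names UserPrincipalName, AccountEnabled and GroupDisplayName (the sample data and column names are constructed for the example; adjust them to match your own export), and it also flags accounts that break the one-group rule or that sit only in the temporary _MFA-Excluded group.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not from the KB). Assumed format: one CSV listing
# all user accounts and one CSV listing group memberships, each with a header row.
USERS_CSV = """UserPrincipalName,AccountEnabled
alice@example.com,True
bob@example.com,True
carol@example.com,True
dave@example.com,False
erin@example.com,True
"""

MEMBERSHIPS_CSV = """GroupDisplayName,UserPrincipalName
_MFA-Default,alice@example.com
_MFA-Advanced-Access,bob@example.com
_MFA-Default,bob@example.com
_MFA-Excluded,carol@example.com
Sales-Team,erin@example.com
"""

MFA_PREFIX = "_MFA"
EXCLUSION_GROUP = "_MFA-Excluded"


def load_users(csv_text):
    """Return the set of UPNs for enabled accounts (disabled accounts cannot sign in)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row["UserPrincipalName"].strip().lower()
        for row in reader
        if row["AccountEnabled"].strip().lower() == "true"
    }


def load_mfa_memberships(csv_text):
    """Map each UPN to the set of _MFA groups it belongs to; other groups are ignored."""
    memberships = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = row["GroupDisplayName"].strip()
        if group.startswith(MFA_PREFIX):
            memberships[row["UserPrincipalName"].strip().lower()].add(group)
    return memberships


def mfa_groups_for(upn, memberships):
    """Single-account check: the _MFA groups (if any) that cover this account."""
    return sorted(memberships.get(upn.strip().lower(), set()))


def audit(users, memberships):
    """Bulk check over all enabled accounts.

    missing  - no _MFA group at all (needs onboarding by a CEA)
    multiple - in more than one _MFA group (the KB allows only one)
    excluded - only in _MFA-Excluded (exclusion is meant to be temporary)
    """
    missing = sorted(u for u in users if not memberships.get(u))
    multiple = sorted(u for u in users if len(memberships.get(u, ())) > 1)
    excluded = sorted(u for u in users if memberships.get(u) == {EXCLUSION_GROUP})
    return {"missing": missing, "multiple": multiple, "excluded": excluded}


if __name__ == "__main__":
    users = load_users(USERS_CSV)
    memberships = load_mfa_memberships(MEMBERSHIPS_CSV)
    print("alice@example.com:", mfa_groups_for("alice@example.com", memberships))
    for finding, accounts in audit(users, memberships).items():
        print(f"{finding}: {', '.join(accounts) or '(none)'}")
```

Replace the two embedded strings with the contents of your exported files (for example, `open(path).read()`) to run it against a real export.  Accounts in the "missing" list are the ones to hand to a CEA; the "multiple" and "excluded" lists are worth a follow-up because either state means the intended Conditional Access rule set may not be the one actually applied.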