Managed Devices SHOULD be required to register MFA.
Why This Matters
If managed devices are not required to register for multifactor authentication (MFA), your organization’s endpoints remain highly vulnerable to credential theft and lateral movement. If an attacker compromises a device that never completed MFA registration, they can access sensitive resources without additional verification. For IT administrators, this gap undermines the entire conditional access and device compliance strategy, especially in hybrid or cloud-first environments.
What Aether365 Checks
This check verifies that the Microsoft Entra ID conditional access policy setting “Require multifactor authentication registration” is applied to managed devices. You can view the result in the Aether365 dashboard under the Entra ID (entra-id) security checks section.
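The following is an added example, not Aether365's own code: a sketch of how such a check can be evaluated offline against conditional access policies exported as Microsoft Graph conditionalAccessPolicy JSON. It assumes the control is implemented as a policy targeting the "Register security information" user action with a managed-device grant control; the sample policies and the function names are constructed for illustration.

```python
import json

# Constructed sample data in the shape of Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Report-only draft", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "MFA for all apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Managed device for MFA registration", "state": "enabled",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
   "grantControls": {"operator": "OR",
                     "builtInControls": ["compliantDevice", "domainJoinedDevice"]}}
]
""")

REGISTER_ACTION = "urn:user:registersecurityinfo"   # "Register security information"
MANAGED_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def policy_gaps(policy):
    """Return the reasons a policy does not enforce the control (empty list = pass)."""
    gaps = []
    apps = (policy.get("conditions") or {}).get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if policy.get("state") != "enabled":
        # Report-only and disabled policies do not block anything.
        gaps.append("not enforced")
    if REGISTER_ACTION not in (apps.get("includeUserActions") or []):
        gaps.append("does not target security info registration")
    if not controls & MANAGED_CONTROLS:
        gaps.append("no managed-device grant control")
    elif grant.get("operator") == "OR" and controls - MANAGED_CONTROLS:
        # With OR, satisfying any other listed control skips the device requirement.
        gaps.append("OR operator allows bypass via another control")
    return gaps

def evaluate(policies):
    """Names of policies that enforce the control; an empty list means the check fails."""
    return [p["displayName"] for p in policies if not policy_gaps(p)]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", policy_gaps(p) or "PASS")
```

A report-only policy and a policy whose OR operator mixes in a non-device control both fail here, which are the two cases most easily mistaken for a passing configuration.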