---
name: MFA and Strong Authentication Coverage Audit
description: Audit Microsoft Entra to find users without MFA, weak SMS or voice methods, and FIDO2 or passkey adoption to lift authentication assurance.
---

# MFA and Strong Authentication Coverage Audit

> **TL;DR:** This skill inspects every Microsoft Entra user to map who has no multifactor authentication, who relies on weak SMS or voice methods, and who has adopted phishing-resistant FIDO2 or passkeys, then produces a ranked coverage report so you can close the riskiest gaps first.

## What does an MFA coverage audit reveal in Microsoft Entra?

Microsoft Entra ID is the identity control plane for Microsoft 365, and the strength of each user's registered authentication methods directly governs how resistant your tenant is to credential theft and phishing. This audit reads the authentication methods registered against each account, distinguishing phishing-resistant options such as FIDO2 security keys and passkeys from weaker fallbacks such as SMS and voice call. It correlates that picture with sign-in capability so you can see exactly where Conditional Access enforcement and method policy still leave exposure.

## When should you run this skill?

- "Show me every user who still has no MFA method registered."
- "Which accounts are relying on SMS or voice call as their only second factor?"
- "How far along is our FIDO2 and passkey rollout across the organisation?"
- "I need an authentication assurance report before our cyber insurance renewal."
- "Find privileged accounts that are not using phishing-resistant authentication."
- "We are preparing for an Essential Eight assessment and need MFA coverage evidence."
- "Has passkey adoption improved since last quarter's baseline?"

## How this skill works, step by step

1. Connect to Microsoft Graph with read-only delegated scopes for authentication methods and directory data.
2. Enumerate all enabled user accounts in the tenant, capturing display name, user principal name, and account type.
3. Retrieve the registered authentication methods for each user, including FIDO2, Microsoft Authenticator, passkeys, SMS, voice, and email.
4. Classify each user's strongest registered method into a tier: phishing-resistant, app-based, weak (SMS or voice), or none.
5. Cross-reference privileged role assignments so that administrators without strong authentication are flagged for priority.
6. Derive a per-user risk score from the strongest method tier, privilege level, and absence of any second factor.
7. Aggregate tenant-wide coverage metrics, including the proportion of users with phishing-resistant methods.
8. Rank users so that unprotected and privileged accounts surface at the top of the report.
9. Produce the structured output without modifying any user, method, or policy.
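The classification, scoring and ranking in steps 4 to 8, shown as an added Python example that is not part of the skill file or of Microsoft's tooling. It runs offline over a constructed sample shaped like the Microsoft Graph `/users/{id}/authentication/methods` response (the `@odata.type` values are Graph's own) and a constructed set of role-assignment principal ids standing in for what `UserAuthenticationMethod.Read.All` and `RoleManagement.Read.Directory` would return. The tier map, the risk scoring rule and the treatment of passkeys as `fido2AuthenticationMethod` are this example's assumptions, chosen so that the sample rows in the output format above are reproduced.

```python
from collections import Counter

# Graph method type -> tier. Assumption: passkeys surface as fido2AuthenticationMethod.
# Password, temporary access pass and email are deliberately absent from this map:
# none of them is counted as a second factor by this audit.
GRAPH_METHOD_TIER = {
    "#microsoft.graph.fido2AuthenticationMethod": "phishing-resistant",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "phishing-resistant",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "app-based",
    "#microsoft.graph.softwareOathAuthenticationMethod": "app-based",
    "#microsoft.graph.phoneAuthenticationMethod": "weak",  # SMS or voice call
}
METHOD_LABEL = {
    "#microsoft.graph.fido2AuthenticationMethod": "FIDO2 security key or passkey",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "Windows Hello for Business",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "Microsoft Authenticator",
    "#microsoft.graph.softwareOathAuthenticationMethod": "Software OATH token",
    "#microsoft.graph.phoneAuthenticationMethod": "Phone (SMS or voice)",
}
# Lower base score is stronger. Constructed scoring rule: privilege adds one level
# unless the strongest method is already phishing-resistant.
TIER_BASE_SCORE = {"none": 3, "weak": 2, "app-based": 1, "phishing-resistant": 0}
RISK_LABEL = {0: "Low", 1: "Medium", 2: "High", 3: "Critical"}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def strongest_method(methods):
    """Step 4: (tier, label) of the strongest second factor in a Graph methods list."""
    tier, label = "none", "None registered"
    for m in methods:
        t = GRAPH_METHOD_TIER.get(m.get("@odata.type"))
        if t is not None and TIER_BASE_SCORE[t] < TIER_BASE_SCORE[tier]:
            tier, label = t, METHOD_LABEL[m["@odata.type"]]
    return tier, label


def risk_score(tier, privileged):
    """Step 6: risk label from method tier and privilege."""
    score = TIER_BASE_SCORE[tier]
    if privileged and tier != "phishing-resistant":
        score += 1
    return RISK_LABEL[min(score, 3)]


def build_report(users, methods_by_user, privileged_ids):
    """Steps 2, 5, 7, 8: classify enabled users, rank them, aggregate tenant coverage."""
    rows = []
    for u in users:
        if not u["accountEnabled"]:
            continue  # disabled accounts are out of scope
        tier, label = strongest_method(methods_by_user.get(u["id"], []))
        privileged = u["id"] in privileged_ids
        rows.append({"upn": u["userPrincipalName"], "method": label, "tier": tier,
                     "privileged": privileged, "risk": risk_score(tier, privileged)})
    # Worst risk first; within a risk level, privileged accounts before others.
    rows.sort(key=lambda r: (RISK_ORDER[r["risk"]], not r["privileged"], r["upn"]))
    tiers = Counter(r["tier"] for r in rows)
    total = len(rows)
    summary = {
        "total_enabled_users": total,
        "no_mfa": tiers["none"],
        "weak_only": tiers["weak"],
        "phishing_resistant": tiers["phishing-resistant"],
        "phishing_resistant_pct": round(100.0 * tiers["phishing-resistant"] / total, 1) if total else 0.0,
        "privileged_without_phishing_resistant": [
            r["upn"] for r in rows if r["privileged"] and r["tier"] != "phishing-resistant"],
    }
    return rows, summary


def render_table(rows):
    """Step 9: the coverage table in the skill's Markdown output format."""
    lines = ["| User principal name | Strongest method | Method tier | Privileged | Risk score |",
             "| --- | --- | --- | --- | --- |"]
    for r in rows:
        lines.append(f"| `{r['upn']}` | {r['method']} | {r['tier'].capitalize()} | "
                     f"{'Yes' if r['privileged'] else 'No'} | {r['risk']} |")
    return "\n".join(lines)


# Constructed sample: directory users, their registered methods, and the principalIds
# of privileged role assignments. None of this comes from a real tenant.
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "jordan.lee@contoso.com", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "priya.nair@contoso.com", "accountEnabled": True},
    {"id": "u3", "userPrincipalName": "sam.wright@contoso.com", "accountEnabled": True},
    {"id": "u4", "userPrincipalName": "alex.chen@contoso.com", "accountEnabled": True},
    {"id": "u5", "userPrincipalName": "old.account@contoso.com", "accountEnabled": False},
]
SAMPLE_METHODS = {
    "u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "u2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"}],
    "u3": [{"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
    "u4": [{"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}],
    "u5": [{"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
}
PRIVILEGED_IDS = {"u1", "u4"}  # constructed principalIds of privileged role assignments

if __name__ == "__main__":
    report_rows, report_summary = build_report(SAMPLE_USERS, SAMPLE_METHODS, PRIVILEGED_IDS)
    print(render_table(report_rows))
    print(report_summary)
```

The scoring deliberately keeps a privileged account with a phishing-resistant method at Low, while a privileged account on Microsoft Authenticator alone lands at High, so the `privileged_without_phishing_resistant` list in the summary is exactly the remediation queue the output format calls for.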

## Output format

The skill returns a coverage table followed by a summary of tenant-wide metrics.

| User principal name | Strongest method | Method tier | Privileged | Risk score |
| --- | --- | --- | --- | --- |
| `jordan.lee@contoso.com` | None registered | None | Yes | Critical |
| `priya.nair@contoso.com` | SMS | Weak | No | High |
| `sam.wright@contoso.com` | FIDO2 security key | Phishing-resistant | No | Low |

- Total enabled users analysed and the count with no MFA method.
- Number of users whose only second factor is SMS or voice.
- Count and percentage of users registered for FIDO2 or passkeys.
- Privileged accounts lacking phishing-resistant authentication, listed for immediate remediation.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, users, or authentication policies. It only reads authentication method registration and directory data to build the report.

This skill does NOT:

- Register, modify, or remove any authentication method for any user.
- Change Conditional Access policies, authentication method policies, or licence assignments.
- Reset passwords, revoke sessions, or alter sign-in state.
- Send notifications or prompts to end users.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Reading registered authentication methods and directory data | Microsoft Entra ID Free |
| Conditional Access and authentication method policy enforcement context | Microsoft Entra ID P1 |
| FIDO2 security key and passkey adoption tracking | Microsoft Entra ID P1 |

### Least-privilege roles

- Global Reader — read-only visibility across directory and identity configuration
- Authentication Policy Administrator (read-only use) or Security Reader — review authentication method coverage without making changes

### Microsoft Graph permissions (read-only)

- `UserAuthenticationMethod.Read.All` — reads each user's registered authentication methods, including FIDO2, passkeys, Microsoft Authenticator, SMS, and voice
- `Directory.Read.All` — reads enabled user accounts, display names, and user principal names
- `RoleManagement.Read.Directory` — reads privileged role assignments so administrators without strong authentication can be prioritised

## Sources and compliance

- [Authentication methods in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods)
- [Authentication methods activity](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-methods-activity)
- Maps to Essential Eight control Multi-factor Authentication, supporting maturity uplift toward phishing-resistant methods.
- Aligns with ISM controls for multifactor authentication of users accessing online services and privileged accounts.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
## How to use this skill

1. Get the file. Download or copy the SKILL.md from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the Licensing and permissions section.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0  by Educ4te .