Multifactor Authentication (MFA) is a core pillar of identity security, but exceptions (while sometimes necessary) can become silent risks if left untracked, especially across tenants. Without a clear way to track MFA exceptions, these exclusions can evolve into long-standing security gaps over time.
This guide introduces a governance layer that MSPs can build around existing identity tools to close those visibility gaps and maintain stronger control across tenants.
Core components and methods
Every MFA exception is a potential weak link. The goal is to control those risks before they spiral. Below is a structured framework that shows how to identify, enforce, and manage MFA exceptions without losing control.
A. Define MFA exception categories and usage criteria
Before tracking or enforcing anything, you must establish what qualifies as an exception and under what conditions it’s allowed. Common exception types include:
Break-glass emergency accounts
Intended only for outages or lockouts. These accounts bypass MFA to provide emergency access.
Legacy app connectors or integrations
Older apps that don’t support modern authentication protocols. They may require temporary MFA exclusions.
Administrative exclusions during migration
Temporary exclusions for admins performing bulk operations or tenant transitions.
External trusted guest identities
Guest users from trusted external tenants, where MFA enforcement is handled by their own IdP (Identity Provider).
💡 Tip: To reduce long-lived exceptions, assign who can approve each type and set a time limit or review cycle.
B. Identify exceptions using Microsoft Entra Workbooks
Once exception types are defined, the next step is visibility, or finding where exceptions exist.
Use the MFA Gaps Workbook to:
- Detect accounts accessing resources without MFA.
- Visualize gaps across Conditional Access, Security Defaults, and user-level MFA settings.
- Run this per tenant to surface inconsistent enforcement.
C. Apply scoped Conditional Access policies
Now that you’ve identified exceptions, it’s time to enforce them. Use Microsoft Entra’s Conditional Access exclusions precisely. Here are some practices you can adapt:
- Minimize the use of “exclude specific users” rules.
- Only allow exclusions for break-glass accounts or approved legacy apps.
- Require privileged authentication on a secure workstation for excluded users.
D. Track MFA status programmatically
Manual tracking doesn’t scale and can be error-prone. Use automation to monitor MFA compliance across users and tenants. Some tools you can use include:
Microsoft Graph API
```powershell
# User.Read.All reads the user object; listing a user's registered
# authentication methods also requires UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All"

# List the authentication methods registered for one user (placeholder UPN).
Get-MgUserAuthenticationMethod -UserId "user@contoso.com"
```
📌 Note: Replace user@contoso.com with the user principal name (email address) of the user you want to check.
This command shows which authentication methods a user has set up, making it easier to confirm if MFA is properly configured and active.
PowerShell scripts
Extract real-time MFA registration and enforcement status per user. Doing this supports broader auditing of who is compliant and who isn’t.
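The following script is an added example, not code from the original guide or from NinjaOne. It pulls the authentication methods registration report from Microsoft Graph and lists, per user, whether MFA is registered and which methods are in place, with unregistered admins sorted to the top. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) and the AuditLog.Read.All delegated scope.

```powershell
# Added example (not from the original guide): per-user MFA registration report.
# Assumes Microsoft Graph PowerShell SDK and the AuditLog.Read.All scope.
Connect-MgGraph -Scopes "AuditLog.Read.All" | Out-Null

# One row per user from the registration details report.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = $details | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsAdmin           = $_.IsAdmin
        IsMfaRegistered   = $_.IsMfaRegistered
        IsMfaCapable      = $_.IsMfaCapable
        Methods           = ($_.MethodsRegistered -join ';')
    }
}

# Users with no MFA registration are the gaps to review; admins first.
$report |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Format-Table -AutoSize

# Keep the full report for audit evidence.
$report | Export-Csv ".\MFA_Registration_$(Get-Date -Format yyyy-MM-dd_HHmm).csv" -NoTypeInformation -Encoding UTF8

Disconnect-MgGraph | Out-Null
```

IsMfaRegistered reflects registration only; whether MFA is actually enforced for a user still depends on the Conditional Access policies and exclusions covered in the following sections, so the two views are meant to be read together.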
E. Automate multi-tenant exception extraction
When managing multiple tenants, manual checks quickly become unmanageable. To make this scalable, automate the collection of Conditional Access policies that exclude users (MFA exceptions) into a single report.
Here’s a PowerShell script you can use. It connects to each tenant, finds policies with exclusions, resolves user IDs into names, and exports everything to a CSV file for review.
📌 Prerequisites:
- Microsoft Graph PowerShell SDK installed.
- Admin-consented delegated scopes: Policy.Read.All and Directory.Read.All.
- Your account must have access to each tenant.
- Real Tenant IDs (GUIDs) for every tenant you’ll scan.
```powershell
# Tenants to scan: replace the sample GUIDs with real Tenant IDs.
$TenantIds = @("00000000-0000-0000-0000-000000000000","11111111-1111-1111-1111-111111111111")

$all = foreach ($tid in $TenantIds) {
    # Sign in to each tenant in turn with the read-only scopes needed.
    Connect-MgGraph -TenantId $tid -Scopes "Policy.Read.All","Directory.Read.All" | Out-Null

    # Keep only Conditional Access policies that exclude specific users.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.Conditions.Users.ExcludeUsers.Count -gt 0 } |
        ForEach-Object {
            $p = $_
            foreach ($id in $p.Conditions.Users.ExcludeUsers) {
                # Resolve the excluded object ID to a UPN and display name.
                # SilentlyContinue leaves the fields blank for deleted users or
                # IDs the signed-in account cannot read.
                $u = Get-MgUser -UserId $id -Property UserPrincipalName,DisplayName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    TenantId            = $tid
                    PolicyName          = $p.DisplayName
                    PolicyId            = $p.Id
                    ExcludedUserId      = $id
                    ExcludedUPN         = $u.UserPrincipalName
                    ExcludedDisplayName = $u.DisplayName
                }
            }
        }

    Disconnect-MgGraph | Out-Null
}

$all | Format-Table -AutoSize
$all | Export-Csv ".\CA_Exclusions_Multi_$(Get-Date -Format yyyy-MM-dd_HHmm).csv" -NoTypeInformation -Encoding UTF8
```
📌 Notes:
- Replace the sample GUIDs in $TenantIds with your actual Tenant IDs. You can find them under Entra ID > Tenant properties, or by running:

```powershell
Get-MgOrganization | Select Id, DisplayName
```
- If the UPN or DisplayName fields show up blank, the user might have been deleted, or your account doesn’t have read access in that tenant.
- The exported CSV includes TenantId, PolicyName, PolicyId, ExcludedUserId, ExcludedUPN, and ExcludedDisplayName for audit and review.
This script gives you a full cross-tenant view of high-risk MFA exceptions in one place, making it easy to spot patterns and follow up quickly.
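The multi-tenant script above reports users excluded directly (ExcludeUsers). Conditional Access policies can also exclude whole groups (ExcludeGroups), and a member of such a group is just as exempt from MFA as a directly excluded user. The following added example, which is not part of the original guide, expands each excluded group into its transitive members so those exemptions appear in the same kind of report. It assumes an existing Connect-MgGraph session in the tenant with Policy.Read.All and Directory.Read.All.

```powershell
# Added example (not from the original guide): surface MFA exemptions granted
# through group-based Conditional Access exclusions.
# Assumes an active Connect-MgGraph session with Policy.Read.All and Directory.Read.All.
$groupExclusions = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.ExcludeGroups.Count -gt 0 } |
    ForEach-Object {
        $p = $_
        foreach ($gid in $p.Conditions.Users.ExcludeGroups) {
            $g = Get-MgGroup -GroupId $gid -Property DisplayName -ErrorAction SilentlyContinue

            # Transitive membership so nested groups are included too.
            $members = Get-MgGroupTransitiveMember -GroupId $gid -All -ErrorAction SilentlyContinue

            foreach ($m in $members) {
                # Members come back as directory objects; the user-specific
                # properties live in AdditionalProperties.
                [pscustomobject]@{
                    PolicyName      = $p.DisplayName
                    PolicyId        = $p.Id
                    ExcludedGroup   = $g.DisplayName
                    ExcludedGroupId = $gid
                    MemberId        = $m.Id
                    MemberUPN       = $m.AdditionalProperties['userPrincipalName']
                    MemberType      = $m.AdditionalProperties['@odata.type']
                }
            }
        }
    }

$groupExclusions | Format-Table -AutoSize
$groupExclusions | Export-Csv ".\CA_GroupExclusions_$(Get-Date -Format yyyy-MM-dd_HHmm).csv" -NoTypeInformation -Encoding UTF8
```

Run it inside the per-tenant loop of the main script if you want group-based and user-based exclusions in one cross-tenant export. Group exclusions deserve the same approval and review treatment as direct ones, and a large or dynamic excluded group is worth a finding of its own.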
F. Establish a review and rotation schedule
Make sure temporary exclusions don’t become long-term vulnerabilities by setting a cadence for review.
What you can do
- Set monthly or quarterly reviews.
- Auto-expire or alert on nearing expiration.
- Require re-approval for renewal.
💡 Tip: Use Microsoft Planner or Power Automate for reminders.
G. Maintain a central governance register
Finally, document everything in one authoritative log to support auditability and accountability.
What to document
- Tenant name
- Excluded users
- Policy title
- Date added
- Expiration/review date
- Reviewer notes
💡 Tip: Store this in a secure PSA-integrated or M365 location for ongoing compliance tracking.
Best practices summary table
Each component in the framework above plays a distinct role in keeping MFA exceptions controlled and accountable. The table below breaks down what each element is for and the value it provides. Use this as your quick-reference map:
| Component | Purpose/Value |
|---|---|
| MFA exception categories | Clarifies intent and scope of exclusions |
| MFA Gaps workbook | Identifies weak enforcement across identities |
| Conditional Access targeting | Limits risk with scoped exclusions |
| Graph API auditing | Enables per-user enforcement analysis |
| Multi-tenant script auditing | Scales exception reporting across all managed clients |
| Scheduled review cadence | Reduces oversight gaps and expired access risks |
| Governance register | Establishes audit readiness and accountability |
Automation touchpoint example
Now, let’s bring the framework to life. This section outlines a repeatable workflow for reviewing MFA exceptions using automation. You may use this as a reference for execution.
MFA exception review workflow
1. Use the Microsoft Entra MFA Gaps workbook monthly.
Spot unauthenticated or MFA-exempted logins, which can serve as your first signal that something needs review.
2. Run a PowerShell script to extract Conditional Access policy exclusions across clients.
Pull real-time data on who’s excluded from MFA enforcement.
3. Review exception justifications in the governance register.
Cross-check exclusions against documented approvals.
4. Alert or expire unused exceptions automatically via script or policy.
Enforces cleanup and reduces long-lived exceptions.
5. Share findings in client QBRs as part of your identity risk management review.
Adds accountability and transparency to your reporting.
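Steps 2 through 4 of this workflow come together in the following added example, which is not code from the original guide. It reads the CSV produced by the multi-tenant exclusion script alongside a governance register CSV with the columns listed under "What to document", then labels every exclusion as OK, EXPIRING, EXPIRED or UNDOCUMENTED, and also flags register entries whose exclusion no longer exists. The two CSV bodies embedded here are constructed sample data so the script runs offline; in practice, point the Import paths at the real files.

```powershell
# Added example (not from the original guide): reconcile exported Conditional
# Access exclusions with the governance register.
# The two CSV bodies below are constructed sample data; replace them with
# Import-Csv calls against the real exports.
$exclusions = @'
TenantId,PolicyName,PolicyId,ExcludedUserId,ExcludedUPN,ExcludedDisplayName
00000000-0000-0000-0000-000000000000,Require MFA - All Users,p-1,u-1,breakglass1@contoso.example,Break Glass 1
00000000-0000-0000-0000-000000000000,Require MFA - All Users,p-1,u-2,legacy-svc@contoso.example,Legacy Connector
00000000-0000-0000-0000-000000000000,Require MFA - All Users,p-1,u-3,jdoe@contoso.example,Jane Doe
'@ | ConvertFrom-Csv

$register = @'
TenantName,ExcludedUPN,PolicyName,Category,DateAdded,ReviewDate,ReviewerNotes
Contoso,breakglass1@contoso.example,Require MFA - All Users,Break-glass,2024-01-10,2099-01-10,Standing approval
Contoso,legacy-svc@contoso.example,Require MFA - All Users,Legacy app,2024-03-01,2024-06-01,Remove after migration
Contoso,old-admin@contoso.example,Require MFA - All Users,Migration,2024-02-01,2024-04-01,Tenant move
'@ | ConvertFrom-Csv

$today    = Get-Date
$warnDays = 14   # days before the review date at which to raise EXPIRING

# Every live exclusion must match a register row on UPN and policy name.
$findings = foreach ($e in $exclusions) {
    $entry = $register |
        Where-Object { $_.ExcludedUPN -eq $e.ExcludedUPN -and $_.PolicyName -eq $e.PolicyName } |
        Select-Object -First 1

    if (-not $entry) {
        $status = 'UNDOCUMENTED'; $category = ''; $reviewDate = ''
    } else {
        $review = [datetime]::ParseExact($entry.ReviewDate, 'yyyy-MM-dd', $null)
        $status = if ($review -lt $today) { 'EXPIRED' }
                  elseif (($review - $today).TotalDays -le $warnDays) { 'EXPIRING' }
                  else { 'OK' }
        $category = $entry.Category; $reviewDate = $entry.ReviewDate
    }

    [pscustomobject]@{
        TenantId   = $e.TenantId
        UPN        = $e.ExcludedUPN
        Policy     = $e.PolicyName
        Category   = $category
        ReviewDate = $reviewDate
        Status     = $status
    }
}

# Register rows with no matching live exclusion are stale and should be closed out.
$stale = $register | Where-Object {
    $upn = $_.ExcludedUPN; $pol = $_.PolicyName
    -not ($exclusions | Where-Object { $_.ExcludedUPN -eq $upn -and $_.PolicyName -eq $pol })
}

$findings | Sort-Object Status | Format-Table -AutoSize
$stale | Select-Object TenantName, ExcludedUPN, PolicyName, Category | Format-Table -AutoSize

# Only non-OK rows need action; export them for the review meeting or QBR.
$findings | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv ".\MFA_Exception_Findings_$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation -Encoding UTF8
```

With the sample data, the break-glass account comes out OK, the legacy connector is EXPIRED, jdoe@contoso.example is UNDOCUMENTED, and the old-admin register row is reported as stale. Schedule this after the exclusion export so each review cycle starts from a current reconciliation rather than from memory.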
Track MFA exceptions to reduce risk and oversight gaps
While MFA exceptions can be necessary, they should never go unnoticed. Recognizing their purpose and risks makes it clear that tracking them is important. This guide outlined the core components and methods to do so, along with best practices, workflows, and how NinjaOne can support automation and governance.
Before we wrap up, here are the key points to remember:
- Categorize MFA exception types for clarity.
- Detect enforcement gaps using Microsoft Entra tools.
- Target exclusions precisely via Conditional Access.
- Audit MFA registration and policy exclusions with PowerShell.
- Automate reviews across tenants for consistency.
- Maintain a centralized log for governance and compliance.
MSPs can confidently maintain security without blocking legitimate workflows by defining usage policies, automating detection, and enforcing exception reviews.