MFA Coverage

MFA Coverage

Directory sync records each employee's multi-factor enrollment so DataShield can flag accounts with no second factor. The state lives on Employee.mfaEnabled as a tri-state:

Value	Meaning
true	The provider reports the user is enrolled in MFA / 2SV
false	The provider reports the user is not enrolled
null	Unknown: the provider has no capability, lacks permission, or the field was not synced

Unknown is deliberately distinct from "not enrolled": a missing signal must never masquerade as a confirmed gap.

Per-provider detection

Detection is best-effort. If a provider cannot report MFA (missing permission, API error), the value stays null and the sync still succeeds; MFA data never breaks a directory sync.

Provider	Source	Notes
Microsoft Entra ID (Azure AD)	Authentication-methods report, keyed by userPrincipalName	Empty map (stays unknown) if the app lacks the report permission
Google Workspace	isEnrolledIn2Sv on the directory user	Direct boolean when present
Okta	Active enrollment factors per user	Enrollment means at least one active factor; fan-out is bounded; errors leave it unknown

LDAP, AWS, and inbound SCIM expose no MFA signal, so synced employees stay null.

Coverage gaps

An employee who is both exposed in a breach and not MFA-enrolled is the highest-priority remediation target: their leaked credentials have no second factor standing in the way. This pairing also feeds Risk Scoring indirectly through the session-artifact signal, since captured session cookies and tokens bypass MFA entirely.

See Directory Integrations for connector setup and Remediation for the actions you can take against an at-risk account.