@Daniel Birrell - thanks for your question.
There could be various legitimate reasons why MFA wasn't applied in this case. In the sign-in logs, do any of the other detailed tabs for the sign-in provide any additional information - for example, in the "Basic Info", do the "Additional details" provide any hints, such as a previous MFA claim being in the sign-in token (which would indicate that the user had an earlier sign in which did have MFA, in which case you should search for previous sign-ins from the same user).
Ultimately, if there's nothing obvious from the logs, the best bet would be to raise a support ticket as support should be able to dig into your logs and fully understand what is going on.
-----
If this has helped at all, please upvote and "mark as answer" to help others with similar questions in the future