Thank you for posting this in Microsoft Q&A.
As I understand, some users in your organization are getting prompted to register MFA in the Authenticator app. These users don't fall under any of the CA policies that prompt for MFA.
Also, since CA policies are configured, security defaults are out of the question.
All you can check are the features below:
- Check the Authentication methods tab in one of the users' properties in the Entra portal and confirm whether these users have not registered for any MFA methods. If these users have already registered for phone SMS or voice MFA, then the registration campaign is the feature that you can check to confirm if it is enabled.
- Check the registration campaign and confirm whether it is disabled or enabled. If it is enabled, then you can exclude a few users who were prompted for MFA and check if the issue still persists.
Follow these steps to check the registration campaign:
- Log in to https://entra.microsoft.com/ using global administrator credentials.
- Click on the Protection blade in the left pane and then select "Authentication methods".
- Click on Registration campaign and then the Edit button at the top.
- If this also doesn't fix the issue, then check whether you have configured any policies under Identity Protection (user risk policy or sign-in risk policy): https://portal.azure.com/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/SignInPolicy
- If the above features are all disabled, then you can check if per-user MFA is enabled for these users.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
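
The registration campaign check from the answer above, as an added example that is not part of the original answer: it evaluates an exported authentication methods policy against one user's groups and registered methods. The field names follow the Microsoft Graph `authenticationMethodsPolicy` resource as an assumption; the policy, group IDs and the function names are constructed for illustration.

```python
# Constructed sample shaped like GET /policies/authenticationMethodsPolicy
# (Microsoft Graph field names assumed; the group ID below is made up).
SAMPLE_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "state": "enabled",
            "snoozeDurationInDays": 1,
            "includeTargets": [{"id": "all_users", "targetType": "group",
                                "targetedAuthenticationMethod": "microsoftAuthenticator"}],
            "excludeTargets": [{"id": "grp-pilot-excluded", "targetType": "group"}],
        }
    }
}

# @odata.type values as returned by GET /users/{id}/authentication/methods
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"


def matches_target(targets, user_id, group_ids):
    """True if any target names the user, one of their groups, or all users."""
    for t in targets or []:
        if t.get("id") == "all_users":
            return True
        if t.get("targetType") == "user" and t.get("id") == user_id:
            return True
        if t.get("targetType") == "group" and t.get("id") in group_ids:
            return True
    return False


def campaign_verdict(policy, user_id, group_ids, method_types):
    """Say whether the registration campaign can account for the prompt."""
    camp = (policy.get("registrationEnforcement") or {}).get(
        "authenticationMethodsRegistrationCampaign") or {}
    state = camp.get("state", "default")
    if state == "disabled":
        return "not-campaign: campaign disabled"
    if matches_target(camp.get("excludeTargets"), user_id, group_ids):
        return "not-campaign: user excluded"
    if not matches_target(camp.get("includeTargets"), user_id, group_ids):
        return "not-campaign: user not targeted"
    if AUTHENTICATOR in method_types:
        return "not-campaign: Authenticator already registered"
    if PHONE not in method_types:
        return "unclear: no SMS/voice method registered, check other features"
    if state == "default":
        return "possible: Microsoft-managed state, confirm in portal"
    return "campaign: targeted, phone MFA registered, no Authenticator"
```

A "not-campaign" or "unclear" result means moving on to the Identity Protection and per-user MFA checks listed in the answer.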