It depends on how this service account access Entra services
- Microsoft 365
- Microsoft Entra admin center
- Access Panel
- Federated applications
- Custom applications using Microsoft Entra ID
Generally I would set to No and then use the CA policy to force a user to register MFA and SSPR when accessing Entra