Recently for a client of mine I enabled Security Defaults in Azure AD to help secure the accounts with MFA (primarily in Microsoft 365). Unfortunately it seems that even though Security Defaults is enabled it isn't applying to people when they login to Microsoft 365, it just lets them in without needing to do MFA. If they login to the Azure portal they do get the MFA prompt which is what I would expect. I should note that I am logging in with a new "guest" browser session each time, which should prompt me for MFA no matter what since it should be classified as a "new" device.
I was sure this was working before in my tenant, but when I tested it out I get the same behavior (no MFA prompt in M365, MFA prompt in Azure Portal). Am I completely crazy or did something change in the last year with respect to Security Defaults where it no longer applies to Microsoft 365 logins anymore?