What's the expected MFA behaviour on a tenant with Security Defaults enabled?

asked 2021-04-17T13:12:40.01+00:00
Sebastian Zolg 1 Reputation point Microsoft MVP


I have a freshly created tenant, and all users have Microsoft 365 Business Premium.
The tenant shows licensed as P1 since P1 is included in Microsoft 365 Business Premium.
The tenant had "Security Defaults" turned on already, and that is what I want.

All users were prompted to set up MFA with a 14-day grace period when they first logged in.
When the users signed in for the first time on a new AAD-joined Windows 10 device, the login prompted them for their 2FA, which proved MFA was working.

However, users are never challenged with MFA when they log in from any other device (e.g., BYOD) accessing resources through portal.microsoft.com, such as Outlook on the web.
The documentation on security defaults is not clear to me and says: "Requiring users to perform multi-factor authentication when necessary."

When exactly should we expect the users to be challenged by MFA?

The fact that the users are not prompted for 2FA on an unknown device scares me a lot. Do we need to set up conditional access policies for this?
But then, what is the idea behind security defaults at all?


Update 1:
Meanwhile I found this blog post which is in line with my experience. Still, it would be very valuable to have some more insights into how the system detects risky activities.

Azure Active Directory

1 answer

  1. answered 2021-04-19T19:53:37.083+00:00
    James Hamil 11,861 Reputation points Microsoft Employee

    Hi @Sebastian Zolg, the 14-day grace period is the amount of time users have to register for MFA. The "when necessary" phrase just means however you have MFA set up. For your situation you could use per-user MFA. This article goes into detail on how you can change how often users are prompted for MFA, and can keep them signed in. Azure MFA is very configurable, so tweaking settings to your needs should fix any issues you have. Please let me know if I can help with anything else!

    If this answer helped you, please mark it as "Verified" so other users may reference it.

    Thank you,
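A worked example added here, not part of the question or the answer above, showing how an admin would verify what the tenant actually required at sign-in and stage an explicit Conditional Access policy instead of relying on the "when necessary" behaviour of security defaults. It uses the Microsoft Graph PowerShell SDK. The tenant, the user `alice@contoso.example` and the break-glass account `breakglass@contoso.example` are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the question or the answer): check whether security defaults are on,
# read the AuthenticationRequirement Azure AD recorded for a user's recent sign-ins, and stage a
# Conditional Access policy in report-only mode that requires MFA for all users.
# Assumptions (hypothetical): users 'alice@contoso.example' and 'breakglass@contoso.example'
# exist, and the operator holds Conditional Access Administrator rights.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','AuditLog.Read.All','User.Read.All'

# 1. Is the tenant running on security defaults?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. What did Azure AD actually require for this user's recent interactive sign-ins?
#    AuthenticationRequirement is 'multiFactorAuthentication' only when MFA was demanded;
#    'singleFactorAuthentication' means the password alone was enough for that sign-in.
#    This is the field that answers "was the BYOD browser sign-in challenged or not".
$upn = 'alice@contoso.example'   # assumed account
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 25 |
    Select-Object CreatedDateTime, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus,
        @{ n = 'DeviceTrust'; e = { $_.DeviceDetail.TrustType } },
        @{ n = 'MfaMethod';   e = { $_.MfaDetail.AuthMethod } } |
    Format-Table -AutoSize

# 3. Stage an explicit "MFA for all users" Conditional Access policy in report-only mode.
#    Report-only lets you read the would-be outcome in the sign-in logs before enforcing anything.
#    Security defaults and Conditional Access are mutually exclusive: turn security defaults off
#    before switching this policy to 'enabled', and always keep a break-glass account excluded.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.example').Id   # assumed account
$policy = @{
    displayName   = 'Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run step 2 against a user who just signed in to Outlook on the web from an unmanaged device: a row with `singleFactorAuthentication` and an empty `DeviceTrust` is the unchallenged BYOD case described in the question. After the report-only policy has logged the expected `reportOnlySuccess` / `reportOnlyFailure` outcomes for a few days, disable security defaults and flip `state` to `enabled`.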