I have a freshly created tenant, and all users have Microsoft 365 Business Premium.
The tenant shows licensed as P1 since P1 is included in Microsoft 365 Business Premium.
The tenant had "Security Defaults" turned on already, and that is what I want.
All users were prompted to set up MFA with a 14-day grace period when they first logged in.
When the users signed in for the first time on a new AAD-joined Windows 10 device, the login prompted them for their 2FA, which proved MFA was working.
However, users are never challenged with MFA when they log in from any other device (e.g., BYOD) accessing resources through portal.microsoft.com, such as Outlook on the web.
The documentation on security defaults is not clear to me and says: "Requiring users to perform multi-factor authentication when necessary."
When exactly should we expect the users to be challenged by MFA?
The fact that the users are not prompted for 2FA on an unknown device scares me a lot. Do we need to set up conditional access policies for this?
But then, what is the idea behind security defaults at all?
Meanwhile, I found this blog post which is in line with my experience. Still, it would be very valuable to have some more insights into how the system detects risky activities.
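The post raises the option of Conditional Access policies as the way to make MFA a hard requirement rather than something applied "when necessary". As an added illustration (not code from the original post or from Microsoft's documentation), the block below uses the Microsoft Graph PowerShell SDK to create such a policy in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. One caveat worth knowing before running it: Security Defaults and Conditional Access are mutually exclusive in a tenant, so Security Defaults must be turned off before a policy like this can be switched from report-only to enabled. The policy display name and the break-glass account placeholder are assumptions, not values from the post.

```powershell
# Added example, not from the original post.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# account holds a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy definition: require MFA for all users, on all cloud apps, from any client.
# State is report-only so sign-in logs show what WOULD have happened; nothing is
# blocked yet. Switching State to "enabled" later requires Security Defaults off.
$policy = @{
    DisplayName = "Require MFA for all users (report-only)"      # assumed name
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers = @("All")
            # Keep at least one emergency-access (break-glass) account excluded
            # so a misconfigured policy cannot lock every admin out.
            ExcludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the tenant's policies and their states after the change.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

After a few days in report-only mode, the "Report-only" tab of the Entra sign-in logs shows, per sign-in, whether this policy would have required MFA, including browser sessions from unmanaged BYOD devices like the ones described in the post. That gives concrete evidence of coverage before the policy is enforced.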