Hi @37040339,
I have received confirmation from the products team that Security Defaults doesn’t always prompt the user for MFA. It only does so when necessary (if Azure AD detects some sort of risky sign-in).
However, you can see the source of the authentication requirement for a sign-in by going to the Azure AD sign-in logs and clicking on the authentication details tab. At the top, it shows which policies applied (e.g. Security Defaults, Conditional Access, Per-user MFA) and then you can see which authentication methods were used to sign in and which authentication requirements (e.g. single factor, MFA) they satisfied. (See screenshots below.)
Please let me know if you have any other questions.
Thanks
Saurabh
----------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
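The same check done over exported sign-in logs instead of the portal tab, as an added example that is not part of the answer above. It assumes the logs were exported as JSON in the shape of the Microsoft Graph beta `signIn` resource (`authenticationRequirement`, `authenticationRequirementPolicies`, `authenticationDetails`); the sample records and function names are constructed for illustration.

```python
import json

# Constructed sample records shaped like Microsoft Graph beta signIn entries.
# All values are made up; only the field names follow the signIn resource.
SAMPLE = json.loads("""
[
 {"userPrincipalName": "alice@example.com",
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationRequirementPolicies": [
    {"requirementProvider": "securityDefaults", "detail": "Security defaults"}],
  "authenticationDetails": [
    {"authenticationMethod": "Password", "succeeded": true,
     "authenticationStepRequirement": "Primary authentication"},
    {"authenticationMethod": "Mobile app notification", "succeeded": true,
     "authenticationStepRequirement": "Multifactor authentication"}]},
 {"userPrincipalName": "bob@example.com",
  "authenticationRequirement": "singleFactorAuthentication",
  "authenticationRequirementPolicies": [],
  "authenticationDetails": [
    {"authenticationMethod": "Password", "succeeded": true,
     "authenticationStepRequirement": "Primary authentication"}]}
]
""")

def summarize(record):
    """Return what was required, which policy required it, and what satisfied it."""
    policies = record.get("authenticationRequirementPolicies") or []
    details = record.get("authenticationDetails") or []
    return {
        "user": record.get("userPrincipalName"),
        "requirement": record.get("authenticationRequirement"),
        # Source of the requirement, e.g. securityDefaults or a Conditional Access provider
        "required_by": sorted({p["requirementProvider"] for p in policies
                               if p.get("requirementProvider")}),
        # Only steps that succeeded count toward satisfying the requirement
        "methods": [(d.get("authenticationMethod"), d.get("authenticationStepRequirement"))
                    for d in details if d.get("succeeded")],
    }

def signins_without_mfa(records):
    """Users whose sign-in was completed without an MFA requirement."""
    return [s["user"] for s in map(summarize, records)
            if s["requirement"] != "multiFactorAuthentication"]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(summarize(rec))
    print("single-factor only:", signins_without_mfa(SAMPLE))
```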