Hi @jfgriff-1153 ,
Is there any chance that some of those users completed the registration either before the MFA was enabled or before it was re-enabled? If MFA is re-enabled on a user object that already has registration details, such as phone or email, then administrators need to have that user re-register MFA via Azure portal or PowerShell. If the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI.
If this is the case, the status will change to Enforced if they register again.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates