Below is the list of services/setting that can contribute to unexpected MFA prompt:
- Conditional Access Policy (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)
- Azure AD Identity Protection (https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
- Security Defaults (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
- Per-user MFA (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates)
- Intune device enrollment (https://learn.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication)
- On-premises ADFS server (https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa
- MFA to join devices to Azure AD (https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings)