I am trying to create a global admin user that is not required to set up MFA. (It's a temporary user for a migration.) The 365 tenant has security defaults enabled, so I disabled them and created a conditional access policy that enforces MFA for everyone except the admin user I'm using for the migration. However, the MFA prompt still comes up for this user. I tried creating a new user, and excluded it from the MFA policy before the first login, but am still getting prompted to configure MFA. Per-user MFA is not enabled for either admin account. What else could be forcing MFA?
I tried this...
https://learn.microsoft.com/en-us/answers/questions/549021/a-user-is-excluded-in-conditional-access-policy-bu.html
but those options are grayed out and the identity protection policy does not appear to be enabled anyway.
Any thoughts?