We recently transitioned from one AAD tenant to another due to an organizational rename. In the prior tenant, we were using Azure MFA and (via the MFA service portal) had been marking users as "Enforced". In the new tenant, we’ve instead implemented Azure AD Identity Protection and Conditional Access rules that dictate when MFA is required.

My understanding is that the "Enforced" status in the old MFA portal basically means that all sign ins that are not from the list of trusted IPs will have an MFA challenge run (which could be satisfied by the device token that is good for n days, as configured within the portal).

For the AAD-IP + CA scenario, MFA is enabled for all users (they are enabled for automatic registration) but MFA challenges are only brought when the conditions in the CA rules or behavioral analysis done by AAD-IP says that an MFA challenge is warranted. That challenge is subject to the trusted IPs and token as configured in the old MFA portal.

My understanding is that this should be set up as an either/or and not both (old style Enforce and the alternative AAD-IP+CA). Users have noticed a distinct lessening of MFA challenges (and they like it, but that would be expected).

The Microsoft Secure Score is registering a zero for us under the AAD-IP+CA scenario as it is looking specifically for the Enforced tag to be enabled on user accounts (since that is something that it can actually query).

Question is whether I’m significantly less secure under this setup or not. I still get MFA challenges when my account is accessing things in ways that I would expect to be challenged. We have seen users get "saved" by MFA when an external actor guesses their password. So, I assume that I’m in a working state.

Just trying to figure out if others are configured similarly or am I way off base in how I’m doing things.