Force admins to verify via MFA with every activation request
If PIM role activation requires MFA verification, the MFA back-end will abide by the "Don't prompt me again for X days" option, which results in admins not being prompted to verify for a role activation.
PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role, even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point of PIM.
Dominic Corso commented
There seems to be an issue with KMSI and PIM MFA as well. We can go days without being prompted for MFA using PIM. It seems PIM should be coded to ignore what is in the token regarding MFA.
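The distinction raised in the request and the comment above, between a token that merely carries an MFA claim and one backed by a recent verification, shown as an added example (not part of the thread and not PIM's code). It uses the standard OIDC `amr` and `auth_time` claims; the function names, the 5-minute window, and the assumption that `auth_time` reflects when the second factor was last presented are illustrative.

```python
# Added illustration; claim names follow OIDC (amr values per RFC 8176).
# The freshness window and all function names are assumptions, not PIM behaviour.
from typing import Mapping

MAX_MFA_AGE_SECONDS = 300  # assumed freshness window for role activation


def presence_only_gate(claims: Mapping) -> bool:
    """Weak gate: accepts any token that carries an MFA claim,
    however long ago the second factor was actually presented."""
    return "mfa" in claims.get("amr", [])


def fresh_mfa_gate(claims: Mapping, now: int,
                   max_age: int = MAX_MFA_AGE_SECONDS) -> bool:
    """Step-up gate: the MFA claim must be present AND the authentication
    event must fall inside the freshness window."""
    if "mfa" not in claims.get("amr", []):
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        return False  # missing or malformed auth_time: fail closed
    age = now - auth_time
    return 0 <= age <= max_age  # also rejects future-dated values


def activation_decision(claims: Mapping, now: int) -> str:
    """Return 'activate' or 'prompt_mfa' for a role-activation request."""
    return "activate" if fresh_mfa_gate(claims, now) else "prompt_mfa"


# Constructed sample claims (not captured from any real tenant).
NOW = 1_700_000_000
REMEMBERED = {"sub": "admin1", "amr": ["pwd", "mfa"],
              "auth_time": NOW - 3 * 86400}   # MFA satisfied three days ago
JUST_VERIFIED = {"sub": "admin1", "amr": ["pwd", "mfa"],
                 "auth_time": NOW - 60}       # MFA satisfied a minute ago
NO_AUTH_TIME = {"sub": "admin1", "amr": ["pwd", "mfa"]}

if __name__ == "__main__":
    for name, claims in [("remembered", REMEMBERED),
                         ("just_verified", JUST_VERIFIED),
                         ("no_auth_time", NO_AUTH_TIME)]:
        print(name, presence_only_gate(claims), activation_decision(claims, NOW))
```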