MFA for the the Azure portal only
We use MFA for the Azure portal, but enabling this carries the MFA functionality to the entire Microsoft suite. This means not only portal.office.com, but all of our applications that use Azure AD, Skype, Exchange OWA, even Yammer! I opened a ticket and was essentially told MFA is all or nothing at this point.
Ben Hatton commented
Extending this, I can confirm that MFA via conditional access against "Microsoft Azure Management" also fails, as the setting will force MFA for (at least) powerapps.
Get your act together please - perfoming an OAuth login or obtaining a token for Graph API is not Microsoft Azure Management - It's end-user interaction with AAD.