Require MFA for permanent highly privileged roles
If you make an eligible role assignment for Global Administrator via PIM, it enforces MFA for role activation.
This is the case for several highly privileged roles and cannot be changed. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings#multi-factor-authentication
However, if you assign the role permanently, shouldn't this always enforce MFA for the user?
I understand this change could have a big UX impact and with the new baseline admin conditional access we already have a good way for protection in preview. But if that's the way Microsoft wants to go, shouldn't the baseline CA policy and the highly privileged PIM roles match?
Is this still an issue? Does the baseline CA policy with support for AAD role targeting solve this?
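The role-targeted Conditional Access policy the question above refers to, written out as an added example (not code from this thread or from Microsoft): it requires MFA for every holder of the Global Administrator role, whether the assignment is permanent or activated through PIM. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the two permission scopes named in the script.

```powershell
# Added example, not from the thread: Conditional Access policy requiring MFA for
# all Global Administrators. Assumes the Microsoft.Graph modules are installed and
# the signed-in account can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagement.Read.Directory'

# Resolve the role template id by display name rather than hard-coding the GUID.
$gaTemplate = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $gaTemplate) { throw 'Global Administrator role template not found.' }

$policy = @{
    displayName = 'Require MFA for Global Administrators (example)'
    # Start in report-only mode so sign-in logs show who would be affected before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # includeRoles covers permanent members and PIM-activated members alike.
        users          = @{ includeRoles = @($gaTemplate.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results, switch the policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Whether MFA performed at a federated identity provider (the Okta case raised in the comments) satisfies this grant control depends on the tenant's federation settings, which this example does not configure.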
Sean Stark commented
You should not be making this decision for customers. As Joel pointed out, many customers don't leverage Azure MFA and are federated with a third party MFA provider. Fairly disappointed in this decision.
Janke, Joel commented
Making MFA a requirement vs a choice is not a good idea. For example, many organizations federate their Azure AD authentication to a 3rd party provider like Okta for example. In such cases, the organization may have already addressed MFA via their 3rd party authentication provider (perhaps even universally as a requirement for all users). Requiring a separate Azure MFA on top of the 3rd party MFA is just silly double MFA noise.