Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management
Currently the behavior is that if a user signs into the Azure Portal and completes an MFA challenge, they will not be prompted again when they elevate to a role in PIM, even if the role settings are set to "Require MFA on elevation", as PIM will use the existing MFA claim/token that was completed upon sign-in.
Please allow us to force PIM to acquire a new MFA claim on elevation.
An interesting caveat to this is when you have federated your AAD auth with another vendor such as Okta, for example. In this case, the MFA available from that 3rd party is ignored and AAD MFA becomes required. This creates an inconsistent and undesirable MFA experience, requiring 2 separate MFAs to gain access. So while I can see that some would like a secondary MFA on PIM access, others of us would not. We should be able to fully turn off MFA in PIM if we so choose. Under the current configuration, certain PIM roles are excluded from being able to not have MFA. Since we already have MFA, you are requiring us to have MFA twice.