Always prompt for MFA for an Enterprise Application
I'd like to mark a particular Enterprise Application as "critical" and always ask for MFA when a user is accessing it regardless of their logged in state.
I.e. when accessing Payroll (SuccessFactors) or our Remote Access Tool - I want to ensure MFA is being asked for again (and again) every time the close that browser window/session/tab even if the user has a logged in session to O365 - any other enterprise app is fine and can be accessed if user is already logged in.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.