Respect exclusions for MFA registration vulnerability assessment
Azure AD Identity Protection may show a medium-risk vulnerability, "Users without multi-factor authentication registration", even though all in-scope users are registered for MFA. The issue is that users excluded from the MFA registration policy still appear to be counted in this vulnerability assessment.
In our case, the only users not enabled for MFA are service accounts that shouldn't have MFA enabled (e.g. Azure AD Connect), and they are therefore explicitly excluded from our MFA registration policy in Azure AD Identity Protection.
Apart from the warning on the Azure AD Identity Protection dashboard, this also produces a warning every week in our security snapshot report, which is misleading and unhelpful. We only want to know when users who should be registered for MFA are not. Because the excluded users are factored in, we always get a warning, which makes this vulnerability assessment effectively useless as a security check.
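As an added example (not part of the original post), the following Microsoft Graph PowerShell script recomputes the "users without MFA registration" check while honoring the policy's exclusions, so the result only lists in-scope users; it assumes the Microsoft.Graph SDK is installed, that the exclusions are expressed as a group with the hypothetical name "MFA-Registration-Exclusions" plus a few explicit UPNs (the sample UPN is constructed), and that guest accounts are out of scope.

```powershell
# Added example, not from the original post or from Microsoft.
# Reading the registration-details report and group membership needs these delegated scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "GroupMember.Read.All", "Group.Read.All"

# Exclusions: mirror whatever the Identity Protection MFA registration policy excludes.
$exclusionGroupName = "MFA-Registration-Exclusions"      # assumed group name
$explicitExclusions = @("aadsync_svc@contoso.example")   # constructed sample service account UPN

$excluded = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($upn in $explicitExclusions) { [void]$excluded.Add($upn) }

$group = Get-MgGroup -Filter "displayName eq '$exclusionGroupName'"
if ($group) {
    # Group members come back as directory objects; the UPN lives in AdditionalProperties.
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
        $upn = $_.AdditionalProperties["userPrincipalName"]
        if ($upn) { [void]$excluded.Add($upn) }
    }
}

# Per-user registration details; IsMfaRegistered is the field the dashboard vulnerability is derived from.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# The dashboard view: every unregistered user, exclusions included.
$allUnregistered = @($details | Where-Object { -not $_.IsMfaRegistered })

# The view we actually want: unregistered members who are expected to register.
$inScopeUnregistered = @($allUnregistered | Where-Object {
    $_.UserType -eq "member" -and                      # assumption: guests are out of scope
    -not $excluded.Contains($_.UserPrincipalName)
})

$inScopeUnregistered |
    Select-Object UserPrincipalName, IsMfaCapable |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

Write-Host ("Unregistered (dashboard count): {0}; in scope after exclusions: {1}" -f `
    $allUnregistered.Count, $inScopeUnregistered.Count)
```

Run it on a schedule and alert only when the in-scope count is non-zero; that gives the weekly signal the snapshot report currently drowns in the exclusion noise.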